Introduction
Maritime cyber-crimes are illegal actions undertaken against ships or critical infrastructures through computer channels. Attacks can have a wide variety of purposes, including to damage, destroy or hijack IT (Information Technology) or OT (Operations Technology) systems.1
Multiple different targets, forms of attacks, motivations, and perpetrators can be involved in cyber-crimes.
Characteristics
Targets
Not all cyber-crimes discussed in this entry specifically target the maritime sector, but may instead aim to infect as many systems as possible.2 As such, there is a distinction between targeted and untargeted attacks.3 Even so, cyber-crimes pose an increasing risk to the maritime sector, even when untargeted. This is due to the specific dynamics of the sector’s critical infrastructure.4
For example, the movement of ships across international boundaries exposes their systems to a larger number of unknown IT networks.5 Because many ships are relatively old (the average age of ships is over 20 years),6 they often have a mix of old and new systems, some of which may be obsolete. Many ships (including naval vessels) cannot upgrade these easily due to outdated hardware.7 Tam and Jones argue that the design cycle of newer ships is of a duration that means this problem will likely continue to exist.8
Other reasons ships are particularly vulnerable to cyber-attacks are their differing systems, the duration of their voyages, which creates large windows of opportunity for cyber-attacks, a nominally low bandwidth while at sea, and alternating between extreme isolation and global connectivity at international ports.9 Because ships often change crews, it can be difficult to ensure that all crews are aware of cyber-vulnerability, meaning human failure can also be a significant risk factor for ships.
Ships are increasingly connected to networks through very-small-aperture terminals (VSAT), and their bandwidth capacity is increasing. This means they can access networks with greater regularity and share more information, making them more susceptible to cyber-attack.10
Shipping is also increasingly reliant on networked systems for its operation.11 Navigation depends on electronic systems such as ECDIS, GNSS, VDR and Radar/ARPA, as well as the un-encrypted Automatic Identification System (AIS) network.12 In some cases, ships are unable to sail without these systems; many are designed to be paper-less and are therefore dependent on digital means of navigation.13 Propulsion too is increasingly automated, especially power control systems, and is often networked through integration with navigation.14
Ports are also at risk of being targeted. Computer systems undergird the global flow of maritime commerce. Ports incorporate a variety of networked OT systems, including modern gantry cranes, and scanning systems.15 The advent of ‘smart ports’ means more of the day-to-day operations are automated, increasing vulnerability.16 Port operators and agents also rely on IT for their management, such as freight management, operations data, traffic control communications, financial data, and corporate systems.17
These infrastructures are often connected, with data flowing between a large number of actors from across the globe.18 This means that a cyber-attack targeting or impacting on one actor can quickly spread to other actors and different infrastructures.19
Types of attack
Cyber-attacks can take multiple different forms.20 In order to provide a simplified overview, these will be explored through the effects they have – firstly, those that impact directly on operations, and secondly, those that are used to facilitate other forms of criminality.
The first type of cybercrime stops or limits operations, generally through a direct attack that damages systems or makes them either inaccessible or limited in such a way that continuing operations in ports or onboard ships and offshore infrastructure would be impossible or unsafe. Autonomous shipping, port services, navigation aid systems, offshore platforms and marine traffic control centres are all potential targets for these kinds of crimes.
Cyberattacks of this type can include mechanisms such as malware (software designed to damage systems), ransomware (software that blocks access to systems or publishes data unless a ransom is paid), and Distributed Denial of Service (DDoS – the flooding of a network with data to make it inaccessible). The Baltic and International Maritime Council (BIMCO) report a case where a shipowner opened an infected email attachment sent from two unwitting ship agents which made systems inaccessible until a ransom had been paid.21 Similarly, a large-scale destructive malware attack was targeted at the Maersk line in 2017.22 This saw malware spread across up to 76 ports causing widespread system outages. Both of these examples shut down operations by making information systems inaccessible.
Ships are also at risk from these forms of attack. In 2016 in South Korea 280 ships had to halt operations due to problems with their navigation systems.23 Viruses and malware have been shown to contribute to these issues, causing stoppages in operations due to safety concerns and an inability to navigate effectively.24 While these navigation systems were connected to the internet, even air-gapped systems (those not physically connected to an external network) have been shown to have dormant viruses.25
Many of these attacks are likely to have been untargeted. However, analysis by BIMCO suggests that targeted attacks are more sophisticated, because specific tools and techniques will be created for targeting the company or ship. These might include the manipulation of insider individuals; brute force (where many passwords are tried); and DDoS attacks.26
Spoofing is a targeted form of attack that has become a concern for ship navigation.27 Spoofing involves deceiving the positioning systems of the ship into accepting a counterfeit signal, so that the ship makes unintended course corrections.28
One study conducted by Trend Micro demonstrated an ability to recreate a VHF frequency on AIS that could simulate a “ghost ship” in a nearby port, which would alert vessels they were on a collision course and change their path.29 In a further study the University of Texas-Austin were able to effectively take remote control of a yacht in the Mediterranean by overpowering the onboard GPS.30 Spoofing can also cause ships to misreport or lose their own position, as occurred in the Black Sea in 2017 in an incident that impacted over 20 vessels.31 The diversion of ships through spoofing impacts negatively on operations, requiring them to right the course manually or halt altogether until the issue is resolved.32 Jamming can also cause such issues by causing failures in navigation systems.33
Data loss and theft resulting from hacking can be a serious targeted cyber-crime. In a case against an Iranian Shipping Line, for example, data loss relating to delivery and locations of containers meant that cargo containers could not be identified or located, causing financial loss.34 There have also been cases where companies have been extorted into paying hackers so that confidential business information is not released.35
A second type of cybercrime aims to facilitate other maritime crimes such as drugs trafficking, piracy, and fraud through various forms of cyber-attack, for example by hacking port systems that control and track container movement in order to hide shipments of illicit goods. An indicative case was the hacking of the Port of Antwerp’s digital container tracking system in 2013.36 Containers trafficking drugs could be released without port authorities becoming aware, and traffickers could reach containers before their legitimate owners.37 Initially this was done through the cultivation of insiders in the port system, which then allowed hackers to re-enter electronic systems remotely. In other cases, traffickers have been able to discover which containers are under suspicion in order to avoid collection, as occurred in Australia in 2012.38
Robbery and piracy can be facilitated by cybercrimes. By hacking a system, attackers can browse cargo and container lists to identify the most valuable goods for black markets, to then be stolen in the port or targeted for future piracy attacks when the ship is at sea.39 Between 2010 and 2011, for example, a Greek Shipping Company was targeted by pirates in the Gulf of Aden after hackers had gained access to route timetables and ship vulnerabilities.40 It has been suggested that spoofing can also make piracy easier, by making the ships appear to be elsewhere – either leading them into more dangerous areas or making rescue difficult.41
Cyber-fraud, too, is an increasing problem. A number of maritime bunkering and fuel services have fallen victim to such frauds, including World Fuel Services, who were defrauded of $17.9 million by a faked order.42 Criminals were able to create a fake fuel supply tender, which led to a ship-to-ship transfer. When they attempted to bill the agency in the documents, however, there was no record of the transaction. Vulnerabilities are increased because many transactions occur over email.43
Perpetrators
Some attacks are undertaken by independent individuals and are relatively minor in scale and effect. These may be carried out by hackers outside of the system or disgruntled employees.44 The motivation for such attacks may be economic gain, but there may also be non-financial reasons, such as a desire to cause vandalism, leak information, prove cyber skills and enhance reputation in the wider community, or even ideological motivations when wanting to damage operations to protest for an activist cause.45 Within these relatively small activities some may be opportunistic rather than planned and be undertaken without specialist knowledge of techniques and tools.46
Other cybercrimes are more organised. In the cases of trafficking facilitation above for example, there were links to South American organised criminal groups. Corrupt employees can also be implicated in such attacks. Attackers often need an in-depth knowledge of port systems and infrastructure, as well as expert knowledge of the techniques and tools for cyberattacks, both of which demand sophisticated organisational capacities.
Other groups engage in corporate or industrial espionage.47 These can include corporations seeking to create competitive advantage.48 They may act directly or through third parties with the aim of harming a rival by collecting business intelligence, stealing intellectual property, or disrupting operations to cause financial or reputational loss.49
Not all organised cyber-crimes are targeted or have a financial motivation. For example, the Maersk case discussed above was well-orchestrated, but seems to have been aimed at disruption as much as financial gain. This has led to a recognition of a distinction between vandalism, which is relatively small scale and disorganised on the one hand, and well-organised and intentional sabotage on the other.50
A final difficulty is distinguishing between acts undertaken by criminal groups or independent hackers, and those carried out by states. State-led cyber-crimes tend to be viewed as issues of national security. Cyber-attacks are increasingly difficult to attribute,51 especially if they are undertaken by perpetrators with less clear state-sponsorship. Some of these criminal acts are thought to be undertaken by states due to the targets involved and the sophistication of the attacks. In 2020 for example, a cyber-attack in Iran’s Shahid Rajaee port terminal – thought to have been conducted by Israel – halted operations.52 There are also increasing concerns that terrorist groups could engage in cyber-crimes.53
Scope
There was initially criticism that the frequency and potential of cyber-attacks had been overestimated.54 In response, sources such as CyberKeel and Maritime Cyber Emergency Response Team produce bulletins identifying maritime cyber attacks when they take place.55 BIMCO also collect this information.56
Despite these efforts, the scope of cybercrime in the maritime sphere is not well understood. There is no centralized reporting mechanism and there has been some degree of confusion whether channels for reporting emergencies include cybercrimes.57 This has led to calls for an accessible and streamlined reporting process.58 However, such systems are limited because cybercrimes are sometimes not disclosed by those targeted due to concerns over reputational loss, the exposure of flaws in their IT infrastructure, or misclassification as technological error.59
Even so, it is clear that cybercrimes in the maritime sector are on the rise and that many more attacks occur than are made public.60 Cybersecurity consultancy Naval Dome for example reported a 400 per cent increase in their detected attempted attacks between February and May 2020.61 The COVID-19 pandemic is thought to have had an impact on this increase, because more systems became digitally connected out of necessity.62 Overall, Safety at Sea and BIMCO report 31 per cent of companies surveyed reported an attempted cyber attack in 2020.63
Impact
The kinds of attacks described above have a number of tangible impacts. There are also hypothetical impacts should some (so far unsuccessful) cybercrimes succeed.
First, paying ransoms or dealing with operational shutdowns has an economic impact. The attack on Maersk for example, is argued to have cost as much as $300 million in lost revenue and costs associated with re-building compromised networks.64 Systems may also be damaged or destroyed. Theft facilitated by cybercrimes also causes a significant economic impact.65
Reputation damage, while negative in itself, might also have an economic impact by limiting future revenue.66 There are concerns that if ports were disrupted by cyber-attacks, the zero-inventory just-in-time nature of many economies would see commerce severely disrupted.67 This would have a severe economic impact for workers, business revenue and also the shipping lines themselves as goods would have to be diverted.
Cyber-crimes that facilitate drug trafficking undermine enforcement efforts and the rule of law. They also contribute to income for illicit organised groups. In the wake of the Antwerp case discussed above, over $365 million of drugs were seized – demonstrating just how profitable the operation was to the organised gangs.68
Cyber-attacks may impact on the physical safety of ships, crews and others. Disrupting navigation could lead to ship-on-ship collisions or even cause ships to go aground.69 As yet, this remains only a hypothesised outcome, but the growing reliance on automated shipping means it is a possibility based on the successful spoofing attacks that have occurred so far. Undetected attacks on Mobile Offshore Drilling Units have the potential to cause oil spills or loss of life through explosions.70 If OT systems in ports were compromised, it could lead to injury or death due to the dangerous nature of the cranes and ship movement.71 There are also serious security and safety implications of having queues of ships outside of a port entrance in the case of a shutdown.72
Finally, Kramek hypothesises that some cyber-crimes could also impact on military operations, and therefore have a significant national security dimension.73 In his analysis of the Port of Beaumont, through which much of the US Army’s logistics run, he argues that any attack there could impact the military’s ability to respond to crisis or conflict.
Linkages & Synergies
Cybercrime is most often linked to illicit trafficking, given traffickers’ past usage of cyber to facilitate the movement of cargo through ports. It is also linked to piracy, as information gained through cyber-attacks has been used to inform pirate attacks in the past.
Responses
Responses to cybercrime in the maritime sector have been slow in coming, though there is a movement towards improved guidelines for maritime stakeholders.
Most evidence suggests that ports and shipping lines are under-prepared for cyber threats,74 due to a lack of awareness about cyber-security among management and stakeholders, and a belief that the prospect of an attack is either unlikely or theoretical.75 There may also be a confusion of responsibility for cyber security between port authorities and IT providers.76 Kramek demonstrates that most ports in the US did not claim Port Security Grant Program funds (which could be used for any aspect of port security) for cybersecurity purposes.77 Most did not have cyber incident response plans. These factors have led some to argue that the maritime industry is 10-20 years behind comparable industries in addressing cyber security challenges.78
International
A number of international organisations have released guidelines for shipping companies and ports, including BIMCO, the International Maritime Organisation (IMO), the European Union Agency for Cybersecurity (ENISA), International Association of Ports and Harbors (IAPH),79 and EUROPOL.
The expected outcome of these guidelines is a greater awareness amongst stakeholders of the issues, leading to better cyber security policies and training for staff.80 Such training is important due to the ‘insider threat’, where employees may unwillingly contribute to cyber-attacks through their own lack of awareness.81
Insurance companies have played a role in raising awareness, especially as many exclude cyber-attacks from their policies and therefore increase risk (the Institute Cyber Attack Exclusion Clause).82
International guidelines also suggest security audits and assessments,83 penetration testing, network segmentation, regular network scans, multi-factor authentication, identification of stakeholders, the creation of a security operations centre with a dedicated cybersecurity officer, and physical security assessments.84 Relatively basic guidelines include the need to employ antivirus and encryption measures, frequent password updates, and electronic data backup, as well as limiting the use of USB devices by employees.85
In their Interim Guidelines in Maritime Security Cyber Risk Management, issued in 2017, the IMO proposes an approach based on five functional elements: identify, protect, detect, respond and recover. Shipping companies had to come into compliance on the 1st of January, 2021.86
National
National guidelines have also been implemented. Examples include two sets of codes of practice from the UK’s Department for Transport (Cybersecurity for Ships, and the Cyber Security Code of Practice for Ports),87 France’s Critical Infrastructures Information Protection Law,88 and the German IT-Grundschutz.89
While preventative guidelines to cyber-threats are increasingly common, strategies for actually responding to cyber-attacks are less well-developed. Reporting attacks to national jurisdictions when underway remains problematic, for example.
Some countries have delegated cyber-security to a specific agency or department in order to build stronger cyber resilience. In the US for example, the US Coast Guard is charged with protecting the maritime sector from cyber-crimes. They send out monthly notices to the maritime community in the United States with links to cybersecurity awareness bulletins, training, tools, and alerts.90 However, coordination with other relevant agencies has sometimes been problematic.91 Coordination challenges have also been recognised within the EU. The European Union Agency for Cyber Security (ENISA) for example argues that ‘the fragmentation of European maritime policies brings difficulties for the clear definition of responsibilities and roles to be taken regarding cyber security matters in this sector.’92
Coordination and information-sharing between state and private stakeholders such as shipping agents and port authorities can also be difficult. This is problematic when these stakeholders share access to the same systems and networks.93 One port can incorporate up to 900 different stakeholders for example.94 Some may use different IT systems with different technical support teams behind them. As ENISA argues, ‘this [port] ecosystem is built from companies of various sizes, with various levels of cybersecurity capabilities and can even be direct competitors among themselves’.95 Efforts are underway to solve this problem – Port Information Sharing and Analysis centres, for example, aim to establish public-private partnerships and are predicated on trust-based networks that allow for secure information-exchange.96
List of References
1. Alcaide & Llave 2020
2. MARLINK 2018; BIMCO 2021
3. MARLINK 2018; BIMCO 2021
4. Tam & Jones 2018; 2019
5. Tam & Jones 2018; 2019
6. Statista 2022
7. Goldman 2015; Tam & Jones 2018; 2019
8. Tam & Jones 2018
9. Tam & Jones 2018
10. MARLINK 2018
11. Balduzzi et al. 2014; Driva 2016; Hareide et al. 2018; Tam & Jones 2018; 2019; Tam et al. 2021
12. Marsh 2014; Daum 2019; BIMCO 2021
13. Tam & Jones 2018
14. Daum 2019; BIMCO 2021
15. Kramek 2013; ENISA 2019
16. Chelin & Reva 2020; ENISA 2019; Bagwandeen 2022
17. Kramek 2013
18. Loomis et al. 2021; Kessler & Shepard 2022
19. BIMCO 2021
20. Kessler & Shepard 2022
21. BIMCO 2021
22. Mathews 2017
23. BIMCO 2021
24. BIMCO 2021
25. Tam & Jones 2018
26. BIMCO 2021
27. Daum 2019
28. Daum 2019
29. Ferran 2013
30. Daum 2019
31. Daum 2019
32. Hareide et al. 2018
33. Homeland Security 2016; Daum 2019
34. Cyberkeel 2014; Kapalidis 2020
35. BIMCO 2021
36. EUROPOL 2013
37. Cyberkeel 2014
38. Kotchekova 2015
39. ENISA 2019
40. BIMCO 2021; Kessler & Shepard 2022
41. Daum 2019
42. Bunker Index 2016
43. Ship & Bunker 2014
44. Department for Transport 2017; 2020; Daum 2019
45. Department for Transport 2017; 2020; Daum 2019; Loomis et al. 2021
46. Department for Transport 2017; 2020
47. Newberry 2015
48. Daum 2019
49. Department for Transport 2017; 2020; Daum 2019
50. ENISA 2019
51. Daum 2019; Fahey 2017
52. Warrick & Nakashima 2020
53. Kramek 2013; Newberry 2015; Tanti-Dougall 2014
54. Jensen 2015; Cyberkeel 2014
55. Maritime CERT n.d.; Cyberkeel 2014
56. BIMCO 2021
57. Tam & Jones 2018
58. Silverajan & Vistiaho 2019; Loomis et al. 2021
59. Ahokas et al. 2017; Cyberkeel 2014; Jensen 2015; Larsen & Lund 2021; Loomis et al. 2021
60. Kessler 2019
61. Maritime Executive 2020
62. Khun et al. 2021
63. Safety at Sea & BIMCO 2021
64. Kessler 2019
65. Tam & Jones 2018
66. Tam & Jones 2018; MARLINK 2018; Alcaide & Llave 2020
67. Kramek 2013; Khun et al. 2021
68. Kapalidis 2020
69. Daum 2019
70. Belmont 2015
71. ENISA 2019
72. ENISA 2019
73. Kramek 2013
74. Ahokas et al. 2017; ENISA 2019
75. Cyberkeel 2014; ENISA 2019; Khun et al. 2021
76. Kramek 2013
77. Kramek 2013
78. Caponi & Belmont 2014
79. IAPH 2020
80. BIMCO 2021; ENISA 2019; Khun et al. 2021
81. Tam & Jones 2018; Fitton et al. 2015
82. Marsh 2020
83. BIMCO 2021; Chelin & Reva 2020; ENISA 2019
84. ENISA 2019; Department for Transport 2017; 2020
85. ENISA 2019
86. Daum 2019; Petta 2021
87. Department for Transport 2017; 2020
88. ANSSI n.d.
89. ENISA n.d.
90. USCG n.d.
91. Kramek 2013
92. ENISA 2011
93. ENISA 2011; ENISA 2019
94. ENISA 2019
95. ENISA 2019
96. USCG 2015; Larsen & Lund 2021