Maritime Cybersecurity Low to Non-Existent

Tuesday, January 24, 2012

Joel Harding


According to the European Network and Information Security Agency or ENISA, “Maritime cyber security awareness is currently low, to non-existent.”

Imagine, if you will, a huge behemoth of a ship – a tanker or a cargo ship – controlled by hackers.  Imagine a LPG or LNG  ship being used as a remotely controlled bomb.

Instead of buying a ship for the relatively cheap price of $15 million, one could simply take control of the ship remotely and guide it into a target from thousand of miles away.

Imagine the boom that 135 million cubic yards of natural gas could make if an LNG ship were run aground beneath the George Washington Bridge, on the West side of Manhattan

LNG Tanker

Not only would the main thoroughfare up and down the East Coast potentially be obliterated, the blast could conceivably emulate a nuclear blast in its bursting radius.  A major part of Manhattan would disappear, as would a critical portion of New Jersey. 

Oh, I forgot to mention, people, LOTS of people, might die.  This would probably be considered an act of war, more people could conceivably be killed than on 9/11/2001.

This is especially disturbing, as the International Maritime Organization (IMO) has mandated the transition from the primary use of paper charts to the Electronic Chart Display and Information System (ECDIS) beginning in 2012.

On the surface this is a fine and noble cause, updates received from weather satellites and reports of pirates enable a ship to avoid hazardous areas, this could be deemed rerouting for safety and security.

This is where the disconnect first appears. The ENISA is calling for a merger between their standards and the IMO.  This is fine, until one reviews the IMO documents for remote operations – THERE IS NO MENTION of CYBER-SECURITY.  Not one.

 IMO mentions ‘cyber’ as a developing problem in a total of two documents in the forms of warnings, but other than the training of the Ship, Company and Facility Security Officer, there is no mention of a security functionality and there is absolutely no mention of cybersecurity anywhere.

ENISA has first exposed a problem in their report, IMO still has to address this problem.

Cross-posted from To Inform is to Influence

Possibly Related Articles:
Industrial Control Systems
SCADA report Network Security ENISA National Security hackers Maritime Joel Harding IMO International Maritime Organization ECDIS
Post Rating I Like this!
Laura Walker Don't even get me started on our ports.
Sara Hald While I do agree that maritme cybersecurity could and should be better, there is still a far cry from hacking electronic maps to remote controlling an LNG ship into a bridge. There are enough real threats to deal with, we don't need to think up some that are not (as of yet) a problem. That being said, it is definately an area, where we need to pay attention as more and more systems are being digitized and automated.
Don Jackson I seem to remember a simulation of this sort with Boston as the target, it was on the History Channel or one of those documentary stations, and yes this does pose a very real and serious threat. However, for this “remote” attack to work it would have to happen at the very last minute, you cannot seize control of the ship while it’s at sea and sail it to where you need it, the attack would have to happen when the ship is in one of these choke points close to the target if it has any hope of achieving it’s goal.

Another question comes to mind… are these ships capable of being controlled from point A to point B remotely… just because they receive GPS guidance or navigation information does not mean the GPS controls the ship, plus, it can be disabled. But I do get your point that these things should be addressed.
Joel Harding Don, the short answer is I do not know for certain. It is my belief that it is possible, based on conversations with a few people in the field. Based on decades of experience, if there is any connection - whatsoever - even with the greatest of firewalls, all systems are vulnerable, given enough effort and time (and money).

On the surface, if this is just a map system, and it is not connected in any way to the navigation system, there is no problem. Somehow, however, I cannot fathom a mapping system not integrated into a navigation system. Given that the mapping system is communicating, this presents an open portal which can (and will) be commandeered. If security is not the top priority, it will be vulnerable. Just because we have not noted an intrusion into the system does not mean it has not already happened. Without Intrusion Detection Systems present, installed and properly maintained and monitored, one cannot state that their system is safe.

How long should we wait before we raise this issue again? Until we've had an incursion? How long before the ENISA fixes the problem and mandates security? How long before a LPG targets New York or the Port of Los Angeles or Houston? How about another port in another country?
Joel Harding Oops, I meant LNG, not LPG.
Joel Harding One last thought... there are more lucrative targets along the coast. Petroleum and gasoline storage and processing facilities - these would produce an even bigger bang. Just take out the harbor master facility and a vital port would be damaged - not permanently, but the terror factor alone would be huge. Set off near a nuclear power facility and you would crimp the power supply to a metropolitan area. The reactor itself may not go into a meltdown, but the infrastructure carrying the power - the wires, the power station, all would be exposed and vulnerable.

If a rogue group, be it a nation state or a non-affiliated terrorist group - anyone without scruples, sets their mind to hijacking one of these vessels - leave no trace, announce no demands, simulate and emulate normal practices until it is too late...
Don Jackson Joel... I hope that I misunderstand the tone of your response to my post... but I wasn't trying to punch holes in your theory, I was simply asking questions that I think anyone would when a theory is proposed. I also said that you were correct that this is something that should be investigated... fully.

The point that I was making was that even if these ships are and can be steered via remote or commands to a navigational system, unless the "attack" took place in what could be considered a point of no return such as those placed that you mentioned it would be useless... why hijack the ship on the high seas if you want to blow up the Port of Los Angeles or Houston when all that would be needed to solve the problem is to return to manual control or intervention by the Navy or Coast Guard?
Joel Harding Sorry, Don, I didn't mean to sound defensive. Apologies. I'm about as even keeled as you will find. No insult taken, and I'm sure none intended and certainly no intent on my part.

I think I want to explore this more fully, at a later date - I have a two week business trip coming up.
Geoff Cruickshank Yep.....having worked on international ships, this is entirely possible. Most of the large marine insurance brokers demand automation / SCADA in order to class critical areas of the ship as UMS (unmanned machinery space) and therefore pass survey. If SCADA / automation is not present then humans must physically be in the space 24/7. Critical areas include engine rooms, steering spaces, battery rooms and in most cases the bridge deck. Most of the engine controls are completely electronic using MODBUS, Profibus or ethernet protocols to issue throttling / directional commands to the powertrain. Most of the steering systems also issue commands to the tiller annunciators / bow thrusters via electronic means. Couple these factors with high speed satellite internet connections for the crews (distributed throughout the ship using the same network infrastructure as the above-mentioned control systems) and you have a VERY plausible attack vector.
Geoff Cruickshank Don - unfortunately GPS does pretty much completely control the steering systems - many seafarers today wouldn't know what a sextant is, let alone how to use one.
Joel Harding Geoff, trying to hook up with you on LinkedIn...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.