To date, there have been no publicly acknowledged cyberattacks that have similarly impacted a ship, although cyberattacks on other systems connected to shipping are known throughout the industry and maritime academia. The researchers warn that this lack of public acknowledgement does not mean the risks aren’t there.
“We are seeing spoofing and jamming more often now, with foreign governments trying to do different things to confuse the Western world and to create disputes about whether ships entered national territorial waters,” said Marie Haugli-Sandvik, a Ph.D. Candidate at NTNU.
Reports have suggested that Chinese actors have spoofed AIS (automated identification system) broadcasts required of ships under international law to signal their location to other vessels nearby while potentially unloading oil covered by U.S. embargoes to terminals on China’s eastern coast.
There have also been suggestions that the Iranian Revolutionary Guards Corps has deployed GPS jamming to trick merchant vessels into entering Iranian waters around the strait of Hormuz.
Haugli-Sandvik said the researchers had collaborated with the team at the Cyber-SHIP Lab at the University of Plymouth in England who “successfully hacked a rudder on a ship” during a simulation, and “made the ship run aground in such a timeframe that the deck officers wouldn’t be able to stop it.”
Although this was a simulation, Haugli-Sandvik and Erlend Erstad, a Ph.D. candidate at NTNU — both of whom have previously worked as deck officers aboard merchant vessels servicing Norway’s oil rigs — said the risks of an attack directly affecting a ship are real and demand greater awareness and training among seafarers.
While a deck officer, Haugli-Sandvik said she didn’t think of a cyberattack on the ship as a possible threat. Erstad agreed: “Just like most people do today, they think that this won’t happen to me, so I don’t need to consider it.”
Erstad told Recorded Future News that he did not know of “any reported safety accidents at this moment,” but he cautioned that there have been “unexplainable” incidents that haven’t yet been attributed to a cyberattack or a technical error. “We know there are unreported events in the industry, as the ship owners and charterers haven’t had any official reporting schemes until recently. Sailors have handled cyber issues on the same basis as any other technical issue,” said Erstad.
Challenges Identified by the Norwegian National Security Authority’s Risk Report 2022
In its 2022 Risk Report, the Norwegian National Security Authority (NSM) points to a threefold increase in the number of serious incidents and cyber operations from 2019 to 2021. The corresponding report for 2023 addresses the issue that there are many vulnerabilities in unclear supply chains, and that with more unpredictability the industry needs to be better prepared.
The maritime industry has worked with digitalization in both traditional information technology systems (IT systems) and in operational technology in systems for automation, propulsion, management and other control systems. The greater the use of remote connection, integration and digitization in operational technologies, the more vulnerable the operation can be.
At the same time, the lifetime of larger ships is generally between 25 and 35 years, and digital upgrades in the entire international fleet usually happen gradually and over time. There is great variation in computer equipment on board both for administrative functions and control systems.
The situation is much the same as for ports, where more and more operations are being automated. When it comes to port traffic alone, incidents have been uncovered that resulted from cyber-attacks on IT and administrative systems. These lead to business interruptions, information theft and manipulation linked to smuggling. (1)
What Next?
The Cyber-SHIP Lab research has helped the maritime industry assess cyber risk and scenario narratives in a markedly different way.
During a training course which was an element of the research project, researchers examined the effects of a compromised ballast water treatment system. They found that an attacker could make ‘the ship move uncontrollably to one side’. This wasn’t based on a known vulnerability of the system. The point was to train sailors how to respond if something does go wrong. ‘The learning outcome and the intention of the scenario was not to tip the ship over to make a disaster of some kind, because if you do that you don’t get any learning points for the student,’ explained Erlend Erstad, a Ph.D. candidate at NTNU.
“We know about a lot of vulnerabilities in vessels’ systems and how they can be exploited. So, we know what’s possible. But there is a difference between what’s possible and what’s most likely,” said Marie Haugli-Sandvik, a Ph.D. Candidate at the Norwegian University of Science and Technology (NTNU).
Taking control over an entire ship was “very, very, very unlikely,” said Erstad, but compromising a single system and using that to imperil the whole vessel “might be doable.”
“We see that OT [operational technology] and IT [information technology] are connected in very uncontrolled manners on ships today, and that also makes it possible for IT ransomware to be translated over to OT networks onboard the ships,” warned Haugli-Sandvik.
“People often don’t understand the risks. … If you work on a vessel, you work on a floating computer, and there are some threat actors out there that can harm you, or your vessel, or could be interested in the information you have, if you are working within, for example, energy or oil and gas, and so forth,” she added.
“We would like to raise awareness amongst seafarers,” added Haugli-Sandvik. “If we say ransomware is something you need to worry about because your company can go bankrupt, that’s obviously something management would worry about, but if you have to worry about ransomware on your vessel because you can run aground, it’s a different scenario [which seafarers themselves would pay attention to as well].”
Human behavior “can decrease cyber risk a lot,” she said. “That’s where we put our pressure because we are not technical IT experts, we are former deck officers, so our main focus is on the crew, and how they can behave in the best way possible to protect both themselves to decrease the possibility of a cyberattack happening and know what to do in the first hours and days if you are hit by a cyberattack.”
Last October, Norway’s prime minister Jonas Gahr Støre warned that Russia poses “a real and serious threat” to the country’s oil and gas industry amid criticisms that the Scandinavian country has acted too slowly to protect its petroleum sector — including the vital role that the merchant fleet plays — from cyberattacks. (2)
Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.