The Port of New York and New Jersey is the largest port on the east coast of the United States, touted by officials as the “gateway to one of the most concentrated and affluent consumer markets in the world.” But for a few weeks last summer, the goods moving through one of its terminals slowed to a crawl because of a global cyberattack that originated 4,500 miles away.
“The delays were six to eight hours to pick up a container,” said Jeffrey Bader, chief executive of the trucking company Golden Carriers, recalling when a terminal in Elizabeth, New Jersey, switched to manual operations while its systems were down. “The line was many, many miles long. Trucks, trucks, trucks.”
The terminal’s operator, APM Terminals, is a subsidiary of the world’s largest container shipping company, A.P. Moller-Maersk Group. The company, which transports roughly 20 percent of the world’s cargo containers, was among the hardest hit by the NotPetya ransomware. NotPetya sprouted in hacked accounting software in Ukraine in late June, and by exploiting a weakness in Microsoft Windows operating systems, quickly went global as it infected corporate networks and locked down the data of contaminated computers. Hackers would usually restore access after a ransom payment is made, but NotPetya was engineered to cause chaos more than extort funds, cybersecurity experts say.
Maersk and many other global firms affected, such as FedEx and pharmaceutical giant Merck, were not specific targets of the attack, but that didn’t matter. In a “heroic effort” over 10 days, Maersk reinstalled 4,000 servers, 45,000 personal computers and 2,500 applications, chairman Jim Hagemann Snabe said at the World Economic Forum meeting in Davos last month.
Snabe called the episode a “very significant wake-up call” that cost Maersk, which has been applauded for being unusually public about the whole episode, as much as $300 million.
The entire shipping and maritime sector, a crucial part of the global economy that impacts ocean health, heard that alarm bell. It is, according to many experts, an industry that is lagging in its preparedness to face modern cybersecurity threats. As ships become more connected to online systems and controlled by software, the risks will only grow.
“This summer is when everybody woke up,” then U.S. Federal Maritime Commissioner William Doyle said at the Shipping 2030 North America conference in New York City in November.
Companies, governments and experts have, in fact, been gathering at meetings and conferences for the last several years to talk about cybersecurity risks both at sea and at port. These extend beyond the usual I.T. and business concerns common to any corporation to the industrial, navigational and information systems that, if breached, could pose national security, environmental and worker safety risks. Both the International Maritime Organization and the global shipping industry group BIMCO have issued cybersecurity guidelines in the last two years, as have national governments and the U.S. military.
But the shipping sector as a whole has been playing catch-up, and it still has a long way to go. “We are about 20 years behind the ball compared to many industries worldwide,” Kate Belmont, a lawyer specializing in maritime cybersecurity issues at the firm Blank Rome in New York City, said at the November conference.
The long lifetime of ships and the relatively slow pace at which vessel systems at sea have been connected to the internet, along with the particularly global and interconnected nature of the business, all help to explain why the industry has been slow to grapple with cybersecurity threats.
But cyber attacks and everyday malware infections are increasingly common. The Port of Los Angeles’ executive director recently testified before a congressional homeland security committee that the port’s three-year-old Cybersecurity Operations Center is handling an unprecedented 20 million-plus cyber intrusion attempts. A survey conducted by maritime consulting firm Futurenautics found that 40 percent of 5,000 shipboard officers surveyed said they’ve sailed on a ship they know has been infected with malware, its chief executive KD Adamson said.
Unlike Maersk, most shipping companies are tight-lipped about data breaches. “Attacks have been occurring, but nobody wants to talk about it, so a lot of people don’t believe they are happening,” Belmont said.
Ken Munro, who works with the firm Pen Test Partners and conducts what is called “penetration testing” to find cybersecurity vulnerabilities for clients, contrasted the shipping industry with the aviation sector, which he says has deployed anonymous reporting systems for all kinds of situations. In that industry, he said, “an incident is viewed as something you can learn from, not something you should hide.”
Although many worst-case scenarios at sea – ranging from a hacker taking control of a vessel’s navigation systems to causing a ship to spill its oil, explode or sink – have been shown to be theoretically possible, the list of major publicly known cybersecurity incidents is relatively short and not as dramatic.
Over the last few years, cybersecurity specialists have uncovered or demonstrated software vulnerabilities and, just as worrying, human oversights that could allow a cyber intruder to gain access to or control of a variety of ship systems. Among them: the navigational Electronic Chart Display and Information System; a load planning system that balances weight on a containerized ship; or even the voyage data recorder.
One researcher demonstrated at a conference in 2017 how he could quickly take control of a billionaire’s super yacht, according to the Guardian. Another showed that a ship’s satellite communications system was not only connected to the public internet but used default login credentials (for example, a username like “admin”) that could allow anyone relatively easy access.
USB sticks that seafarers still carry and can connect to ship systems are one way malware can make its way to ships and cause trouble, according to Andy Davis, transport assurance practice director at the cybersecurity consulting firm NCC Group. But while ships used to be isolated and off the grid while at sea, now-common “satcom” boxes can also provide entry for hackers looking for access to a vessel’s systems.
“Hackers who have a modicum of sense, who can discover these devices on the internet, they can find security flaws in them and compromise ships,” said Munro.
It is also still uncommon, he said, for ship technology manufacturers to offer a straightforward way for outside researchers to flag software vulnerabilities or bugs they find. “The manufacturers – they really haven’t woken up to security yet,” said Munro. “It’s going to take them several years to get onboard vessel control systems to a point of security where everyone else is already at.”
For now, major publicly known targeted attacks have largely involved stealing critical information, not compromising a ship’s physical systems. In a 2017 report about an unnamed company, Verizon’s cybersecurity team described how pirates hacked into a ship’s cargo management system to target valuable crates. In another example, the Port of Antwerp in 2013 reported that smugglers had gained access to a data system to make it easier to bring drugs through the port.
But it can also be hard to tell whether a cyber incident has even occurred. After the separate collisions of two U.S. Navy destroyers in 2017, speculation that hackers were involved prompted the Navy to include a cyber attack assessment in one of the cases as part of a larger investigation, according to Foreign Policy. Two experts following the Navy’s cyber assessment wrote about why these kinds of forensic investigations are new and difficult. “It is clear that we do not yet have the basic tools to definitively answer the question, ‘Were we hacked or did we break it?’ ” they said.
Another widely discussed episode on the Black Sea this past summer left unanswered questions. The U.S. Maritime Administration issued an advisory that about 20 vessels in the area were reporting interference with their GPS systems that could affect navigation. Outside researchers found patterns of GPS “spoofing,” in which a false signal confuses a GPS receiver and could potentially misdirect the ship. While it’s well known that it’s possible to spoof GPS signals – and the U.S. government is working to develop a more secure alternative to GPS – there’s no definitive answer yet for what happened.
As ships become more controlled by software or, in some cases, even autonomously operated, questions about cybersecurity will become even more important – or may slow down adoption of these kinds of technologies. “Right now, cybersecurity risks haven’t been solved at all,” said Lars Jensen, founder of the Danish maritime cybersecurity firm CyberKeel, referring to autonomous technologies. At a far more basic level, he says, companies need to do more to train workers and develop more sophisticated strategies to protect critical systems.
As a legal matter, it’s now even possible that ship owners could potentially be held accountable if a real disaster strikes because of a cyberattack they could have easily prevented, attorney Belmont said. “The definition of seaworthiness now has changed,” she said.