The $500 billion shipping industry is familiar with handling risks: weather, mechanical failures, war and piracy, labor strife, and political challenges. But until fairly recently, experts say, many players in the maritime transport sector didn’t put cybersecurity near the top of that list.
Then came NotPetya. Last June, computers at the Danish shipping giant Maersk were infected in that international malware outbreak, since attributed by U.S. authorities to Russia. The infection, in which Maersk isn’t believed to have been deliberately targeted, cost the business between $250 million and $300 million as it reduced its normal shipping volumes and scrambled to reinstall software on tens of thousands of PCs and servers.
“Imagine a company where a ship with 10,000 to 20,000 containers enter a port every 10 minutes, and for 10 days you have no IT,” Maersk chairman Jim Hagemann Snabe said in a panel session at the World Economic Forum in Davos in January. “It’s almost impossible to even imagine.”
Snabe called the malware incident “a very important wake-up call,” and others in the maritime industry agree it’s brought cybersecurity issues to the forefront.
“Stakeholders in the industry are now beginning to acknowledge, yes, there might be a problem,” says Lars Jensen, cofounder and CEO of CyberKeel, a Copenhagen cybersecurity focused on the maritime world. After all, he says, Maersk “had not been as lax” as other companies in the industry.
“If that is just you being caught in the crossfire, imagine what a targeted attack would do,” he says.
In the worst case, hackers could hijack navigational tools and cause collisions—high-profile crashes by U.S. Navy ships last year raised fears of such attacks, though no evidence of hackers was found—interfere with onboard machinery and cause stalls or even spills, or simply make sailors and passengers very uncomfortable.
“In cruise vessels, all the auxiliary systems such as generators, air conditioning units, elevators, etc., can be attacked, which could lead to catastrophic experience for cruise guests,” warned Itai Sela, CEO of Israeli maritime cybersecurity firm Naval Dome, in an email to Fast Company.
Recent reports have indicated that many yachts are vulnerable, including some of the ultra-high-end superyachts favored by millionaires and billionaires. Last year, the Guardian reported a hacking demonstration at a superyacht industry conference, where security experts showed how easy it was to access private files through yachts’ Wi-Fi networks and even connect to onboard navigation systems. And just this month, a report from Kaspersky Lab indicated that vulnerabilities in yacht digital entertainment systems could be used to remotely breach the vessels, potentially even gaining access to more sensitive systems.
Like many types of systems that predate the modern internet, many ship systems weren’t designed for security the way they likely would be in 2018. In a blog post last year, Ken Munro, a partner at the U.K. security consultancy Pen Test Partners, pointed to internet-enabled shipboard satellite communication systems that openly shared information about their communication hardware, ship coordinates, and even the names of crew members.
Munro compared the situation to industrial control systems, the often-antiquated, specialized computers used in factories and power plants that have sometimes been migrated from isolated, limited-access networks to networks linked to the public internet. In the worst case, a clever phishing attack on one of those identified crew members could be enough to take control of the ship’s computers.
“You could influence or change the direction of travel on a ship—that’s quite scary, isn’t it?” he tells Fast Company. “Most of these systems do have manual overrides, but they’re quite difficult to use.”
But, experts say, bringing nautical systems up to modern security standards isn’t simple. Ship computers, in particular, can be difficult to keep up to date, since the satellite internet connections sailors rely on at sea usually aren’t speedy enough to download software patches, says Jensen.
“Because the satellite connections are extremely expensive, they’re online but with a very limited bandwidth,” he says. “If you want systems updated on a vessel, typically you have somebody physically go on the vessel with a DVD or CD-ROM or a USB key, and say, ‘Here you go.'”
If something goes wrong on a voyage, there’s always a temptation for sailors—used to quickly fixing equipment that breaks down at sea—to simply swap in a replacement part, like a cheap router, that might not be fully secure, Jensen says. In one case, reported last summer by the BBC, malware spread from computer to computer within a ship via an infected USB stick, until it reached the ship’s navigation system and forced a delayed departure. But if a ship inadvertently sets sail with malware on board, the problem can be harder to fix than in an office, says Jamie Jones, head of services at maritime communication company GTMaritime, which has offices in the U.K. and Singapore. And if a delayed cargo ship at sea is working with tech support, that gets costly quickly.
“It’s not great that that happens [on land], but your IT guy can come along and help fix your PC and get you back up and running again,” he says.
Naturally, maritime companies are looking for ways to stop hackers and malware before they can gain a foothold. GTMaritime announced a deal in February with Redwood City, California, anti-malware provider Lastline to add its security tools to GTMailPlus, its specialized email service for the maritime industry. Naval Dome offers a device that connects to shipboard networks to spot anomalous behavior and block cyberattacks. And the U.S. Coast Guard is in the process of developing guidelines for addressing cybersecurity risks at facilities like ports. Under the guidelines, facilities would be required to evaluate their digital risks as part of security assessments required under the post-Sept. 11 Maritime Transportation Security Act.
The overall goal across the sector: making hacking just another manageable hazard of modern seafaring.
“We manage risk—we’re risk experts, if you will,” says Lieutenant Commander Josie Long, from the Coast Guard’s Office of Port and Facility Compliance. “So cyber is just another facet of that.”