Can’t Sail Away from Cyber Attacks: ‘Sea-Hacking’ from Land

Dr. Michael Thomas and Dr. Chris Demchak

Source: HackTheSea video screen capture. A simulation of physical systems under cyber-attack representing the operational technology of a marine vessel.

The warnings had been issued for years. The techniques were simple enough — penetrate the platform through the onboard navigation system, then move laterally across the onboard networks to gain control of key systems such as steering and the throttle. The hackers did exactly this, surprisingly with no foreknowledge of the specific systems they were to attack. They were in and through the navigation interface in a remarkably short time and had control of both the steering systems and the throttle in quick succession. From this effort came a coveted “Black Badge” from the Maritime Hacking village of the annual cyber security conference DefCon, held in August 2021 in Las Vegas.

The conference’s Hack the Sea Village “SeaTF” hacking challenge allowed teams of three to five individuals to gain hands-on experience hacking real maritime hardware in a controlled environment using Fathom5’s “Grace” maritime cyber security testbed. The simulated maritime bridge setup is meant to be an accurate facsimile of equipment typically in use onboard ocean-going vessels, allowing hacking teams to attack the afloat environment. Using realistic components and protocols, hackers were able to penetrate different maritime subsystems including navigation, firefighting, and steering systems. While this year’s challenge required hackers to tap into propulsion, steering, and navigation systems through a wired connection to their laptops, next year the hope is to provide a wireless environment.

Importantly, the 2021 competition once more demonstrated that hacking skills from land-based systems and environments are easily transposable to a maritime environment. The winning team had experience neither in the simulated environment nor in maritime hacking in general. A skilled hacking team typically takes at most 14 hours to penetrate the system safeguards and remotely take control of both steering and throttle controls. While the simulation used at DefCon did require “plugging into” the equipment, remote-access hacking is possible, as demonstrated in February 2017, when hackers took control of a German-owned container vessel traveling from Cyprus to Djibouti. The hackers compromised both steering and maneuver controls. It was only when an information technology team came aboard to remediate that the ship’s crew regained control of the steering. Segregation of a ship’s internet protocol and serial networks can prevent this.

Maritime Chokepoints Make Attractive Targets

The vast bulk of the world’s critical economic and military traffic passes through a handful of narrow strategic waterways known as “maritime chokepoints.” While these waterways have always been prey to pirates, weather, and maritime accidents, these perils are now joined by maritime cyber attacks — whether conducted for ransom, malicious disruption, piracy, or as part of larger geopolitical conflicts. When a commercial vessel or warship is strategically delayed via sea-hacking, critical shipments are delayed by days or weeks. The massive size of modern container ships such as the Ever Given makes hacking their steering systems or forward speed a means of weaponizing the vessel. It is worth a bad actor’s effort to experiment with grounding a major new container ship remotely from land-based cells.

The Suez Canal could be one of the more lucrative cyber disruption targets due to the amount and expected speed of traffic flow through its two-lane and one-lane sections. Some 30 percent of the world’s shipping container volume, carrying 12 percent of global trade, passes through the canal. Ships, including the very largest container vessels, can cut an average of 12 days off a three-week trip from India to Italy by transiting the canal. The 205-meter-wide canal is known to be challenging even at modest speeds for ships the size of the Ever Given. Its 120-mile-long narrow transit offers the opportunity for cyber-induced disruption, particularly if one wanted to stall oil and gas deliveries to the Mediterranean and Europe. If the canal is blocked, companies must take the alternative route — around the Cape of Good Hope, adding 10 to 12 days of transit time, fuel costs, and security costs. Comparatively, according to a 2006 RAND study, the closing of the Malacca Strait would increase transit time by only an additional three days.

With the grounding of the enormous container ship — the Ever Given — on March 23, 2021, the world was reintroduced to the issue of “maritime chokepoints.” The giant ship blocked the Suez Canal for six days. The Ever Given was not a cyber target this time, but its grounding demonstrated the potential impact on global trade when a ship blocks a chokepoint. For example, the BBC reported that fears that the blockage would tie up shipments of crude oil resulted in crude prices rising by 4 percent on international markets. The Ever Given was launched in 2018 and is one of the largest ships in the world. It was built and is owned by a Japanese firm, leased and operated by a Taiwanese company, and sailing under a Panamanian flag. Similar-sized ships carry an increasing percentage of global trade, and the relatively recent 2015 addition of a second channel to the Suez Canal was undertaken in part to accommodate them.

The canal is wide enough to accommodate such large vessels, but physical clearance on either side of both channels is currently still limited. Mistakes in speed or in understanding wind effects on huge vessels can (and did in this case) come from human error. But they can also be stimulated by difficult-to-detect cyber intrusions into the navigation and steering systems of these ships, especially in newer vessels. The internet protocol networks used for steering and navigation are often not segregated effectively for cyber security. They are connected to the serial bus networks that make up the supervisory control and data acquisition systems critical to ship operations. The blockage caused by the grounding of the Ever Given demonstrates to cyber-competent terrorists or adversaries the potential for disruption if they are able to manipulate or disrupt transit mechanisms from the ships themselves, their containers’ content, and pilotage management systems. Even basic electricity supplies for locks such as those in the Panama Canal offer disruption options to a world of bad actors who have already demonstrated a willingness to attack critical infrastructure.

The 900-kilometer-long Malacca Strait carries 40 percent of the world’s maritime trade, including a quarter of the globe’s seaborne oil supplies and 80 percent of the Middle East’s oil and gas supplies to China. Traffic congestion is its major challenge, particularly where the strait narrows to just 2.7 kilometers wide near Singapore. In addition to posing a lucrative target, these chokepoints also afford the opportunity, both from shore and through remote means, for potential bad actors to track particular ships, owners’ fleets, crew, content, origin, destination nationalities, or missions in order to select targets.

These risks are aggravated as ships and systems rely increasingly on automation. Fully autonomous ships are a stated goal of the industry and the U.S. Navy. Such systems should include proper cyber security.

Ships and Cyber Security Still Strangers

In 2018, security researchers at Pen Test Partners found vulnerabilities in electronic chart display and information systems commonly used on cargo and container ships. These chart systems are often linked to GPS-guided autopilots, which when exploited give hackers the ability to access the operational technology of the ship: if networks are not segregated, hackers can remotely manipulate the ship’s steering, ballast pumps, and navigation. On many ships the electronic charting system is slaved directly to the autopilot, so the ship automatically follows the charted course. Hackers can redirect the ship’s course by planting false information messages via satellite communications in order to mislead navigational decisions. Many satellite communications terminals on ships are reachable from the public internet with default credentials and can be hacked remotely. Numerous other paths can also prove useful vectors in the cyber attack of a vessel. For example, the 2018 research also showed that the electronic charting systems on some ships were still running relic operating systems with many known major vulnerabilities, such as Windows NT, often because these are expensive to upgrade. Even when malicious control is discovered, as the cliché goes, it can be very difficult to regain control in a timely manner.

What a hacker sees. Original image adapted from Pen Test Partners for this essay.

Commercial ship networks tend to have flat, unsegmented architectures built without firewalls or other cyber security measures. Once inside such a network, it is not difficult to move across the systems of the entire ship. Internal systems often retain manufacturer default passwords, not just on firewalls but also on the critical programmable logic controllers running shipboard systems, as well as on satellite communication equipment.

Researchers presenting in computer-security forums have identified other vulnerabilities, such as using the ship’s satellite terminal as a point of penetration. The terminal exposes the system to attackers who replace its poorly secured firmware, or simply revert it to an even less secure previous version, and then alter the applications running the terminal. Other research has reached similar results and raised similar concerns. Access in — whether through the electronic charting system, the satellite communications terminal, or any other outward-facing communications — means the ability to control critical ship systems covertly and use the massive bulk for any reason the attacker desires.

At the outset, some experts suggested that the Ever Given grounding was a cyber incident. When the voyage data recorder was examined, this speculation was shown to be wrong in this case. However, as long-time cyber control systems expert Joe Weiss noted, the potential for cyber disruption still exists. Despite the ship’s relative youth, the latest marine electronics likely installed for control and navigation do not resolve the vulnerabilities discussed earlier. The recent DefCon exercise is not a one-off example of success in simulated sea-hacking. Concurrent with the actual grounding of the Ever Given, a team of doctoral students competed in a NavalX “Hack the Machine” exercise — using the same “Grace” maritime system as DefCon — in order to determine if “hackers” could successfully attack maritime systems remotely through a cloud network. The team succeeded, “hacking and crashing the [fictional ship’s] cyber security monitoring system.”

These oversights are major safety and security issues currently left unaddressed. One reason is a gap in crew skills and the costs of maintaining cyber secure systems while underway. Leaving poor default administrative passwords on essential systems means that attackers can take control of those systems.

Shipping as a Cyber Campaign Weapon

Attackers will not ignore the opportunities presented by poor maritime cyber security. A cyber campaign can provide a good enough return on investment in either economic or political benefits to make it attractive, and possibly even lucrative. American adversaries such as China, Russia, and Iran learn from these exploits and integrate them into larger cyber-enabled campaigns. Russia, for example, spoofed ships’ GPS at least 7,910 times between 2016 and 2019, affecting about 1,300 commercial ships. In 2017, North Korean navigation jamming was said to be behind the forced return of hundreds of South Korean fishing vessels, and its cyber attacks led to the devastating NotPetya attacks that crippled the large Maersk shipping line the same year. In July 2021, Sky News reported the acquisition of documents said to originate from an Iranian offensive cyber unit called Shahid Kaveh, which is part of the Islamic Revolutionary Guard Corps cyber command. They present research on how to sink a cargo ship using cyber techniques and include details on the satellite communications systems used in the global shipping industry.

Classified files apparently leaked from a cyber unit of the Iranian government show that Iran is looking to improve its offensive cyber capabilities, including for targeting industrial control systems (ICS). One document focuses on sinking a container ship using cyber means.

The routine hacking of ships from space is coming. Currently the Global Navigation Satellite System constellation includes the American-run GPS, the Russian GLONASS, the European Union’s GALILEO, Japan’s QZSS, China’s BeiDou, and the Indian system known as NAVIC. Each nation’s ships tend to use their own national system. No nation’s commercial ships are as secure as necessary today, and they lag in securing the shipboard systems in the near and medium term. There is some talk of using older but functional radio wave technology as a more secure alternative to satellite-based systems, but the discussions are only just beginning. It is questionable how rapidly or widely alternatives such as eLORAN will spread. It will take investment and a sense of urgency on cyber security from major shipbuilding firms and shipping lines to accomplish this. As one researcher states, “[Electronic charting] systems pretty much never have anti-virus.” The anti-virus industry that protects land-based personal computers in the United States and Europe started over 30 years ago, but a multitude of huge ships launched during that time with complex computer architectures contain only basic cyber protection.
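The GPS spoofing and false-message risks discussed above come down to whether the bridge can tell a genuine satellite fix from an implausible one. As an added example (not from this essay, nor code from any system it names), the Python below applies two independent defender-side checks to a stream of GNSS fixes: the speed over ground a new fix implies against the hull’s maximum, and the fix’s distance from the position the ship’s own log and gyro predict by dead reckoning. The track, hull speed, course and tolerances are all constructed values.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KN_TO_MS = 0.514444  # knots to metres per second

@dataclass(frozen=True)
class Fix:
    t: float    # seconds since an arbitrary epoch
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def implied_speed_kn(a: Fix, b: Fix) -> float:
    """Speed over ground that the receiver's fixes imply between a and b."""
    return haversine_m(a, b) / (b.t - a.t) / KN_TO_MS

def dead_reckon(origin: Fix, course_deg: float, speed_kn: float, t: float) -> Fix:
    """Position predicted at time t from the ship's log and gyro (small-displacement approximation)."""
    d = speed_kn * KN_TO_MS * (t - origin.t)
    c = math.radians(course_deg)
    dlat = math.degrees(d * math.cos(c) / EARTH_RADIUS_M)
    dlon = math.degrees(d * math.sin(c) / (EARTH_RADIUS_M * math.cos(math.radians(origin.lat))))
    return Fix(t, origin.lat + dlat, origin.lon + dlon)

def flag_suspect_fixes(fixes, course_deg, speed_kn, max_speed_kn, dr_tolerance_m=500.0):
    """Indices of fixes failing either check against the last trusted fix.
    Rejected fixes never become the reference, so one spoofed point does not
    also condemn the genuine fix that follows it."""
    suspect, trusted = [], fixes[0]
    for i, fix in enumerate(fixes[1:], start=1):
        too_fast = implied_speed_kn(trusted, fix) > 1.5 * max_speed_kn  # 50% margin over hull maximum
        dr_gap = haversine_m(dead_reckon(trusted, course_deg, speed_kn, fix.t), fix)
        if too_fast or dr_gap > dr_tolerance_m:
            suspect.append(i)
        else:
            trusted = fix
    return suspect

# Constructed track (not recorded data): a 12 kn ship steaming due east at 30 N, one fix
# per minute. The third fix is displaced about 5.5 km north, as a spoofed feed might report.
SAMPLE_FIXES = [
    Fix(0, 30.0000, 32.50000),
    Fix(60, 30.0000, 32.50384),
    Fix(120, 30.0500, 32.50770),  # displaced fix
    Fix(180, 30.0000, 32.51152),
]
```

Calling `flag_suspect_fixes(SAMPLE_FIXES, course_deg=90, speed_kn=12, max_speed_kn=25)` returns `[2]`: the displaced fix fails both checks, while the genuine fix after it is accepted because it is measured against the last trusted position rather than the spoofed one.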

U.S. and allied warships — as well as most of the world’s exporting economies — plan on free transit through the Suez Canal and other chokepoints. Iranian intelligence services have collected the maps, means, and incentive to use maritime cyber weaknesses for Iranian campaigns. In the mid-1990s, Osama bin Laden’s al-Qaeda group experimented with a variety of attempted attacks using public transit, notably in Paris. Six years later al-Qaeda used commercial airliners against the Twin Towers in New York City on Sept. 11. The maritime cyber environment is abysmally insecure. The technical means to exploit these ships are well distributed across land-based hackers with no prior maritime systems experience. It doesn’t take much to mess with a passing ship. The opportunities are well known, from the chokepoints to the ships’ dependence on external networks, clouds, and satellite navigation communications. The motivation is as varied as the adversary, ranging from the ransomware criminal, to the “just because they can” opportunist, to the state adversary and its proxies.

The gauntlet is on the deck for the westernized democracies to pick up or ignore. Positive discussions of increasing national support for U.S. shipping — dangerously dependent on Chinese or other foreign shippers — don’t address the lagging cyber security and global disruption potential from hacking huge container ships. 90 percent of the world’s trade travels by sea and 40 million U.S. jobs depend on trade. In classic military strategic thought, the triad of means, opportunity, and motivation lacks only the final “when.”

National security strategic actions should include a dramatic change in commercial shipping’s incentives that ensures — not merely indemnifies — cyber defense of the vessels. The threat to maritime traffic can’t be ignored. The threat is real, bigger than merely assuring ports and hulls for the U.S. Navy. Serious national security responses should include both a carrot and a stick. We suggest requiring proof of cyber security for container and other commercial ships that enter U.S. waters, and vastly increased federal financial support for cyber security for the ports, shipping, and shipbuilders that serve the needs of the U.S. maritime industry.

In effect, the U.S. maritime industry should extend the 2020 National Maritime Cybersecurity Plan and the proposed bills in the current negotiations behind the SHIPYARD Act beyond ports alone to include container ships as an urgent first step. New policies need to require proof of and enable funding for cyber security upgrades in all container ships delivering cargo to U.S. ports. This is a strategic and national response that ought to be in concert with and cooperatively implemented with the other established seafaring nations. United with democratic allies, the U.S. government can strongly influence what is considered normal but is grossly inadequate in the construction, operations, and insurance of the worldwide maritime fleet. The United States and its allies are major stakeholders in the global maritime socio-technical-economic system. It is the same system that America’s major adversary, China, intends to dominate with ships, ports, export volumes, political and personal coercion, military saber-rattling, and technological command. Cyber vulnerabilities feed their lead in all these areas throughout the globe. Either the United States directly addresses the problem with commercial and government stakeholders, or it will spend much more in blood and treasure when adversaries attack at the time and place of their choosing. As the DefCon exercise demonstrated, even hacker curiosity could make a ship into a weapon.

Lt. Col. (ret.) Michael L. Thomas, Ph.D., is currently assigned to Maxwell Air Force Base as a professor of cyberwarfare studies at the U.S. Air Force Cyber College. He is a graduate of both the Air Command and Staff College and the Air War College.

Chris C. Demchak, Ph.D., is Grace Hopper Chair of Cyber Security and Senior Cyber Scholar, Cyber Innovation Policy Institute, U.S. Naval War College. Her manuscripts in progress are “Cyber Westphalia: States, Great Systems Conflict, and Collective Resilience” and “Cyber Commands: Organizing for Cybered Great Systems Conflict.”

Opinions, conclusions, and recommendations expressed or implied within are solely those of the authors and do not represent the views of the Air University, the U.S. Air Force, the U.S. Navy, the Department of Defense, or any other U.S. government agency.
