Shipping’s choke points at risk from cyber attacks

Industry needs to be more aware of threats it faces and the potential consequences

3 April 2024 (Lloyd's List) - ONE of the initial conspiracy theories to emerge from the Dali (IMO: 9697428) casualty at the port of Baltimore was that the vessel was a victim of a cyber attack.


While the real cause of the loss of power and steering will only emerge following investigations by the National Transportation Safety Board and other responsible bodies, the truth may end up being more prosaic.


This does not mean, though, that this type of incident could not be caused by a cyber attack.


A simulation of an attack conducted by the University of Plymouth’s CyberSHIP laboratory describes a similar event carried out on a vessel entering the Kill van Kull channel leading into the port of New Jersey.


Using known attack vectors on proven vulnerabilities in ships’ navigation and control systems, the simulation shows the effect of a simple power surge and loss of steering control in a narrow channel.


Following an attack triggered by passing a GPS location, it takes less than two-and-a-half minutes before the containership has drifted out of channel into the bank and its stern has been propelled around to wedge against the opposite bank, blocking the channel.


When Ever Given (IMO: 9811000) ended up in a similar position in the Suez Canal in 2021, it took a week to clear the casualty and caused major disruptions to international trade. While the incident described in the simulation would be less critical, the effective closure of New Jersey’s terminals would have far more impact than what has happened in Baltimore, for example.


“We need to talk about whether this is really possible and how can traditional cyber threat intelligence that is focused on IT help in this type of scenario,” said Ismael Valenzuela, vice-president of threat research and intelligence at technology firm BlackBerry CyberSecurity.


“Before the disaster in Baltimore, this was not something that was really discussed a lot in the cyber security community. But we have seen scenarios that are similar to this one.”


Preventing this sort of attack from taking place was increasingly difficult and would require a level of cyber resilience that the industry has not yet accounted for, he said.


“Cyber resiliency is not just the ability to prevent bad things from happening; that is not possible,” Valenzuela said.


“You cannot defend all of your assets against all of the threats. You have to prioritise. The goal is to anticipate the threats that can cause an impact and defend against those. Defence here means to withstand and recover and to adapt. The attacks will happen, no matter what.”


And when considering what sort of attack to prioritise and protect from, it was not enough to think that because something has not happened before, it was not a risk.


“The closest we have come in the shipping sector is the NotPetya attack on Maersk from 2017,” said University of Plymouth lecturer Rory Hopcraft.


“It was not targeting maritime, but it showed the fragility of the system. Because of the interconnectivity, when one system gets hit it can spread quite rapidly.”


Key vulnerabilities in shipping came from the interconnectedness of a ship’s systems and from bad security practices among crew on board.


Hopcraft pointed out it can be five years between a vessel’s systems being designed and that vessel hitting the water, and then those systems can be in place for another 25 years.


“The systems are designed at day one, which means they can be five years out of date before they even hit the water,” he said. “With 25 years’ worth of life expectancy you have 30-year-old systems. That legacy problem is still going to be around for decades to come.”


Moreover, the minute a crew take over a ship, systems begin to change from their original design specification as updates are made and new devices added.


But technology was only one part of protecting ships from attack. Training was important to prevent vulnerabilities emerging in the first place, then to know how to respond when an attack took place.


“These are all skills that we need to learn,” he said. “If we are going into narrow waters with shallow draught we need to ensure we have someone manning the manual overrides. Reducing a response time by 30-40 seconds could make all the difference.”


Corey Ranslem, chief executive of security consultancy Dryad Global, warned that attacks were likely to become more targeted on shipping in the future.


“The maritime industry is probably 10-15 years behind the rest of the world when it comes to recognising the problem of cyber security, and that there is the potential for attacks,” he said.


In an increasingly fragmented world, vessel owners and managers needed to understand what was behind the threats.


“Cyber threat intelligence is about knowing the motivation and that often has a lot to do with geopolitics,” said Valenzuela.


“What is happening around the Red Sea is very particular to that region. What you see from a physical perspective in that area corresponds to what we see in the cyber world. It mirrors the threat landscape.”


The Red Sea, like the Suez Canal before it, showed the vulnerability of maritime choke points as high-risk areas for the sort of attacks that could have maximum impact.


“What we have seen from Baltimore, the Suez Canal and the Red Sea is that targeting single, communal choke points are the ones that will have the most impact,” Hopcraft said.

Source: Lloyd's List