Digital Piracy Returns to Sea: Protecting Autonomous Ships from Online Attacks
In June 2017, the shipping giant Maersk was hit with a major cyber attack. Malicious software locked files on employee computers, completely halting Maersk’s port operations. Even with a supposedly quick response from Maersk, the attack shut down 76 port terminals and ended up costing the company $300 million.
Commercial shipping has made major strides in recent decades toward digitalization. Supply-chain concerns, green technology, and costs across the industry have led to a new push for automation. This promises greater efficiency, but it also creates a massive new target for cyber attacks. Where the internet once borrowed the term “piracy” from the maritime domain, we are rapidly reaching the point where it will be possibly to digitally hijack a container ship on the high seas.
To address this risk, the International Maritime Organization should issue specific guidance and standards for securing large autonomous networks, including listing uniquely vulnerable systems. Many have questioned the enforcement capabilities of the International Maritime Organization. But its guidance works, both in building consensus and in driving specific changes within the global shipping industry. Working with port authorities, shipping companies, and national governments will require major adaptations to the existing cyber security space. The threat environment will continue to evolve. The shipping industry should adapt to new cyber security challenges to stay afloat.
Existing Vulnerabilities
Commercial ships are already equipped with many systems that can be exploited by cyber attacks. Traditionally, system vulnerabilities are broken up into those that effect information technology and operational technology. Information systems deal with data and business information, whereas operational systems deal with a vessel’s onboard hardware and software. The Maersk attack was identified primarily as an information system attack, affecting ships only through business side delays and changes. When traversing maritime spaces, ship operations rely on limited business data and information systems. Thus, the primary concern with onboard cyber security surrounds operational systems. However, as interconnectivity becomes increasingly common and necessary, this distinction is quickly becoming outdated.
With billions of dollars’ worth of goods crossing the ocean every day, a close watch on what occurs on each ship and the proceedings of crews is a necessary part of the industry. All large commercial ships contain vital operational systems including global positioning systems, which track the position of each ship, automatic identification systems, which communicate with ports for ship identification purposes, and electronic chart display and information systems, which provide advanced navigation. Combined with a handful of other navigation and communication systems (including dynamic vessel positioning, NAVigational TEleX, and radar), these electronic networked systems constitute the conventional operational cyber attack surface area.
The most effective attack vector on traditionally networked ships is physical onboard intrusion. Intrusions onto ships and advanced at-sea piracy remain threats to physically based systems. Even docking at port can precede physical intrusion, as onboard systems can be infected with the injection of malicious software through careless use of USB-based storage devices. If chart display systems are tampered with, ships can be pushed off course, resulting in major delays at best and deliberate ship collisions at worst. Penetration testing of major chart manufacturer systems revealed multiple vulnerabilities that can be exploited relatively easily.
In addition to physical intrusion on individual ships, relevant operational subsystems are networked to each other with internationally standardized protocols, namely National Marine Electronics Association (NMEA) communication standards. The standardization of shipborne control networks under unified protocols means that an individual or group that can access one ship can likely already access an untold number of ships. The current industry standard, NMEA 0183, controls a variety of subsystems, including propulsion, steering, and global positioning systems. The shift from physical cable communication and intraship remote networking creates significant vulnerabilities. NMEA 0183 can be easily accessed through a variety of means, including physical computer-based attacks and, more recently, remote attacks. Remote network intrusion or phishing attacks can occur on modern vessels, but operational systems are traditionally best accessed through physical intrusion. This is why current cyber security guidance “starts with the crew.” These guidance principles are still upheld, but increasing connectivity has started to make them less relevant.
Risks of Autonomous Shipping
In recent years, new developments in autonomous ships have emphasized cost savings and logistical efficiency. First, autonomous ships offer major financial benefits, as crews account for 30 percent of current maritime shipping costs. Second, human error accounts for up to 96 percent of maritime accidents. This, coupled with improvements in energy efficiency and environmental concerns, makes autonomous ships an inevitable development in shipping. The International Maritime Organization has defined the development path of maritime autonomous surface ships in four degrees: automated processes, remote-controlled ships with onboard crews, remote-controlled ships with no onboard crews, and fully autonomous ships. The United Nations has already called for updated legal frameworks and rulemaking to accommodate the development of new ships and systems. But despite international attention and massive potential benefits, a future of fully autonomous ships creates even more security threats.
While the International Maritime Organization has been at the forefront of developments in autonomous ships and has been important in standardizing and guiding autonomous ships, it has lagged in understanding the cyber security risks. The future of autonomous shipping relies on interconnected networks, not only within ships, but also between ship and port. The development of remote-controlled systems means operational systems will be connected to information systems. This means the International Maritime Organization will have their work cut out for them, as regulation and guidance enforcement will be in the hands of port regulators and port authorities. Cyber security is already a large component of port security, but direct access to shipping operational systems will inevitably increase risk.
On the boats themselves, human-in-the-loop systems necessitate that a remote pilot have access not only to ship propulsion systems but also to external data collection and analysis systems. As an interim to full autonomy, semi-autonomous control with or without onboard crews revolves around the increased digitization and networking of almost all shipborne systems. More specifically, semi-autonomous ships rely not just on decision-making processing centers, but also on a robust sensor package that integrates information and operational systems. This includes voyage information, real-time navigation information, and object detection. The integration between situational awareness tools, voyage logistics systems, and ship propulsion systems has been traditionally provided by human pilots and onboard crew. Without a human pilot, however, these previously disconnected systems are routed through a decision-making processing unit, marrying information and operational. Integrating multiple systems through a central processing center increases the area in which an attack can occur. This highlights the importance of break once, break everywhere resistance.
Automation will significantly increase remote hijacking risk. International organizations will have to be aware of the massive amounts of information coming in and out from each ship and the risks associated with different port authorities and different boats. With crewless ships, the development of systems to ensure the safety of cargo and shipping assets will be paramount for effective maritime security. Furthermore, special care should be taken for different ships. The amount of information shared between larger ships with more complex systems will likely be greater than between smaller ships with fewer systems.
Connections between ship and control center are increasingly provided by the Long Range communication technique. Within the Long Range umbrella, Long Range Wide Area Network protocol has become the strongest candidate for novel ship networking. The Long Range Wide Area Network is a unique tool that allows for remote command and control, allowing for a center to track and evaluate ship movements from thousands of miles away with real-time connectivity. Additionally, the navigational challenges that rougher waters, like the Arctic, present are ones that Long Range Wide Area Network communication protocol is uniquely equipped to tackle.
Unfortunately, Long Range Wide Area Network communication is vulnerable to hijacking. Internet device communication through the network can be intercepted, decrypted, and spoofed. These methods are already known to attackers, giving malicious actors access to ship systems anywhere in the world. Moreover, internet devices are designed to augment and enhance existing systems. NMEA 0183 is currently being phased out for the more modern NMEA 2000 protocol. NMEA 2000-compatible and internet-enabled devices are increasingly common. However, NMEA 2000 appears no more secure than other existing ship communication protocols and exhibits the same issues as NMEA 0183. This means that not only can remote hijacking of communication packages occur but, in many cases, attackers also will be able to access operational systems like propulsion, steering, and ballasting. In the event that a ship is hijacked with no physical crew onboard, remote systems patching is the only possible way to deter or resolve potential cyber attacks.
Another emerging technology that could potentially replace Long Range techniques is SpaceX’s Starlink system. Columbia Shipmanagement has begun to try out Starlink systems on vessels already, testing robust connections between information and operational systems through the internet. Because of the novelty of Starlink, cyber attack development is at a much earlier stage than it is with Long Range communication. However, Starlink has its own vulnerabilities. Satellite networks mean that global access would be theoretically possible given the right attack vector. With relatively simple and cheap off-the-shelf devices, researchers have already accessed Starlink-enabled devices, which in a maritime context could give attackers access to ship systems.
Impacts of Autonomous Cyber Security Risk
Systems that are interconnected will need to be protected differently than conventionally separated and relatively isolated systems. The capacity to defend the shipping industry from cyber threats no longer revolves around the crew alone, but also involves international standards, central planning, network vendors, and network administrators.
Current attack vectors on self-driving cars are a glimpse of possible effects on autonomous ships. The most visible threat is direct hijacking of ship propulsion and steering through access to operational systems. These threats are most apparent in second- and third-degree autonomous ships, where propulsion systems can be controlled remotely. Hijackers taking control of a ship and causing a major shipping delay through deliberate collisions or simply throwing ships off course would cost stakeholders billions of dollars. The blocking of Suez Canal traffic in 2021 cost $9.6 billion per day. A capable actor with malicious intent could feasibly do significantly more damage to even more trafficked areas like the English Channel. On ships with active crews, hijacking could lead to not only billions of dollars in financial loss, but loss of life as well.
Increasing the degree of autonomy on shipping shifts the threat environment. With fourth-degree autonomous ship routes, direct remote control of propulsion subsystems becomes more difficult. However, studies indicate that the more vulnerable subsystems in autonomous ships will be in their navigation systems. Intercepting and tampering with global positioning system communication or chart systems would not only give attackers access to up-to-date and specific information on ship whereabouts (increasing potential physical security risks) but would also give attackers the ability to replace input navigation data. Relative isolation between navigational systems and propulsion is impossible for fully autonomous systems. With fully autonomous ships relying on navigation data to move, faulty inputs or blocked data could lead to collisions or altered courses, resulting in the same hefty financial losses as direct hijacking.
New Guidance for New Threats
Increased cyber security vulnerabilities via autonomous ships are not an unknown development. Security frameworks are actively being developed by independent researchers, and many different actors are trying to do their part. To their credit, the International Association for Classification Societies, the Digital Container Shipping Association, and the International Chamber of Shipping have published their own studies and guidelines for autonomous cyber security. As recently as 2022, NATO published its own study on cyber security, including explicit analyses of information and operational systems, although it did not establish guidelines for autonomous ship development.
However, a major gap in guidance exists coming from the International Maritime Organization. As an organization under the United Nations, this body has a crucial responsibility to fulfill. The International Maritime Organization does publish cyber security guidance, giving a broad overview of potential issues in shipping. The most recent version of the organization’s guidance contains two references to automation, both in the introduction. Updated International Maritime Organization standards between 2021 and 2022 do not include updated guidance for the automated shipping environment despite accelerating developments in autonomous ships occurring each year.
Staying ahead of the curve requires that the International Maritime Organization predict and adapt quicker than it historically has. The International Maritime Organization’s 107th Maritime Safety Committee session convened in June 2023 and promised to discuss, among other things, issuing new cyber security risk guidelines for autonomous ships. New guidance has not been published yet, nor has the existing the information/operational distinction been reconsidered. Instead, the Maritime Safety Committee cyber risk management guidance doubles down on it. To combat cyber vulnerabilities, the International Maritime Organization should break away from the notion that information and operational will remain separate and mutually exclusive.
Understanding the convergence of information and operational technology will allow individual shipping companies and the industry writ large to better harden themselves against cyber attack. International Maritime Organization cyber guidance remains a series of recommendations. However, they can draw attention to the need for network encryption and the isolation of operation-critical instruments, thereby pushing the industry to improve its practices. The best case scenario would be for the International Maritime Organization Legal Committee to establish legal guidance with binding effects. At the very least, International Maritime Organization guidance can encourage more frequent risk assessment and emphasize the risks specifically associated with autonomous ships. If its cyber security guidance does not reflect an expansion in cyber attack vectors, the future of security in autonomous shipping is in dire straits.
Alex Li is a masters of international affairs student at the School of Global Policy and Strategy at the University of California, San Diego. His work and research have focused on conflict and national security, particularly the intersection between industrial economies and war.
Image: U.S. Navy photo by Chief Mass Communication Specialist Roland Franklin