Being at sea turns out to be risky

Genoa - Worldwide, 90% of freight is transported by sea, and ferries transport 2.1 billion passengers annually, plus another 24 million travel aboard cruise ships. While a confusing array of national and international regulations, focused mainly on safety and pollution (criteria easily translated into dollars-and-cents by the industry) regulate merchant shipping and port facilities, however, in terms of cyber security, the International Maritime Organization (the UN’s maritime safety agency) is still struggling to come up with a draft law, and for now makes do with a set of non-binding guidelines for the main international organizations in the sector.

A study by the University of Coventry highlights that 67% of Company Security Officers (CSOs) within shipping companies felt cyber security was not a serious threat to international shipping, and, furthermore, 89% of CSOs did not believe cyber security was their responsibility.

In Italy, just as elsewhere in the world - in March this year Homeland Security described US ports as “poorly equipped” against attacks by hackers - there is no global shield in place to protect computer network systems in port terminals, port stakeholders (agents, freight forwarders, hauliers, tugs, pilots, boatmen, stevedores), government agencies, safety authorities and shipowners: each protect themselves separately. “Until now,” says Philip Roche, a partner at London law firm Norton Rose Fulbright, “cyber-attacks have not been perceived by the maritime sector as something that presents a risk of physical harm,” as, for example, happens conversely with a ship that sinks or a crane that collapses. “Instead, as ships and terminals are increasingly computerized, there are increasing risks of something going wrong. The threats do not always come from hackers: shipboard systems are connected to one common network, and it would only take a shipping agent’s laptop containing some hidden malware to create problems.”

In addition, up to now, the few actual cyber-attacks at sea have not produced victims nor caused great economic losses to businesses, and overall they number less than ten: too few to create widespread awareness. The weak points of port terminals can be seen in the inset above. A ship has at least 15 on-board systems controlled by a computer.

Presently, as noted by Yohan Le Godinec of TECNITAS, who spoke at IUMI, the huge world congress of maritime insurers that was held in Genoa last month, a ship’s weakest point for cyber-attacks is the on-board GPS system; this controls radio trackers, digital maps and electronic compasses.

In 2013, a group of students from the University of Austin managed to tamper with the GPS of a yacht, the “White Rose of Drachs”, while off the coast of western Liguria: her sailors thought they were charting a straight course, while in fact they zigzagged for hours in open waters. The equipment to conduct a hack such as that costs less than $3,000.

Over a two-year period, between 2011 and 2013, a criminal organization targeted the locators of unloaded containers at Antwerp, managing to retrieve smuggled cocaine contained inside boxes, before the containers were handed over to the legitimate receiver.

Other weak points: the AIS (Marine Automatic Identification System), the technology that identifies in real time the position of all ships in the world, “can be used, basically, as a shopping list by pirates,” or by anyone who wants to attack a ship, emphasized Le Godinec.

He also described two instances of oil rigs tilting, one of a customs system failure (Australia, 2012) and two computer failures at the terminals for system updates, in Genoa and New York in 2013. It truly is a world without borders.