Old ships using outdated computer systems have contributed to cyber defences in shipping being years behind other industries despite the rising threat, according to a leading researcher.
The comparative ease with which hackers can extort money or disrupt global supply chains makes shipping an attractive target for both criminal and state-backed groups, said Stephen McCombie, a professor of maritime IT security at NHL Stenden University of Applied Science in the Netherlands.
His department has compiled a database of cyber attacks against shipping, going back to 2001, which highlights the threat, with a notable surge since last year of ransomware attacks that lock computer systems unless payment is made.
It has charted more than 160 incidents, including Russia spoofing the location of Nato ships visiting Ukraine in the Black Sea in 2021.
The Russian attack made it appear that British and Dutch warships were near the coast of Russian-occupied Crimea entering Russia’s main naval base, but the locations were false and the ships were elsewhere.
McCombie’s department has also created a phantom ship system designed to lure hackers to assess the scale and nature of the threat.
The online-only ship — known as a honeynet and created for the sole purpose of being compromised — has attracted millions of hits with the most determined hackers penetrating the entire system, McCombie said.
But in contrast to the advanced techniques being used by hackers, the maritime industry is way behind the times, he said.
“If you compare them to banks or insurance companies, they’re probably 10 years behind and the attackers are doing the same stuff against all the targets,” McCombie told TradeWinds.
He said new bridge systems were being delivered using old versions of Microsoft operating systems, because of cost implications, which are more vulnerable to attack.
Outdated systems
“Maritime technology just hasn’t caught up with what’s happening elsewhere.
“So they’re still delivering systems on outdated operating software, which just wouldn’t be allowed in other industries. It’s outrageous.”
The Russian invasion of Ukraine and attacks on shipping in the Red Sea have raised geopolitical tensions and led state-backed hackers to target trade flows.
Cyber attacks on the maritime sector charted by NHL Stenden, gleaned from public sources, suggest that Russia-based actors carry out the most, followed by China, North Korea, Iran and the US.
The total number trebled to more than 60 in 2023, compared with the previous year, but is likely to be much higher with cases not publicly reported.
McCombie said he has obtained evidence of messages between Russian hackers discussing ship tracking information of a US cargo ship moving weaponry intended for Ukraine.
The potential to disrupt international trade is huge within the increasingly connected shipping industry, where shore-based technology suppliers can be linked to hundreds of ships.
In 2019, researchers from Cambridge University identified a hypothetical cyber attack against 15 ports in the Asia-Pacific region that jumped from ships to ports, which could lead to an eventual bill of $110bn, with the vast majority not covered by insurance.
One of the biggest cyber attacks to affect the industry saw AP Moller-Maersk suffer losses of $300m in 2017 after hackers stopped it from processing shipping orders.
The attack was blamed on the NotPetya strain of malware attributed to Russian military hackers targeting Ukrainian institutions. Maersk was affected through a single computer in its Odesa office, according to technology site Wired.
A study, which has not been publicly released by researchers at the University of Plymouth’s Cyber-Ship lab, showed how a cyber attack could block New York Harbour, McCombie said.
Last year, a study by classification society DNV suggested that more than three-quarters of maritime professionals believe a strategic waterway or major port will be shut down within two years because of a cyber attack.
“The problem about cyber attacks is the ability for them to reach a scale that you don’t see in physical attacks,” he said. “If you can hit one ship, you can hit 1,000.”
