The warnings had been issued for years. The techniques were simple enough — penetrate the platform through the onboard navigation system and then move laterally across the onboard networks to gain control of key systems such as steering and the throttle. The hackers did exactly this — surprisingly, without any foreknowledge of the specific systems they were to hack before beginning the penetration. They were in and through the navigation interface in a remarkably short time and had control of both the steering systems and the throttle in quick succession. From this effort came a coveted “Black Badge” from the Maritime Hacking village of the annual cyber security conference DefCon, held in August 2021 in Las Vegas.
The conference’s Hack the Sea Village “SeaTF” hacking challenge allowed teams of 3–5 individuals to gain hands-on experience hacking real maritime hardware in a controlled environment using Fathom5’s “Grace” maritime cyber security testbed. The simulated maritime bridge setup is meant to be an accurate facsimile of equipment typically in use onboard ocean-going vessels, allowing hacking teams to attack the afloat environment. Using realistic components and protocols, hackers were able to penetrate different maritime subsystems including navigation, firefighting, and steering systems. While this year’s challenge required hackers to tap into propulsion, steering, and navigation systems through a wired connection to their laptops, next year the hope is to provide a wireless environment.
Importantly, the 2021 competition once more demonstrated that hacking skills from land-based systems and environments are easily transposable to a maritime environment. The winning team had experience neither in the simulated environment nor in maritime hacking in general. A skilled hacking team typically takes at most 14 hours to penetrate the system safeguards and remotely take control of both steering and throttle controls. While the simulation used at DefCon did require “plugging into” the equipment, remote-access hacking is possible, as demonstrated in February 2017, when hackers took control of a German-owned container vessel traveling from Cyprus to Djibouti. The hackers compromised both steering and maneuver controls. It was only when an IT team came aboard to remediate that the ship’s crew regained control of the steering. Segregation of a ship’s internet protocol and serial networks can prevent this.
Maritime Chokepoints Make Attractive Targets
The vast bulk of the world’s critical economic and military traffic passes through a handful of narrow strategic waterways known as “maritime chokepoints.” While these waterways have always been prey to pirates, weather, and maritime accidents, these perils are now joined by maritime cyber attacks — whether conducted for ransom, malicious disruption, piracy, or as part of larger geopolitical conflicts. When a commercial vessel or warship is strategically delayed via sea-hacking, critical shipments are delayed by days or weeks. The massive size of modern container ships such as the Ever Given makes hacking their steering systems or forward speed a means of weaponizing the vessel. It is worth a bad actor’s effort to experiment with grounding a major new container ship remotely from land-based cells.
The Suez Canal could be one of the more lucrative cyber disruption targets due to the amount and expected speed of traffic flow through its two-lane and one-lane sections. Thirty percent of the world’s shipping container volume, carrying 12 percent of global trade, passes through the canal. Ships, including the very largest container vessels, can cut an average of 12 days off a three-week trip from India to Italy by transiting the canal. The 205-meter-wide canal is known to be challenging even at modest speeds for ships the size of the Ever Given. Its 120-mile-long narrow transit offers the opportunity for cyber-induced disruption, particularly if one wanted to stall oil and gas deliveries to the Mediterranean and Europe. If the canal is blocked, companies must take the alternative route around the Cape of Good Hope, adding 10–12 days of transit time, fuel costs, and security costs. Comparatively, according to a 2006 RAND study, the closing of the Malacca Strait would increase transit time by only an additional three days.
With the grounding of the enormous container ship — the Ever Given — on March 23, 2021, the world was reintroduced to the issue of “maritime chokepoints.” The giant ship blocked the Suez Canal for six days. The Ever Given was not a cyber target this time, but its grounding demonstrated the potential impact on global trade when a ship blocks a chokepoint. For example, the BBC reported that fears that the blockage would tie up shipments of crude oil resulted in crude prices rising by 4 percent on international markets. The Ever Given was launched in 2018 and is one of the largest ships in the world. It was built and is owned by a Japanese firm, is leased and operated by a Taiwanese company, and sails under a Panamanian flag. Similar-sized ships carry an increasing percentage of global trade, and the relatively recent 2015 addition of a second channel to the Suez Canal was undertaken in part to accommodate them.
The canal is wide enough to accommodate such large vessels but physical clearance on either side of both channels is currently still limited. Mistakes in speed or understanding of wind effects on huge vessels can (and did in this case) come from human error. But they can also be stimulated by difficult-to-detect cyber intrusions into the navigation and steering systems of these ships, especially in newer vessels. The internet protocol networks used for steering and navigation are often not segregated effectively for cyber security. They are connected to the serial bus networks that make up the Supervisory Control and Data Acquisition systems critical to ship operations. The blockage caused by the grounding of the Ever Given demonstrates to cyber-competent terrorists or adversaries the potential for disruption if they are able to manipulate or disrupt transit mechanisms from the ships themselves, their containers’ content, and pilotage management systems. Even basic electricity supplies for locks such as those in the Panama Canal offer disruption options to a world of bad actors who have already demonstrated a willingness to attack critical infrastructure.
The 900-kilometer-long Malacca Strait carries 40 percent of the world’s maritime trade, including a quarter of the globe’s seaborne oil supplies and 80 percent of the Middle East’s oil and gas supplies to China. Traffic congestion is its major challenge, particularly where the strait narrows to just 2.7 kilometers wide near Singapore. In addition to posing a lucrative target, these chokepoints also afford the opportunity, both from shore and through remote means, for potential bad actors to track…