Can a Cyber Attack Control a Ship?

The digital age has introduced unprecedented conveniences, but it has also brought sophisticated challenges affecting every industry, including maritime operations. In this edition of Metis Insights, Dryad Global delves into the cyber threats facing the maritime sector —a critical lifeline of global trade.

Tomorrow’s Threats, Today.

Imagine a key vessel in the Red Sea falling prey to a cyber attack. No pirates or boarding parties—just pure digital infiltration. This scenario, detailed by experts like Dr. Rory Hopcraft from the University of Plymouth's CyberSHIP lab, Corey Ranslem, CEO of Dryad Global, and Ismael Valenzuela, VP of Threat Research & Intelligence at BlackBerry CyberSecurity, illustrates the growing threat to CSOs, vessel operators, and maritime industry professionals.

Key Topics

Understanding the Cyber Threat Landscape: Detailed discussions on the sophistication of cyber attacks targeting the maritime industry, including a case study of a potential cyber hijacking in New York City.

AI's Role in Cybersecurity: Discover how AI technologies like BlackBerry’s Cylance AI and Dryad Global’s CyberVoyager combat maritime cybercrime.

Proactive Threat Detection: Explore the power of AI in detecting and neutralizing threats before they wreak havoc.

Operational Efficiency: Learn how AI integration not only bolsters security but also streamlines maritime operations. Exclusive Insights: Benefit from expert knowledge and actionable advice.

Download your free Metis Insights now:

Expert Insight:

Dr. Rory Hopcraft and his team at the University of Plymouth's Cyber-SHIP Lab lead in maritime cybersecurity research, testing various ship networks to uncover vulnerabilities.

Corey Ranslem, CEO of Dryad Global Corey has over 30 years’ experience in the public and private sector working with ports, cargo lines, cruise lines and large yachts. A veteran of the U.S. Coast Guard and a recognized expert in U.S. Federal Court in maritime security.

Ismael Valenzuela, VP of Threat Research & Intelligence at BlackBerry. A leading cybersecurity expert with a strong technical background. Ismael has provided security consultancy, advice, and guidance to large government and private organizations, including major EU Institutions and US Government Agencies.

Dr. Rory Hopcraft and his team at the University of Plymouth's Cyber-SHIP Lab are at the forefront of maritime cybersecurity research. Their lab is equipped with a wide array of maritime devices, from superyachts to ultra-large container vessels. The team creates and tests various ship networks to uncover vulnerabilities in isolated systems and complex system integrations. 

In this video, Dr. Rory Hopcraft presents a dramatic and technically possible scenario developed a few years ago, based on identified vulnerabilities. The demonstration includes a real-time video combining 3D modeling and simulated footage with crew interactions. 

Watch now

Note: Tugs have been removed from the visuals to simplify the image. Scenarios are designed with input from master mariners and University of Plymouth experts to ensure operational accuracy. Some visuals have been simplified for clarity. 

The video depicts a large container vessel entering the Kill Van Kull channel on its way into New York. These vessels call semi-regularly, and with New York's plans for 2050 involving deeper dredging and raising bridges, their presence will likely increase. The channel is only about 250-300 meters wide at points. 

In the video, a skull and crossbones icon flashes, representing GPS coordinates. When the vessel hits these coordinates, an attack is triggered: the engines go full ahead, and the rudder turns hard over—actions not initiated by the crew. Indicators on the bridge show changes, and alarms may sound, alerting the crew to issues with the rudder. After a brief delay, the crew realizes something is wrong and attempts corrective measures, but commands from the bridge fail to reach the engine room, effectively locking them out. 

The vessel, now out of control, drifts off course and runs aground within two and a half minutes. The impact of this grounding is significant: a large container vessel stuck in the Kill Van Kull would block 90-95% of traffic into New York and New Jersey. 

This scenario could be caused by various factors, but here, the focus is on a cyber attack. The vessel’s systems, listening to numerous sensors and GPS, receive a legitimate-looking but malicious command, leading to the attack. In this instance, the crew received an email from onshore support about a chart update, downloaded from a malicious website. The malware embedded in this download triggered the attack when specific GPS coordinates were reached. 

The University of Plymouth team has tested various attack vectors in their Cyber-SHIP Lab, from phishing emails to engineers bringing onboard compromised devices. In all cases, they’ve found that getting malware onto a ship is disturbingly easy. Older systems tested often contain existing malware, ready to be exploited with minimal effort. 

The impact of such an attack is immense. For example, a vessel blocking the Kill Van Kull for even a short time would disrupt significant trade. A six-hour delay could mean $180 million in disrupted goods, escalating to $1.6 billion over two days. Extended delays could impact 1-1.5% of global trade value, demonstrating how a single, simple cyber attack can have global repercussions. 

Currently, we observe that attacks are more area-focused. For example, with GPS spoofing around the Black Sea, it's clear that specific regions are targeted rather than individual vessels. However, the opposite can also be true. Take the scenario we discussed about New York: the attack isn't necessarily aimed at a single vessel entering New York. Instead, if malware is deployed on 1,000 vessels, it doesn’t matter which one triggers it upon entering New York; the impact will be significant regardless. 

So, while attacks are generally focused on areas, there is also the potential for widespread impacts across multiple vessels. The real concern is targeting critical chokepoints, which can cause significant disruptions, as seen with incidents like the Baltimore port attack, the Suez Canal blockage, and the NotPetya cyberattack.

Global Shipping Chokepoints 

Consider the global repercussions that a cyber attack on major shipping chokepoints could have: 

• Location: Between the Persian Gulf and the Gulf of Oman. 

• Significance: One of the world's most crucial oil transit chokepoints. Around 20% of global petroleum (about 17 million barrels per day) passes through this narrow strait. 

• Location: Connecting the Mediterranean Sea to the Red Sea through Egypt. 

• Significance: A vital route for oil and LNG shipments from the Middle East to Europe and North America. Approximately 12% of global trade passes through the Suez Canal. 

• Location: Connecting the Atlantic and Pacific Oceans through Panama. 

• Significance: Essential for maritime trade between the East Coast of the Americas and Asia. Handles about 5% of the world's maritime trade. 

• Location: Between the Malay Peninsula and the Indonesian island of Sumatra. 

• Significance: A key transit route for oil and goods traveling between the Indian Ocean and the Pacific Ocean. About one-quarter of all oil transported by sea passes through the Strait of Malacca. 

• Location: Between Yemen on the Arabian Peninsula and Djibouti and Eritrea in the Horn of Africa. 

• Significance: Connects the Red Sea to the Gulf of Aden and the Arabian Sea. Crucial for oil and gas shipments from the Persian Gulf to Europe and North America via the Suez Canal. 

• Location: In Turkey, connecting the Black Sea with the Sea of Marmara and subsequently the Mediterranean Sea. 

• Significance: Vital for the transit of oil and gas from the Caspian Sea region to international markets. Significant for Russia and other Black Sea countries' exports. 

• Location: Connecting the Baltic Sea to the North Sea. 

• Significance: Essential for the shipping of Russian oil and natural gas to Europe and beyond. Critical for trade between Scandinavian countries and the rest of Europe. 

• Location: Southern tip of Africa. 

• Significance: An alternative route to the Suez Canal for ships traveling between Europe and Asia. Used during times of Suez Canal blockages or by vessels that are too large for the canal. 

• Location: Southern tip of South America, between mainland South America and Tierra del Fuego. 

• Significance: A navigable sea route in southern Chile for ships traveling between the Atlantic and Pacific Oceans. Less critical than the Panama Canal but still significant. 

Addressing Maritime Cyber Threats 

Expert Insight: Ismael Valenzuela, VP of Threat Research & Intelligence at BlackBerry 

Insert BlackBerry logo and image of Ismael Valenzuela here 

Historically, the cybersecurity community hasn't focused much on these types of maritime hazards. However, similar scenarios have emerged, highlighting the need to leverage threat intelligence in these situations. 

BlackBerry’s Threat Research and Intelligence Team is dedicated to fostering cyber resiliency. Cyber resiliency goes beyond merely preventing attacks—since it's unrealistic to expect we can prevent all bad events. Instead, BlackBerry focuses on prioritizing threats that can significantly impact an organization and building defenses to withstand, recover from, and adapt to these incidents. 

The goal is not to prevent all attacks but to ensure that operations can continue despite them. This concept is crucial for businesses, including those reliant on cybersecurity assets, such as cargo ships. These vessels, like many other infrastructures, are vulnerable to cyber threats through vectors like USB devices or emails. 

BlackBerry's Cylance, in partnership with Dryad Global, works tirelessly to protect these vectors. 

Scenarios like the one presented by Dr. Rory Hopcraft might seem improbable because these exact events haven't happened before. However, attackers are always focused on creating impactful disruptions, and BlackBerry has seen similar scenarios globally. 

We've seen power outages due to attacks on infrastructure, notably in Ukraine, and water plants being hacked, which underscores the critical nature of these assets. While maritime cyber attacks on cargo ships, yachts, or cruisers might not be common, they represent a growing area of concern. 

The NotPetya attack wasn't targeting maritime specifically, but it demonstrated the fragility of interconnected systems. When one system gets hit, it can potentially spread rapidly across multiple sectors. 

How Can Cyber Attacks Impact the Shipping Industry? 

Expert Insight: Corey Ranslem, CEO of Dryad Global 

Dryad Global provides advanced solutions for maritime situational awareness and cyber protection, ensuring the safety, security, and operational resilience of maritime operations. By offering real-time vessel tracking, threat analysis, and environmental monitoring, Dryad Global empowers informed decision-making. Their comprehensive suite of services, supported by a data-driven platform and extensive risk model database, helps mitigate risks, optimize routes, and enhance operational efficiency. 

“The maritime industry is probably 10 or 15 years behind the rest of the world when it comes to just recognizing the problem of cybersecurity,” says Corey Ranslem, CEO of Dryad Global. 

In Q1 2024, US company Marine Max disclosed that they were a victim of a cyber attack, a situation that has impacted many other large top management companies. There is a huge amount of communication between management companies and vessels, which opens up attack vectors and creates a cascading effect. There is more data than ever flowing between vessels, crews, and their shoreside management. Legacy systems onboard that need upgrades and protection exacerbate vulnerabilities. 

Networks on vessels vary significantly based on their operation. The network setup on a large yacht differs from that on a cargo ship, which is entirely different from a cruise ship. This also affects the communication link between the ship and shore, and its security—or lack thereof. 

But it’s not just communication that poses risks. The cranes bought 10 years ago with vulnerable modems illustrate a broader problem. Port infrastructure is not the only concern; vessels face similar challenges. A ship takes about five to seven years from initial conception to hitting the water, meaning its systems are already outdated by the time it launches. With a vessel's life expectancy ranging from 25 to 30 years, this means dealing with 30- to 40-year-old systems. We have legacy problems now, and we will continue to have them in the future. 

Another important point concerns the differences in vessel networks. We used to have "sister ships" with identical setups, but that's no longer the case. While systems might be initially integrated and set up the same, once the crew takes command, variations occur. One vessel might receive updates and patches while another does not. Crew members may bring devices onboard that introduce new vulnerabilities. Different charters might result in different equipment being plugged into the network. Even if designed identically, these networks diverge once in operation. 

We've encountered situations where an air gap was assumed for security, only to find during inspections that an Ethernet cable was connecting the Master's computer to the ECDIS. This single cable undermines the security measures that were in place just six months prior. The dynamic nature of these networks requires constant vigilance and adaptation. 

Geopolitics and Cyber Warfare on the Seas 

“What you see from a physical perspective corresponds to what we see in the cyber world. It mimics these threat landscapes,” says Ismael Valenzuela, VP of Threat Research & Intelligence at BlackBerry. 

Cyber threat intelligence should enable decision-makers to make informed decisions by transforming raw data into actionable intelligence. This intelligence helps anticipate potential attacker actions and their impacts, identify assets at risk, and prioritize protection efforts. With numerous vulnerabilities to consider daily, it can be overwhelming. Therefore, Dryad Global uses threat intelligence to prioritize which assets need protection and ensure visibility, even from a telemetry perspective, on specific threat actors and vectors, such as USB devices on a vessel. 

We need the capability to hunt for indicators of an attack, to detect early signs of an attack, and to know if we have been attacked previously or are under attack currently. Many focus solely on stopping ransomware payloads, but before ransomware hits the system, there are early indicators in the attack chain that we can focus on. Detecting these early signs gives us an advantage because we can disrupt the attack sooner. 

It's crucial to investigate and contextualize these attacks to understand why they are happening and which threat actors are involved. This information is essential for an effective response. Responding to common financial Trojans is vastly different from responding to ransomware attacks, especially in critical infrastructure. 

Dryad Global originally started to provide maritime domain intelligence, offering a comprehensive picture of the maritime space to its worldwide clients. This traditionally focused on geopolitics, physical security, and operational issues, such as determining the safety of routes and port access, and assessing potential regional or national security risks. 

However, the focus has shifted. Increasingly, cyber threats pervade our intelligence reports. 

“Our teams are particularly focused on the potential for cyber attacks on vessels in specific ports or regions, or due to certain ownership or management characteristics. Whether it's a cruise line, cargo ship, or large yacht, we anticipate that cyber attacks will become more targeted in the maritime industry,” says Corey Ranslem, CEO of Dryad Global. 

Dryad Global’s partnership with BlackBerry and Plymouth University allows us to test theories and scenarios by running simulations to understand the potential for such attacks. Through collaboration, we can better identify attack surfaces and gather detailed information on potential threats. This information is then shared with our clients in the global maritime industry to enhance their protection measures. 

“Intelligence is constantly evolving, and I believe we'll see significant changes in the landscape over the next year. While ransomware, malware, and man-in-the-middle attacks are currently common, we expect the dynamics to shift, particularly with the introduction of artificial intelligence into the equation,” adds Corey. 

It’s impossible to separate the physical frame intelligence from the cyber threat intelligence. It's all about trends, security, and outcomes. 

GFX: Why are vessels diverting around the Horn Of Africa? (timeline of Red Sea events/incidents plotted on map) 

To ensure security, it's crucial to understand the current situation in specific regions, such as the potential for cargo ships to be hijacked by pirates in the Red Sea. Additionally, knowing the prevailing cyber threats is essential. 

CTA: BlackBerry Global Threat Intelligence Report. 

The BlackBerry Cylance suite for endpoint security and quarterly trend reports show the increase in unique malware used by attackers. 

In simple terms, each piece of malware has a unique fingerprint, known as a hash. An increase in unique malware fingerprints suggests that attackers are constantly trying to bypass traditional security measures. Over the past year, the rate of unique malware pieces targeting our customers has increased from about 1.5 per minute to 3.7 per minute, indicating a significant rise in automated attacks. 

Insert: Chart or data showing trends here. 

South Korea, Japan, and the United States have reached an agreement to defend against attacks originating from North Korea. China, Russia, and Iran are also very active in this area. Moreover, some of these actors are also highly active in the Middle East, indicating a broad scope of operations. 

Most of these attacks target what we refer to as critical infrastructure, with 62% of them aimed at such targets. These attacks often involve unique malware, identified by distinct hashes, which indicates deliberate targeting of these organizations. According to the Cybersecurity and Infrastructure Security Agency (CISA) in the US, critical infrastructure includes sectors like finance, healthcare, government, public sector, food and agriculture, utilities, and maritime transportation. 

AI and Cybersecurity 

Although there's a lot of hype around AI, it's essential to understand that attackers are using it as a tool, just as we do. A friend recently told me, "AI won't take your job, but someone using AI will." Attackers are leveraging AI similarly, but they also continue to rely on well-known tools and techniques because they remain effective, especially against organizations without proper defenses. 

Changes to Regulation 

The US Coast Guard has issued a notice of proposed rulemaking, indicating upcoming changes to reporting requirements and other regulations for regulated facilities and vessels in the United States. Additionally, the IMO 2021 regulations are already in place. Talking to people within the regulatory environment, I anticipate that regulations will continue to tighten as governments worldwide focus more on critical infrastructure. 

A recent incident at the Port of Miami revealed modems in container cranes, purchased 10 years ago from China, were sending data back. This is just one example of the daily occurrences reported in the media, highlighting the ongoing threats across the cruise, yacht, and cargo industries. 

The key issue lies in the lack of reporting back to the industry. This is something we've observed across maritime sectors—whether it's large yachts, cargo ships, or cruise liners. We have been on board vessels that were victims of cyber attacks, yet these incidents were not reported back to the industry. 

In contrast, sectors like healthcare and finance are more transparent about reporting attacks. The Coast Guard's proposed regulatory changes aim to address this issue, emphasizing the importance of detailed reporting. Understanding the specifics of an attack vector benefits everyone, as it allows us to run simulations and analyze intelligence to improve security measures. 

The sector has traditionally relied on insurance companies to provide information on where losses have occurred, which helps us learn and improve. However, when it comes to cyber incidents, there are significant challenges. Cyber attacks often fall under exclusion clauses or have limited coverage, leading to underreporting. 

While concerns about reputation damage play a role, the lack of insurance payouts for recognized cyber attacks is a major issue. This situation hinders proper reporting and, consequently, our ability to learn from these incidents and strengthen our defenses over time. 

We are working with our clients to identify potential threats and vectors, and then anonymously sharing this information with partners like BlackBerry and Plymouth University. This collaboration helps us understand if these vectors could be used in actual attacks, providing valuable insights to enhance our defenses. It's a significant comment and a prevalent problem within the industry that needs to change. 

Potential Increase in Cyber Attacks on Shipping by State and Non-State Actors 

Absolutely, yes. We foresee an increase in potential cyber attacks against vessels, which could act as a precursor to physical attacks. Disabling a ship’s maneuvering capabilities makes it significantly easier for pirates to board. 

Attackers, whether state-sponsored or cybercriminals, focus on impact. Cybercriminals aim to monetize their activities, so if they can prevent a cargo ship from reaching shore and delivering goods, they achieve a financial gain. We've also observed pirates using AIS (Automatic Identification System) to track high-value targets, which is a natural progression of their tactics. Additionally, terrorist groups have been known to employ cyber experts to enhance their capabilities. Therefore, it’s only natural that these cyber threats will continue to evolve and grow. 

Differences in Training and Response Times Between Commercial and Military Vessels 

While commercial vessels might not have someone manning manual override stations, military vessels often do, which significantly reduces their response times. This highlights the importance of training in addition to technology. Detecting and responding to threats early requires skills and procedures that need to be learned and adapted, such as ensuring someone is manning manual overrides in critical situations. 

The military's quicker response times, as demonstrated in simulations, could make a huge difference in narrow channels or ports. However, commercial vessels also need better crew training and resources to understand and manage cybersecurity threats. 

Our first recommendation to clients is to understand their systems and identify vulnerabilities. This can often be done remotely and cost-effectively. The next step is protecting endpoints—computers, iPads, servers—onboard the vessel. Quarantining and stopping malware at these points can prevent it from spreading throughout the system. Many ships are disconnected from the internet for long periods, so their systems must function offline. Continuous internet connectivity, common in IT environments, isn't feasible for vessels at sea. That's why Dryad is working with BlackBerry to develop solutions that operate in low-bandwidth environments for vessels.