Commercial Shipping Is the Next Cybersecurity Challenge
There is a misbelief that ships are not vulnerable to cyber incidents, leading to an approach where the industry will only do the bare minimum to comply with existing regulations.
Quotes from Chronis Kapalidis, ISF Principal
In recent weeks, a series of attacks on commercial shipping in and near the Persian Gulf have been unofficially attributed to Iran, including a drone attack that killed two mariners in the Gulf and an attempted hijacking of a commercial vessel in the Strait of Hormuz. Along with another suspected attack, in which several ships simultaneously reported difficulties in steering, these incidents highlight both the importance of commercial shipping to the global economy and the sector’s vulnerability to asymmetric tactics, including cyberattacks. They also show how Iran is using cyberattacks to demonstrate its capabilities, and signal what to expect from the new political leadership in Tehran.
The drone attack, which targeted an Israeli-operated tanker off the coast of Oman in late July, left one British and one Romanian national dead. Days later, in the first week of August, armed assailants boarded another ship, the Asphalt Princess, off the United Arab Emirates and ordered it to sail to Iran; the hijacking attempt was foiled when the crew disabled the ship’s engines. In the same week, up to six vessels reported the loss of their steering control in the Gulf of Oman.
Theoretically, it is possible that all six ships simultaneously suffered mechanical or electrical failures, and Iran has denied responsibility for the incidents, as well as for the other attacks. But maritime experts judge a coordinated cyberattack to be more likely. What’s more, the incidents bear a striking resemblance to the kinds of targets identified in a collection of documents obtained by Sky News, dated from November 2020, allegedly compiled by the cyber unit of the Islamic Revolutionary Guard Corps called “Shahid Kaveh.” The 57-page file covers a wide range of potential targets, from cargo ships and fuel pumps to petrol stations.
Chronis Kapalidis, a maritime security expert with the Information Security Forum, told me that the sections on shipping found in the Iranian documents are based on “pretty basic” open source intelligence. And some of the attacks mentioned—such as one interfering with the ballast water, which could cause the vessel to become imbalanced—would be quite difficult to carry out in practice. Nevertheless, both the files and the recent activities attributed to Iran do appear to signal an intent and a capability to disrupt critical elements of the global fuel supply chain.
It is difficult to overestimate the importance of shipping to the global economy—and of the Strait of Hormuz to the global fuel supply chain. Shipping represents 90 percent of goods traded globally, with 11 billion tons of goods transported by sea each year, or 1.5 tons per person on the planet. Because shipping is a relatively less polluting form of transportation, maritime trade volumes are expected to triple by 2050.
The Strait of Hormuz, a narrow passage between Iran and the UAE just 21 miles wide, is a vulnerable chokepoint in the world’s oil supply, approximately one-third of which is shipped through it each year. Considering that in May a ransomware attack on a single but important conduit of gasoline and jet fuel in the U.S., the Colonial Pipeline, caused a spike in domestic prices at the pump to more than $3 a gallon for the first time since 2014, imagine the impact of an attack that took out shipping in the Persian Gulf.
The other unfortunate component in this risk scenario is the poor level of cyber-preparedness in global shipping. According to Kimberley Tam and Kevin Jones, writing in the Journal of Cyber Policy, there are several distinctive factors that make the cybersecurity of commercial shipping a challenge. These include the duration of container ships’ voyages, which can last for months, and the age of the ships, which now averages over 20 years. Rounding out the challenges are “the mix of old and new systems, a nominally low bandwidth while at sea, and alternating between extreme isolation and global connectivity at international ports.”
Kapalidis told me that within the maritime industry, there is “a misbelief that ships are not vulnerable to cyber incidents,” leading to a compliance-driven approach, where industry will only do the bare minimum to comply with existing regulations. There have been some improvements in the tools, technologies, policies and procedures used to protect the industry’s “crown jewels”: the ships. But, Kapalidis concludes, “There is still a long way to go.”