New research suggests that maritime vessels are under significant threat of cyber-attack because they were not designed with cyber security in mind and carry outdated software.
In a research paper published in Engineering and Technology Reference researchers from the Plymouth University’s Maritime Cyber Threats Research Group suggest that cyber attacks would most likely target systems responsible for navigation, propulsion, and cargo-related functions. The financial incentive is there, they argue: over 90 per cent of world trade occurs via the oceans. And the software in these systems on board major shipping vessels is outdated and not designed for modern cybersecurity.
Professor Kevin Jones, Executive Dean of Science and Engineering, lead author on the paper, said “In an increasingly connected and technologically dependent world, new areas of vulnerability are emerging. However, this dependency increases the vessel’s presence in the cyber domain, increasing its chances of being targeted and offering new vectors for such attacks. Longer term, there needs to be a fundamentally different approach to security of the entire maritime infrastructure meaning there is great need for specific cyber security research programmes focused on the maritime sector.”
Last March, Verizon released a Data Breach Digest which described how pirates used a data breach to target specific vessels at sea. The pirates knew not only where the containers were on board, but also what they contained.
“As things stand, there are fundamental issues with securing the technology used in the maritime industry and the sector is probably the most vulnerable aspect of critical national infrastructure.,” the Plymouth University’s Maritime Cyber Threats Research Group report said. “Both security firms and hackers have found both general flaws and specific, real-world, flaws within the navigation systems of ships, and it seems plausible that similar outdated systems for propulsion and cargo handling may also be compromised and abused by cyber-attackers.”
There is some similarity with Industrial Control Systems which were not designed for connectivity, but now find themselves increasingly online.