Cyber piracy threat analysis
Yong-Hyun Jo*, Jun-Mo Kang**, Young-Kyun Cha***
*Graduate School of Information Security, Korea University
Summary
The marine industry is categorized into the shipbuilding, shipping and port industries. It is a significant area that plays a large part in national competitiveness. In 2017, the Maritime Safety Committee (MSC) of the International Maritime Organization (IMO) began to discuss marine cyber security due to the increased threat from cyberspace targeting the marine industry. In this article, marine cyber security cases and trends in the cyber security guidelines of global maritime organizations are examined and their implications are considered.
I. Introduction
The maritime industry operates across the ocean, which covers 70% of the earth, and accounts for more than 90% of international trade. The shipping market is estimated to grow from $720 billion in 2010 to $1.2 trillion in 2030. The size of Korea's maritime industry was 217 trillion won as of 2016, and the total revenue of the shipping industry was 26 trillion won as of 2016, the seventh largest revenue among domestic industries. Since 2018 the government has announced plans for the development of the shipbuilding and shipping industries and is pushing ahead with strategies to build new ships and develop the shipping industry. Information and communication technologies are also being applied to the marine industry, so that various navigation systems on ships are digitalized. They also connect the devices on a ship with each other, ships with other ships, and ships with ports over communication networks. This change reflects the shift to an ICT-based smart ship environment, driven by: the need to implement laws and regulations; increasing requirements from shippers; ship position and sailing information; analysis of fuel-use performance; the application of IT to implement environmental regulations; the application of satellite communications to ships; the spread of maritime networks for personal e-mail and internet use for welfare on board; the networking of ships' engines and route control devices; and the application of IT-based ship management systems between ship owners, ships and operators.
Conventionally, pirates referred to armed groups that hijack or seize vessels and cargo, take crews hostage, and negotiate with shipping companies and governments over the price of their release. More recently, people who sell and distribute legal software in large quantities have been referred to as cyber pirates.
However, as maritime-related industries such as ships, shipbuilding and shipping become IT-based, there have been cases of hacking, information leakage and cyber crime linked to hackers and criminal organizations. In this article, such cyber attackers targeting the maritime industry are defined as cyber pirates.
In the maritime industry, bringing explosives or weapons into ships or ports, or hiding them there, was defined as the major threat under the law on the security of international sailing ships and port facilities. With the turn to digitalization, however, cyber security issues such as hacking of ships and ports, malware infection and system disruption have come to the fore. According to 2016 survey data from the Baltic and International Maritime Council (BIMCO), one in five respondents said they had been victims of a cyber attack, and only 40 percent of respondents said they had taken preventive measures. In order to respond to maritime cyber security threats, ENISA classified the maritime sector as critical infrastructure along with ICS/SCADA, smart grid, finance and health. The Maritime Safety Committee (MSC) of the International Maritime Organization (IMO) proposed a plan for managing maritime cyber risks in response to the increased cyber security risk and decided to enforce it from January 1, 2021.
In this article, cyber security cases, global security standards and guides for the maritime industry are analyzed.
II. Maritime cyber security trends
2.1 Security issue cases
The maritime cyber security issues listed in [Table 1] are as follows.
Case No. 1: A Nigerian crime organization that used to operate as an armed group in the waters of West Africa, hijacking vessels and kidnapping crews, worked with a hacking group to take over personal information (user IDs and passwords) of officers and staff of maritime companies in Korea, Japan, Norway, etc., and attempted business scams. This is a typical example of traditional pirates becoming cyber pirates by using cyber attack technology.
Case No. 2: It was confirmed that e-mail from a Dutch shipping company's e-mail system had been forwarded to an external attacker for at least 11 months, resulting in the leak of about 500 pieces of sensitive personal information of Australian national employees.
Case No. 3, 4: Data leaks or system outages at global shipping companies in the UK and Singapore caused by hacking.
Case No. 5: A serious vulnerability was found in a satellite communication system used on ships. The vulnerability can be exploited to allow attackers to penetrate the vessel's satellite communication system, internal engine equipment, operation equipment, etc. However, this system has been in end-of-service (EoS) status since June 2017. Vessels equipped with the vulnerable system remain exposed until it is patched, but a vessel's systems stay in service for 20 to 30 years, which makes patching difficult.
Case No. 6: In August 2017, a US naval ship collided with an oil tanker in the Singapore Strait, killing 10 crew members. The media then raised the possibility of a cyber attack. In June, an Aegis ship of the US Navy 7th Fleet, to which this ship belongs, had collided with a Philippine container ship. Military vessel accidents occurred in succession.
Case No. 7: According to the 2017 ship security and risk report by Allianz, a global insurance company, the impact of cyber security on vessel safety is expected to increase as a result of North Korea's cyber attack on South Korean vessels' GPS systems in March 2016. [1]
Case No. 8: Through a vulnerability in accounting software in use at the Ukrainian branch of the world's largest shipping company, Maersk Line, the NotPetya ransomware spread to branches and ports around the world. To prevent further damage, the whole IT system was forcibly shut down, and the system was restored over 3 months across 45,000 PCs and 2,500 applications. Maersk Line's estimated total damage amounted to about 300 billion won. When signs of infection and spreading were discovered at the very beginning, the corporation prevented customers from leaving by publicizing the damage and restoration measures through Twitter, by making a quick decision to shut down the IT system, etc.
Case No. 9: A German container vessel (8,250 TEU) was hacked, and control of the vessel was lost for 10 hours. To restore the vessel to its original condition, it stopped sailing and an IT system restoration operation was carried out. Container vessels carry large quantities of cargo, so such an incident can cause economic losses due to delays in cargo transportation, increased fuel costs, etc.
Case No. 10: Personal information of US Navy crew was leaked through a laptop of a maintenance company, which led to the leakage of Navy information.
Case No. 11: In August 2016, a zero-day SQL injection vulnerability (CVE-2016-5817) was disclosed in the web-based ship system Navis of Cargotec Corporation in the USA, which is used by the USA and 13 ports worldwide. This raised the issue of patch management in ship systems. [2]
Case No. 12: In 2016, 22,400 pages of submarine data, including stealth technology, were leaked from a French defense company by a former navy officer.
Case No. 13: Pirates hijacked a global shipping company's vessel, took away only the containers loaded with certain cargo, and escaped. An investigation of the cargo management system and bill of lading management system of the shipping company that suffered the piracy found malicious code in the shipping company's system. The case is characterized by the fact that the pirates hired hackers to commit criminal acts using the shipping company's computer system. It means that the scope of a shipping company's security management system should be widely expanded to include cargo, vessels and the company's computer management system.
Case No. 14: In 2015, a vulnerability was found in the Vessel Data Recorder (VDR) system, which serves the same role as the black box of an aircraft. It was announced that VDR data could be remotely deleted and modified. Therefore, it is judged that, when a vessel accident is investigated, the integrity of the digital evidence will be verified by checking whether the vulnerability has been patched and whether the VDR data has been remotely forged.
Case No. 15: World Fuel Services (WFS), a major marine refueling company that supplies fuel to vessels and others, suffered fraud losses of $18 million through an e-mail scam in October 2014. Since then, business scams have continued steadily, and in April 2018 a concentrated attack targeting shipping companies was found. [3]
Case No. 16: Drug dealers hired hackers to break into the control system of the Belgian port of Antwerp, identified the containers in which cocaine and heroin had been shipped, and took them out before the legitimate cargo owners arrived. The hackers infected the relevant PCs through e-mail with a Trojan attachment and, after breaking into the office, installed a USB device that captures passwords. The hackers thus used both an attack via e-mail and a method of directly entering the office and plugging a keylogger into a PC. [4]
Case No. 17: In 2011, a hacker hired by a criminal organization broke into Australian customs and the cargo system and identified information on the shipping containers (shipments) that the customs authority suspected.
Case No. 18: In August 2011, a hacker broke into an Iranian shipping line's server and damaged data on charges, cargo numbers, shipping dates and locations. [6]

| Case No. | Date | Content |
|---|---|---|
| 1 | 2018.04 | A Nigerian hacking group attacked shipping companies in Korea, Japan and Norway. Among these, the personal information of officers and staff of 3 Korean shipping companies was taken and used for BEC (Business E-mail Compromise) |
| 2 | 2018.03 | E-mail from a Dutch shipping company's e-mail system was forwarded to an external attacker for at least 11 months through the automatic forwarding function; it was confirmed that about 500 pieces of sensitive personal information of Australian national officers and staff were leaked |
| 3 | 2017.12 | The computer system of Singapore shipping company BW Group went offline due to hacking |
| 4 | 2017.12 | Clarksons, UK, was threatened with data leakage after refusing to pay the amount demanded by hackers |
| 5 | 2017.10 | A serious vulnerability was found in a related system of a satellite service company |
| 6 | 2017.08 | About 10 crew members were missing or killed in the collision of the US Navy ship John S. McCain. Some have since raised the possibility of cyber attacks or cyber bullying |
| 7 | 2017.08 | According to an insurance company's safety and risk report, the impact of cyber security on ship safety is expected to increase |
| 8 | 2017.06 | The world's largest shipping company, Maersk Line, re-installed about 4,000 servers, 45,000 PCs and 2,500 applications owing to ransomware (NotPetya) attacks. The estimated total damage is approximately 300 billion won |
| 9 | 2017.02 | The navigation system of a German-owned 8,250 TEU ship was taken over by a hacker for 10 hours while it was sailing from Cyprus to Djibouti |
| 10 | 2016.11 | Sensitive information such as social security numbers of 134,386 Navy personnel was leaked due to hacking of the laptop of IT outsourcing staff |
| 11 | 2016.08 | A zero-day SQL injection vulnerability (CVE-2016-5817) was disclosed in the web-based ship system Navis of Cargotec Corporation in the USA, which is used by the USA and 13 ports worldwide |
| 12 | 2016 | 22,400 pages of submarine data, including stealth technology, were leaked from a French defense company |
| 13 | 2016.03 | Pirates hijacked a global shipping company's vessel, took away only the containers loaded with certain cargo, and escaped. An investigation of the cargo management system and bill of lading management system of the shipping company that suffered the piracy found malicious code in the shipping company's system |
| 14 | 2015 | A vulnerability was found in the VDR system, which functions as the black box of a ship. It allows data recorded in the VDR to be deleted or modified remotely |
| 15 | 2014 | World Fuel Services (WFS), a major marine refueling company that supplies fuel to vessels and others, suffered fraud losses of $18 million through an e-mail scam |
| 16 | 2013.10 | Drug dealers hired hackers to break into the Belgian port control system, identified the containers in which cocaine and heroin had been shipped, and took them out before the legitimate cargo owners arrived. The hackers infected the relevant PCs through e-mail with a Trojan attachment and, after breaking into the office, installed a USB device that captures passwords |
| 17 | 2012 | A hacker hired by a criminal organization in 2012 broke into Australian customs and the cargo system and identified information on the shipping containers (shipments) that the customs authority suspected |
| 18 | 2011.08 | A hacker broke into an Iranian shipping line's server and damaged data on charges, cargo, cargo numbers, shipping dates and locations |

[Table 1] Maritime cyber security cases
This concept is similar to the internal management plan for personal information under Korea's Personal Information Protection Act: vessels must establish their own security plan and obtain the approval of the government. After receiving the government's security evaluation, a vessel is required to carry an International Ship Security Certificate (ISSC, term of validity: 5 years) while operating. Each vessel is required to permanently mark its unique identification number (IMO number) on its hull, but some nations or criminal groups delete or falsify this IMO number when transporting illegal weapons.
A vessel without a security certificate will face problems such as docking refusal, port embargo, etc. It is also not allowed to sail internationally. Ports should appoint their own port security officers, establish security plans after conducting a port security evaluation, and obtain government approval.
2.3 Trends of international maritime organization
The IMO, an international organization established to deal with international issues related to shipping and shipbuilding, warned that the spread of electronic and communication equipment and its operation would lead to serious maritime safety problems such as hacking, information leakage and cyber terrorism.
At the 94th session of the MSC, the USA and Canada proposed enhancing cyber security in various maritime areas, such as shipping logistics systems and maritime facilities on vessels and in ports. At the 95th session, the USA, Canada and others argued that it is urgent to develop integrated guidelines for the cyber security of ports, maritime facilities and equipment in addition to ships. However, the proposal submitted to the 96th session included only the cyber security guideline for ships, reflecting the opinions of other countries at the 95th session.
These guidelines cover understanding cyber risk, the need for and purpose of cyber risk management, identifying risk management procedures, and a proposed list of activities for owners and operators to add to their risk/security management systems.
The 98th session of the MSC defined guidelines for cyber security and made it mandatory, as of January 1, 2021, for safety management systems to include the cyber security management field (maritime cyber risk management); this applies to all organizations in the industry.
III. Maritime cyber security guidelines and guide
3.1 IMO
The IMO cyber security risk management guideline presents shipping and cargo management, passenger management, and engine and communication systems as the vulnerable systems of a ship.
This guideline presents an efficient risk management framework consisting of five functions: identification, protection, detection, response and recovery. This framework is NIST's Cyber Security Framework. [7]
For the best risk management, it is recommended to refer to the latest versions of all relevant guidelines and standards, such as the guidelines of BIMCO (Baltic and International Maritime Council), ISO/IEC 27001 and the NIST Cyber Security Framework.
3.2 BIMCO
Version 2.0 of the guidelines on cyber security onboard ships was released in June 2016, following version 1.1 [8]. In this version, the guidance in the response and recovery planning chapter was made more specific, taking into account continuity planning after a cyber intrusion and the vessel's remote environment. This guide aims to provide essential guidance for cyber security management.
Chapter 1 is about cyber security and safety management. It defines maritime cyber security as protecting people on board (passengers and crew), cargo and ships from unauthorized access, operation or interruption, and loss of data. The major concerns are damage to the integrity of the vessel's electronic chart display and information system (ECDIS), failures resulting from the maintenance and patching of marine software, and damage to the satellite navigation system caused by loss or manipulation of critical sensors on the vessel.
Chapter 2 identifies the targets of maritime cyber security threats as companies, ships, operations and transactions, and suggests that experience in other sectors, such as financial institutions and public institutions, can serve as examples of successful cyber attack mitigation. It also suggests that employees of the company may be exposed to cyber attacks both at sea and on land.
Chapter 3 identifies the systems on ships that can be exposed to vulnerabilities. These are identical to the ship systems presented by the IMO in section 3.1 of this article. In addition, however, it identifies systems through which the ship communicates with shore (a port, vessel operating company or shipping company), such as the engine performance monitoring system, vessel maintenance system, cargo and crew management system, and navigation management system. These communication systems are additionally identified because they are used to check and control sailing from land.
Chapter 4 is about risk assessment. It states that senior management is responsible for the risk assessment, as in the risk assessment guides and control items presented in K-ISMS and ISO 27001. For the assessment of impacts, the CIA model [9] is used. The maritime industry and ship environment must be considered. For example, sensitive information includes ship location, system status and readings, cargo details, authorizations and certificates. The ship's power management system includes a SCADA system and is responsible for power distribution and control for the entire ship. The system is connected to the ship's communication system and is configured so that it can be monitored by the onshore company.
Chapter 5 is about protection measures. Protection measures should be implemented under the responsibility of senior management for the risks identified by the risk assessment. Protection measures consist of procedures and guidelines, which provide technical and administrative means. In particular, when ships use satellite and wireless communication, the protection measures must take into account the systems and specifications of the satellite communication systems. Methods to prevent unauthorized access to the ship must also be considered. The management interface to the control software is mainly provided in the form of a web-based user interface, the protection of which must be considered from the time of installation on the ship.
Chapter 6 is about business continuity planning. For ships, the following must be considered: loss of availability or navigational integrity of electronic navigation equipment; data loss; loss of availability or integrity of the global navigation satellite system (GNSS); loss of essential communications with the coast; disruption of the Global Maritime Distress and Safety System (GMDSS); loss of availability of industrial control systems, including ship propulsion systems, auxiliary systems and other industrial control systems; loss of integrity of other data management and control systems; and ransomware or denial of service (DoS).
Chapter 7 is about the incident response plan. For example, it is necessary to establish a recovery plan, an incident response plan and an investigation plan for the case in which the electronic chart display and information system (ECDIS) is infected with malicious code.
IV. Conclusion
In this article, cyber attackers targeting maritime industries such as shipbuilding, shipping companies and ports were defined as cyber pirates, and the damage they have caused was examined. The maritime industry is composed of ships, ports, support facilities, companies (ship owners and ship operating companies), shippers (customers), etc. When such a system is exposed to a cyber attack, it can cause damage to ships, cargo, and passengers' property and lives. As a result, the relevant international organizations resolved to establish a cyber security management system for the maritime industry. The UK Department for Transport proposed guidelines (Code of practice: cyber security for ships) for countering cyber threats in the maritime industry (ship operators, ship owners, crew, etc.) in September 2017. [10] These moves are expected to closely affect the Korean maritime industry. It is believed that maritime cyber security research is essential for safe shipbuilding and shipping.
[References]
[1] Allianz Global Corporate & Specialty, Safety and Shipping Review 2017, Aug 2017
[2] https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01
[3] https://shipandbunker.com/news/world/670152-wfs-in-court-over-18m-bunker-scam-claim
[4] https://motherboard.vice.com/en_us/article/bmjgk8/how-traffickers-hack-shipping-containers-to-move-drugs
[5] https://www.kaspersky.com/blog/maritime-cyber-security/8796/
[6] https://www.csoonline.com/article/3245803/security/defeating-21st-century-pirates-the-maritime-industry-and-cyberattacks.html
[7] NIST, Cyber Security Framework, April 2018
[8] https://www.bimco.org/news/press-releases/20170705_cyber-g
[9] NIST, Standards for Security Categorization of Federal Information and Information Systems, Feb 2004
[10] UK Department for Transport, Ship security: cyber security code of practice, Sep 2017