Multiple different targets, forms of attacks, motivations, and perpetrators can be involved in cyber-crimes.<\/p>\n\n\n\n Port, by Bill Dickinson<\/a> Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0)<\/em><\/p>\n\n\n\n Targets<\/em><\/p>\n\n\n\n Not all cyber-crimes discussed in this entry specifically target the maritime sector, but may instead aim to infect as many systems as possible.<\/span>2<\/sup><\/a><\/span> As such, there is a distinction between targeted and untargeted attacks.<\/span>3<\/sup><\/a><\/span> Even so, cyber-crimes pose an increasing risk to the maritime sector, even when untargeted. This is due to the specific dynamics of the sector\u2019s critical infrastructure.<\/span>4<\/sup><\/a><\/span><\/p>\n\n\n\n For example, the movement of ships across international boundaries exposes their systems to a larger number of unknown IT networks.<\/span>5<\/sup><\/a><\/span> Because many ships are relatively old (the average age of ships is over 20 years),<\/span>6<\/sup><\/a><\/span> they often have a mix of old and new systems, some of which may be obsolete. Many ships (including naval vessels) cannot upgrade these easily due to outdated hardware.<\/span>7<\/sup><\/a><\/span> Tam and Jones argue that the design cycle of newer ships is of a duration that means this problem will likely continue to exist.<\/span>8<\/sup><\/a><\/span><\/p>\n\n\n\n Other reasons ships are particularly vulnerable to cyber-attacks are their differing systems, the duration of their voyages which create large windows of opportunity for cyber-attacks, a nominally low bandwidth while at sea, and alternating between extreme isolation and global connectivity at international ports.<\/span>9<\/sup><\/a><\/span> Because ships often change crews, it can be difficult to ensure that all crews are aware of cyber-vulnerability, meaning human failure can also be significant risk factor for ships.<\/p>\n\n\n\n Ships are increasingly connected to networks through very-small-aperture terminals (VSAT), and their bandwidth capacity is increasing. This means they can access networks with greater regularity and share more information, making them more susceptible to cyber-attack.<\/span>10<\/sup><\/a><\/span><\/p>\n\n\n\n Shipping is also increasingly reliant on networked systems for its operation.<\/span>11<\/sup><\/a><\/span> Navigation depends on electronic systems such as ECDIS, GNSS, VDR and Radar\/ARPA, as well as the un-encrypted Automatic Identification System (AIS) network.<\/span>12<\/sup><\/a><\/span> In some cases, ships are unable to sail without these systems; many are designed to be paper-less and are therefore dependent on digital means of navigation.<\/span>13<\/sup><\/a><\/span> Propulsion too is increasingly automated, especially power control systems, and is often networked through integration with navigation.<\/span>14<\/sup><\/a><\/span><\/p>\n\n\n\n Ports are also at risk of being targeted. Computer systems undergird the global flow of maritime commerce. Ports incorporate a variety of networked OT systems, including modern gantry cranes, and scanning systems.<\/span>15<\/sup><\/a><\/span> The advent of \u2018smart ports\u2019 means more of the day-to-day operations are automated, increasing vulnerability.<\/span>16<\/sup><\/a><\/span> Port operators and agents also rely on IT for their management, such as freight management, operations data, traffic control communications, financial data, and corporate systems.<\/span>17<\/sup><\/a><\/span><\/p>\n\n\n\n These infrastructures are often connected, with data flowing between a large number of actors from across the globe.<\/span>18<\/sup><\/a><\/span> This means that a cyber-attack targeting or impacting on one actor can quickly spread to other actors and different infrastructures.<\/span>19<\/sup><\/a><\/span><\/p>\n\n\n\n Types of attack<\/em><\/p>\n\n\n\n Cyber-attacks can take multiple different forms.<\/span>20<\/sup><\/a><\/span> In order to provide a simplified overview, these will be explored through the effects they have \u2013 firstly, those that impact directly on operations, and secondly, those that are used to facilitate other forms of criminality.<\/p>\n\n\n\n The first type of cybercrime stops or limits operations, generally through a direct attack that damages systems or makes them either inaccessible or limited in such a way that continuing operations in ports or onboard ships and offshore infrastructure would be impossible or unsafe. Autonomous shipping, port services, navigation aid systems, offshore platforms and marine traffic control centres are all potential targets for these kinds of crimes.<\/p>\n\n\n\n Cyberattacks of this type can include mechanisms such as malware, software designed to damage systems, ransomware, software that blocks access to systems or publishes data unless a ransom is paid, and Distributed Denial of Service (DDoS – the flooding of a network with data to make it inaccessible). The Baltic and International Maritime Council (BIMCO) report a case where a shipowner opened an infected email attachment sent from two unwitting ship agents which made systems inaccessible until a ransom had been paid.<\/span>21<\/sup><\/a><\/span> Similarly, a large-scale destructive malware attack was targeted at the Maersk line in 2017.<\/span>22<\/sup><\/a><\/span> This saw malware spread across up to 76 ports causing widespread system outages. Both of these examples shut down operations by making information systems inaccessible. <\/p>\n\n\n\n Ships are also at risk from these forms of attack. In 2016 in South Korea 280 ships had to halt operations due to problems with their navigation systems.<\/span>23<\/sup><\/a><\/span> Viruses and malware have been shown to contribute to these issues, causing stoppages in operations due to safety concerns and an inability to navigate effectively.<\/span>24<\/sup><\/a><\/span> While these navigation systems were connected to the internet, even air-gapped systems (those not physically connected to an external network) have been shown to have dormant viruses.<\/span>25<\/sup><\/a><\/span><\/p>\n\n\n\n Many of these attacks are likely to have been untargeted. However, analysis by BIMCO suggests that targeted attacks are more sophisticated, because specific tools and techniques will be created for targeting the company or ship. These might include the manipulation of insider individuals; brute force (where many passwords are tried); and DDoS attacks.<\/span>26<\/sup><\/a><\/span><\/p>\n\n\n\n Spoofing is a targeted form of attack that has become a concern for ship navigation.<\/span>27<\/sup><\/a><\/span>. Spoofing involves convincing the positioning systems of the ship into believing a counterfeit signal in order to make unintentional course corrections.<\/span>28<\/sup><\/a><\/span> <\/p>\n\n\n\n One study conducted by Trend Micro demonstrated an ability to recreate a VHF frequency on AIS that could simulate a \u201cghost ship\u201d in a nearby port, which would alert vessels they were on a collision course and change their path.<\/span>29<\/sup><\/a><\/span> In a further study the University of Texas-Austin were able to effectively take remote control of a yacht in the Mediterranean by overpowering the onboard GPS.<\/span>30<\/sup><\/a><\/span> Spoofing can also cause ships to misreport or lose their own position, as occurred in the Black Sea in 2017 in an incident that impacted over 20 vessels.<\/span>31<\/sup><\/a><\/span> The diversion of ships through spoofing impacts negatively on operations, requiring the them to right the course manually or halt altogether until the issue is resolved.<\/span>32<\/sup><\/a><\/span> Jamming can also cause such issues by causing failures in navigation systems.<\/span>33<\/sup><\/a><\/span> <\/p>\n\n\n\n Data loss and theft resulting from hacking can be a serious targeted cyber-crime. In a case against an Iranian Shipping Line, for example, data loss relating to delivery and locations of containers meant that cargo containers could not be identified or located, causing financial loss.<\/span>34<\/sup><\/a><\/span> There have also been cases where companies have been extorted into paying hackers so that confidential business information is not released.<\/span>35<\/sup><\/a><\/span><\/p>\n\n\n\n A second type of cybercrime aims to facilitate other maritime crimes such as drugs trafficking, piracy, and fraud though various forms of cyber-attack, for example by hacking port systems that control and track container movement in order to hide shipments of illicit goods. An indicative case was the hacking of the Port of Antwerp\u2019s digital container tracking system in 2013.<\/span>36<\/sup><\/a><\/span> Containers trafficking drugs could be released without port authorities becoming aware, and traffickers could reach containers before their legitimate owners.<\/span>37<\/sup><\/a><\/span> Initially this was done through the cultivation of insiders in the port system, which then allowed hackers to re-enter electronic systems remotely. In other cases, traffickers have been able to discover which containers are under suspicion in order to avoid collection, as occurred in Australia in 2012 <\/span>38<\/sup><\/a><\/span><\/p>\n\n\n\n Robbery and piracy can be facilitated by cybercrimes. By hacking a system, attackers can browse cargo and container lists to identify the most valuable goods for black markets, to then be stolen in the port or targeted for future piracy attacks when the ship is at sea.<\/span>39<\/sup><\/a><\/span> Between 2010 and 2011, for example, a Greek Shipping Company was targeted by pirates in the Gulf of Aden after hackers had gained access to route timetables and ship vulnerabilities.<\/span>40<\/sup><\/a><\/span> It has been suggested that spoofing can also make piracy easier, by making the ships appear to be elsewhere \u2013 either leading them into more dangerous areas or making rescue difficult.<\/span>41<\/sup><\/a><\/span> <\/p>\n\n\n\n Cyber-fraud, too, is an increasing problem. A number of maritime bunkering and fuel services have fallen victim to such frauds, including World Fuel Services, who were defrauded of $17.9 million by a faked order.<\/span>42<\/sup><\/a><\/span> Criminals were able to create a fake fuel supply tender, which led to a ship-to-ship transfer. When they attempted to bill the agency in the documents, however, there was no record of the transaction. Vulnerabilities are increased because many transactions occur over email.<\/span>43<\/sup><\/a><\/span><\/p>\n\n\n\n Perpetrators<\/em><\/p>\n\n\n\n Some attacks are undertaken by independent individuals and are relatively minor in scale and effect. These may be carried out by hackers outside of the system or disgruntled employees.<\/span>44<\/sup><\/a><\/span> The motivation for such attacks may be economic gain, but non-financial reasons such as a desire to cause vandalism, leak information, prove cyber skills and enhance reputation in the wider community, or even ideological motivations when wanting to damage operations to protest for an activist cause.<\/span>45<\/sup><\/a><\/span> Within these relatively small activities some may be opportunistic rather than planned and be undertaken without specialist knowledge of techniques and tools.<\/span>46<\/sup><\/a><\/span><\/p>\n\n\n\n Other cybercrimes are more organised. In the cases of trafficking facilitation above for example, there were links to South American organised criminal groups. Corrupt employees can also be implicated in such attacks. Attackers often need an in-depth knowledge of port systems and infrastructure, as well as expert knowledge of the techniques and tools for cyberattacks, both of which demand sophisticated organisational capacities.<\/p>\n\n\n\n Other groups engage in corporate or industrial espionage. <\/span>47<\/sup><\/a><\/span> These can include corporations seeking to create competitive advantage .<\/span>48<\/sup><\/a><\/span> They may act directly or through third parties with the aim of harming a rival by collecting business intelligence, stealing intellectual property, or disrupting operations to cause financial or reputational loss.<\/span>49<\/sup><\/a><\/span><\/p>\n\n\n\n Not all organised cyber-crimes are targeted or have a financial motivation. For example, the Maersk case discussed above was well-orchestrated, but seems to have been aimed at disruption as much as financial gain. This has led to a recognition of a distinction between vandalism, which is relatively small scale and disorganised on the one hand, and well-organised and intentional sabotage on the other.<\/span>50<\/sup><\/a><\/span> <\/p>\n\n\n\n A final difficulty is distinguishing between acts undertaken by criminal groups or independent hackers, and those carried out by states. State-led cyber-crimes tend to be viewed as issues of national security. Cyber-attacks are increasingly difficult to attribute,<\/span>51<\/sup><\/a><\/span> especially if they are undertaken by perpetrators with less clear state-sponsorship. Some of these criminal acts are thought to be undertaken by states due to the targets involved and the sophistication of the attacks. In 2020 for example, a cyber-attack in Iran\u2019s Shahid Rajaee port terminal \u2013 thought to have been conducted by Israel – halted operations.<\/span>52<\/sup><\/a><\/span> There are also increasing concerns that terrorist groups could engage in cyber-crimes.<\/span>53<\/sup><\/a><\/span><\/p>\n\n\n\n![\"\"](\"https:\/\/www.safeseas.net\/evidence\/wp-content\/uploads\/2022\/08\/16005967512_0deee0303a_c.jpg\")
<\/figure>\n\n\n\n
\n\n\n\nCharacteristics<\/h2>\n\n\n\n