It’s easy to forget when you’re on dry land that 90 percent of the world’s goods are shipped on boats. While we worry about the cybersecurity of power grids and nuclear missile silos, most of us have never thought about whether the container ships and ports that bring us our clothes, electronics, food—everything—are secured against digital threats.
Spoiler alert: They’re not.
The April newsletter from maritime cybersecurity consulting firm CyberKeel contained a scary stat. According to a spot check the group conducted, 37 percent of maritime companies with Windows webservers haven’t been keeping up with installing security patches from Microsoft. As a result, more than one-third of these sites are vulnerable to denial of service attacks and certain types of remote access.
We already know that companies are slow to protect their networks. On the first anniversary of the discovery of Heartbleed last month, one study showed that 74 percent of companies on the Forbes Global 2000 list hadn’t comprehensively patched their systems against what was possibly the worst vulnerability ever discovered. Maritime companies, though, are responsible not just for customer data (which is already extremely valuable), but for physical goods. If their systems suffer an outage, companies might not know where their ships are, or ports might not be able to unload cargo. Doesn’t this sound kind of, um, important?
Over the last few years, groups around the world have been working to bring maritime cybersecurity to the fore and begin talking about the reality of the threats. When breaches occur, private companies currently have virtually no incentive to disclose them, because it will only generate bad publicity and breed distrust among customers and investors. Incidents have started to come out, and this first step toward transparency is promising.
But those steps are taking a little too long, given how critical maritime infrastructure is to everyday functioning in the U.S. and abroad. A 2013 report on maritime cybersecurity from Brookings explained, “The potential consequences of even a minimal disruption of the flow of goods in U.S. ports would be high. … [S]helves at grocery stores and gas tanks at service stations would run empty.”
When 90 percent of goods come through maritime shipping, it’s not that hard to imagine that situation coming to fruition. CyberKeel co-founder Lars Jensen says that when he and partner Morten Schenk began working on maritime cybersecurity consulting in January 2014, the prevailing idea among maritime executives was that digital threats either didn’t exist or were highly theoretical. But, he says, “The thing that started to scare us a little bit was that some of things … where we said, ‘This is clearly Hollywood-scenario stuff’ had already happened.”
Many of the incidents that have occurred have, as you might expect, been kept quiet. But examples are trickling out. For example, at a January public meeting to discuss maritime cybersecurity standards, the Coast Guard said that in 2014, a U.S. port (it’s not clear which one) suffered a seven-hour GPS signal disruption that crippled operations. Port cranes use GPS data to establish their own positions, the positions of the containers they are supposed to move, and the positions to where they are supposed to move the containers. The incident the Coast Guard described affected four cranes. Without GPS, ports have to switch to manual operation, which is extremely inefficient and time-consuming.
Four confused cranes probably don’t quite evoke the mayhem that the phrase Hollywood-scenario stuff might conjure in your mind. But remember that GPS is also crucial for navigation on board ships and for tracking the whereabouts of different vessels as they move. Jensen describes one possible scenario (which he says he hasn’t heard about actually happening yet) in which hackers could use GPS jamming as a way of holding a ship hostage, asking a small enough ransom that it’s cheaper for the shipping company to just pay rather than attempt to intervene.
GPS’s ubiquity is both its strength and weakness. “The government provides positioning, navigation, and timing through the GPS system,” says Dana Goward, president of the Resilient Navigation and Timing Foundation and the former maritime navigation authority for the United States. “It’s a free, highly precise signal that engineers have incorporated into virtually every technology. But because of that, it’s become a single point of failure for much of America. And you see examples of that in maritime.” The RNT Foundation advocates for the creation of a GPS alternative for emergencies. A 2004 presidential security directive to the Department of Transportation supported the initiative, but 11 years later, it still hasn’t moved forward.
Another troubling incident occurred in 2012, when malware took out about three-quarters of Saudi Aramco’s files across tens of thousands of PCs. An image of a burning American flag appeared on every screen. The company was able to contain and mitigate the attack relatively quickly, but since the oil company distributes its product through maritime shipping, it was a wakeup call about how big of an economic impact a port-related hack could have.
In March, Rutgers University held a maritime cybersecurity conference co-sponsored by the Command, Control and Interoperability Center for Advanced Data Analysis and the American Military University. “The threat is very real,” said Rear Adm. Marshall Lytle, the assistant commandant responsible for U.S. Coast Guard Cyber Command and the keynote speaker at the conference. “These intrusions and attacks are taking place every minute and every second of every day.”
One of the problems with incentivizing both disclosures and increased cybersecurity vigilance is the lack of international or even domestic port standards from governing bodies. “Right now there is nothing akin to the [International Ship and Port Facility Security Code] rules on the cyber side. Nothing whatsoever,” Jensen said. (The ISPS Code is a set of internationally agreed-upon minimum standards for physical ship and port security that was developed after 9/11 and enacted in 2004.) “There has to be some sort of consensus coalescing in the industry.”
At the Rutgers conference, Vice Adm. Charles Michel, who is deputy commandant for operations, outlined some of the Coast Guard’s plans for cybersecurity strategy. “Probably the most important part of the Coast Guard’s Cyber Strategy is in its key organizing principle: The strategy is all about embracing a policy framework that will allow our enterprise to begin to tackle these challenges.”
The issue hasn’t exactly reached peak urgency in either the private or government sector, but Goward thinks it needs to. “The sooner the better,” he says. “Opportunities for mistakes or for bad people to do malicious things just continue to grow. The solution can’t come soon enough.”
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.