Cyberattacks on the high seas? Norwegian sailors, researchers sound a warning
Researchers at the Norwegian University of Science and Technology (NTNU) with a seafaring background are warning that cyberattacks on ships could have a devastating real-world impact.
Erlend Erstad, a Ph.D. candidate at NTNU, told Recorded Future News that he did not know of “any reported safety accidents at this moment,” but he cautioned that there have been “unexplainable” incidents that haven't yet been attributed to a cyberattack or a technical error.
“We know there are unreported events in the industry, as the ship owners and charterers haven’t had any official reporting schemes until recently. Sailors have handled cyber issues on the same basis as any other technical issue,” said Erstad.
Since the turn of this century, cyberattacks on industrial systems — from nuclear enrichment facilities in Iran to multiple parts of the power grid in Ukraine — have proven that digital interference can have a direct physical impact.
To date, there have been no publicly acknowledged cyberattacks that have similarly impacted a ship, although cyberattacks on other systems connected to shipping are known throughout the industry and maritime academia. The researchers warn that this lack of public acknowledgement does not mean the risks aren’t there.
“We are seeing spoofing and jamming more often now, with foreign governments trying to do different things to confuse the Western world and to create disputes about whether ships entered national territorial waters,” said Marie Haugli-Sandvik, a Ph.D. candidate at NTNU.
Reports have suggested that Chinese actors have spoofed AIS (automatic identification system) broadcasts, which ships are required under international law to send to signal their location to other vessels nearby, while potentially unloading oil covered by U.S. embargoes to terminals on China’s eastern coast.
There have also been suggestions that the Iranian Revolutionary Guards Corps has deployed GPS jamming to trick merchant vessels into entering Iranian waters around the Strait of Hormuz.
Haugli-Sandvik said the researchers had collaborated with the team at the Cyber-SHIP Lab at the University of Plymouth in England who “successfully hacked a rudder on a ship” during a simulation, and “made the ship run aground in such a timeframe that the deck officers wouldn't be able to stop it.”
Although this was a simulation, Haugli-Sandvik and Erstad — both of whom have previously worked as deck officers aboard merchant vessels servicing Norway’s oil rigs — said the risks of an attack directly affecting a ship are real and demand greater awareness and training among seafarers.
While a deck officer, Haugli-Sandvik said she didn’t think of a cyberattack on the ship as a possible threat. Erstad agreed: “Just like most people do today, they think that this won’t happen to me, so I don’t need to consider it.”
The industry, helped by their research, now assesses the risks very differently. During a recent training course they ran as part of their research, the pair looked at the effects of a compromised ballast water treatment system, and found that an attacker could make “the ship move uncontrollably to one side.”
This wasn’t based on a known vulnerability of the system. The point was to train sailors how to respond if something does go wrong.
“The learning outcome and the intention of the scenario was not to tip the ship over to make a disaster of some kind, because if you do that you don't get any learning points for the student,” explained Erstad.
“It was to get the student to reflect about how this safety issue can affect us. If something unpredictable is happening, which you don't have control over in the very critical time when you are close to a rig, it's a very safety-critical operation both for you and for people on the rig.”
“We know about a lot of vulnerabilities in vessels' systems and how they can be exploited. So we know what's possible. But there is a difference between what's possible and what's most likely,” said Haugli-Sandvik.
The researchers said they couldn’t comment on the likelihood of such an attack. Taking control over an entire ship was “very, very, very unlikely,” said Erstad, but compromising a single system and using that to imperil the whole vessel “might be doable.”
Humans as the best line of defense
The researchers want to raise awareness of these issues for seafarers and equip them with the knowledge of how to respond to such an attack — to raise the bar for attackers “enough so that shipping is not affected by all these known vulnerabilities which are publicly available information all over the internet,” said Erstad.
Sailors aren’t cybersecurity professionals, and simply telling them that they are going to be hit by a cyberattack at some point doesn’t do much to encourage safe operations.
“We would like to raise awareness amongst seafarers,” added Haugli-Sandvik. “If we say ransomware is something you need to worry about because your company can go bankrupt, that's obviously something management would worry about, but if you have to worry about ransomware on your vessel because you can run aground, it's a different scenario [which seafarers themselves would pay attention to as well].”
Human behavior “can decrease cyber risk a lot,” she said. “That's where we put our pressure because we are not technical IT experts, we are former deck officers, so our main focus is on the crew, and how they can behave in the best way possible to protect both themselves to decrease the possibility of a cyberattack happening and know what to do in the first hours and days if you are hit by a cyberattack.”
Last October, Norway’s prime minister Jonas Gahr Støre warned that Russia poses “a real and serious threat” to the country’s oil and gas industry amid criticisms that the Scandinavian country has acted too slowly to protect its petroleum sector — including the vital role that the merchant fleet plays — from cyberattacks.
“We see that OT [operational technology] and IT [information technology] are connected in very uncontrolled manners on ships today, and that also makes it possible for IT ransomware to be translated over to OT networks onboard the ships,” warned Haugli-Sandvik.
“People often don't understand the risks. … If you work on a vessel, you work on a floating computer, and there are some threat actors out there that can harm you, or your vessel, or could be interested in the information you have, if you are working within, for example, energy or oil and gas, and so forth,” she added.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.