A blogger at security company Pen Test Partners has warned that container ship stowage plans can be hacked.
The issue stems from the absence of security in a messaging system used to create ship loading and container stowage plans from the electronic messages exchanged between shipping lines, port authorities, terminals and ships.
Instead of taking 24 to 48 hours to load and unload, it could take weeks to manually re-inventory the ship, says a company blog. “Even more sinister is the threat to the ship itself. Load planning software is used to place heavier containers towards the bottom of container stacks and to prevent a stack from being overweight. This keeps the center of gravity low and maintains stability...
“How about if a hacker manipulated the load plan to deliberately put a ship out of balance? Disguise the data, so that the loading cranes unintentionally put the heavy containers at the top and on one side? Whilst some balancing actions are automatic, the transfer pumps may not be able to cope with a rapidly advancing, unanticipated out of balance situation.
“It really wouldn’t take much. You jeopardize lives and potentially block a tight shipping lane in to port with a shipwreck.”
The company warns of using USB sticks to transfer data between terminal and ship. There is a chance that the computer with the load plan software is also used for email or web browsing, opening the potential for malware.
“Interoperability between the ship load plan and the hundreds of ports it may visit is essential – this leads to a race to the bottom in terms of securing and transmitting the load plan to the port. Simple = USB = vulnerable,” states the blog. “This is ripe for attack. The consequences are financial, environmental and possibly even fatal.”
The company encourages all operators, ports and terminals to carry out a thorough review of their messaging systems to ensure that tampering isn’t possible. “Already there is evidence of theft of valuable items from containers in port, potentially through insider access by criminals to load information. It doesn’t take much imagination to see some far more serious attacks.”