Drug dealers have tricked shipping cargo tracking systems to think drugs are “bananas” and unknown actors have jammed GPS signals in northern Norwegian waters. Fixing these problems requires understanding how seafarers themselves perceive cyber risks — so they can do a better job protecting themselves and their vessels.
It was the afternoon of June 27, 2017, when nearly every computer serving the Danish shipping giant Maersk went dark. A piece of malware called NotPetya, created by Russians to attack the Ukraine, had accidently snuck into the company’s system when a Maersk finance executive in Odessa asked his IT Department to install accounting software that — unbeknownst to them — opened the door to the cyber attack.
Vessels are now more integrated with the shore organisation, and more are connected to the internet — and that also creates vulnerabilities on the vessel.
While Maersk wasn’t the target — the bug had been created by Russian hackers to cripple Ukrainian businesses and government infrastructure — the shipping company, along with thousands of other companies across the globe, were collateral damage. Merck, the pharmaceutical manufacturer, lost $870 million while FedEx’s European subsidiary lost $400 million.
The thing that set Maersk apart, however, was that this was by far the biggest cyberattack on the maritime industry. As reported by Andy Greenberg in Wired magazine, Maersk, “responsible for 76 ports on all sides of the Earth, and nearly 800 seafaring vessels… representing close to a fifth of the entire world’s shipping capacity, was dead in the water.”
The attack ended up costing Maersk an estimated $300 million, but cybersecurity experts widely agree that’s likely an underestimate.
Yet there was one component in the Maersk system that managed to escape the attack: its ships.
While the malware shut ports, it didn’t affect the ships themselves. All of Maersk’s ships at sea were essentially isolated from the cyber attack.
“But it is a real risk,” says Marie Haugli Larsen, a PhD candidate studying maritime cybersecurity at the Department of Ocean Operations and Civil Engineering at NTNU in Ålesund. “Vessels are now more integrated with the shore organisation, and more are connected to the internet — and that also creates vulnerabilities on the vessel.”
The importance of human behaviour
Larsen’s research focuses on the human side of cybersecurity — that is, figuring out how to get seafarers to take the steps necessary to protect themselves and their ships from malware and other cyber attacks. While most people think of cybersecurity as mainly an IT issue, human behaviour frequently causes cyber incidents, Larsen said.
That means finding out how seafarers perceive the problem, she said.
“I’m trying to understand how seafarers — the operational crew —experience cyber risk in order to give them proper training,” she said. “I’ve been interviewing the people in charge on ships, deck officers and captains, about how they experience cyber risks towards their vessels today. Then I’m trying to see what influences this perception in order to develop targeted risk mitigation measures. The idea is that you meet people where they are, and give them the tools they need to protect themselves.”
Larsen has a secret weapon when it comes to meeting seafarers “where they are”. She herself is educated as a deck officer, and has worked for two years aboard different vessels before beginning her research.
“Part of my journey has been thinking about how little I’ve thought about cyber risks,” she said. “When I worked at sea, I never thought maybe I shouldn’t use this USB stick, or maybe I shouldn’t charge my phone in this equipment. Or maybe I need to be more careful what I’m connecting to the internet or what I’m using the bridge computer for, because I didn’t think about vulnerabilities or what kind of cyber risks that could be there. So I’ve used my own experience to think about how to talk to others in the same situation.”
Hackers controlling ships
Larsen says shipping companies have known for some time that they could be victims of a cyber attack, much like what happened to Maersk. “It’s no longer a question of if it is going to happen, but when it will happen,” Larsen said.
If hackers want to, they can target the vessels’ operational systems so they can steer the ships. We haven’t seen it happening yet. But the tools are there.
A recent research paper looked at 46 cyber attacks in the shipping industry from 2010 to 2020, and noted that there was a 7-fold increase in attacks over the reporting period — which makes addressing the problem all the more important.
It was here that researchers described incidents where shipping systems that were fooled into thinking that smuggled drugs were bananas, and where GPS systems were hacked or jammed, including on the northern Norwegian coast.
The increasing availability and use of the internet aboard ships themselves opens the possibility for new, increasingly unnerving situations, Larsen says.
“If hackers want to, they can target a vessel’s operational system so they can control it. We haven’t seen it happening yet. But the tools are there,” she said.
Imagine, Larsen says, that hackers get control of an oil tanker, the largest of which can hold more than 2 million barrels of oil, or nearly 320 million litres.
“If hackers take control of the ship and open the valves, then you have an environmental catastrophe,” she said. “Or what if the ballast tanks of a cruise ship are hacked, and the hackers cause it to list, so that it tilts? I’m not sure you can actually capsize it, but it can have enormous safety consequences for the people on board.”
There’s a whole branch of behavioural psychology that deals with perceived risk, which Larsen is relying on for her research.
No, this is something that’s happening elsewhere. It’s not happening on my ship.
“A part of decision making is how we perceive risk,” Larsen said. “If you don’t think there is any risk for your systems on the ship, if you don’t think it will be attacked by hackers, then you’re probably not being too careful with your systems. Or maybe you are a bit careless, because you’re not thinking about the risk. And if we can help people by giving them more information and enhanced awareness then we can also affect their risk perception.”
When people perceive various risks, they can often rely on something called cognitive biases. One well-documented bias is the optimistic bias, which has to do with people thinking that they themselves are not at risk, even if the activity they are involved in has risks. One classic example of this, is why people smoke, she says.
“If you ask someone why they smoke since they can get cancer, they tend to say, ‘that’s something happening to others, not to me’,” she said.
Mariners have the same cognitive biases as other people, and since cyber incidents may occur in regions far from where the mariners work, they can experience unrealistic optimism, Larsen said.
“All the people I have interviewed have said, ‘I believe the cyber risk to be low in the areas I’m working in, and it’s not likely that a cyber-attack will happen on my ship. That is something happening elsewhere, like the Gulf of Aden or around the Cape of Good Hope’,” she said.
People are also less likely to worry about something if they or people they know haven’t actually experienced the problem, she said. But of course, that doesn’t make the risk go away.
The Internet of Ships
The “Internet of Things” is a phrase used to describe how more and more of our appliances and other items contain sensors that are connected to the internet and can be controlled and interacted with digitally.
It’s common to find this technology in everything from your washing machine to the lock on your front door or in different components in your electric car.
The same trend is happening at sea, Larsen said, which increases a ship’s exposure to cyber risk. At the same time, however, instead of making a mariner’s work easier, digitalization can actually make their work harder, she said.
“Before, a ship was more autonomous or free from impacts from shore, but now, you have sensors that monitor the vessel’s performance in different settings, and you have a shipping company that needs to save money, for example, or has green values,” she said. “And all of these factors mean that ships need to be more efficient.”
While that’s a good thing, it can put crews in a difficult situation, she said. For example, if a captain feels like the ocean conditions aren’t safe, he or she may decide to stop, or go to port. But both customers and the shipping company can now monitor this behaviour and question the captain’s judgement.
“By use of these new parameters, companies are now suddenly making statistics for their vessels’ daily operations. And captains have to address this, they experience getting questioned about why they are using more fuel than other captains, for example,” she said. “They have much less self-governance. And that they don’t feel very good about that.”
Digitalization can be seen as red tape
This situation also can increase cyber risks, she said, because deck officers can be overwhelmed. More and more systems are being digitalized, which increases the reporting required of seafarers.
You think that digitalization means efficiency, but that’s not their experience.
“And this is connected with increased digital exposure, because seafarers can feel overwhelmed because they experience that there is more and more information that needs to be processed digitally, for example,” she said. “They have to report numbers in five different places now because there are so many systems and still they have to print it out and hang it up on the whiteboard.”
“You think that digitalization means efficiency, but that’s not always the seafarer’s experience. Their experience is that digitalization can create more administrative work, or bureaucratic red tape, as some of them called it. So they feel like technology and this increase in utilisation gives them less freedom and flexibility.”
Identifying these issues will allow Larsen and her colleagues to develop measures that can educate mariners and the companies they work for to protect themselves against cyber risks.
“We have to implement mitigation measures on different levels in the shipping companies,” Larsen said. “We need to target the individuals, the vessels and management to the maritime industry improve their cyber security.”
Larsen, Marie Haugli; Lund, Mass Soldal. (2021) Cyber Risk Perception in the Maritime Domain: A Systematic Literature Review. IEEE Access. vol. 9.
Larsen, Marie Haugli; Lund, Mass Soldal; Bjørneseth, Frøy Birte. (In review) A Model of Factors Influencing Deck Officers’ Cyber Risk Perception in Offshore Operations. Maritime Transportation Research.