Ethical hackers Pen Test Partners have highlighted a vulnerability in the load planning processes used by container ships.
“Intercepting and modifying the messaging used in bay planning can be relatively straightforward if you know what you’re doing,” said Senior Partner, Ken Munro. “When asked to investigate this, we noticed a lack of security in the validation of the message’s integrity and a simple phishing attack is all it takes to gain access,” he continued.
By modifying the messages, and therefore the loading plan itself, a hacker could cause a vessel to list by swapping the order in which the containers are loaded. Hackers could also cause environmental damage and incur heavy fines for shipping lines by forcing emergency discharge of ballast water as a result of unexpected out-of-trim situations caused by bay plan manipulation. Refrigerated containers could be switched off, spoiling thousands of pounds’ worth of perishable food, and so the list goes on.
Not only that, but Pen Test Partners have discovered that USB sticks are commonly used to transfer the load plans from ship to port. This poses a major security risk, as a USB stick infected with malware could cause serious issues for port authorities.
“Ship security has a long way to go to catch up with the level of security we expect in corporate networks. They are remote, difficult to update, and their IT hardware is often old and not well maintained,” added Munro. “Ship owners and managers need to have a cyber security plan in place and should review their current IT systems to make sure that any potential weak points open to attack are closed as soon as possible.”