Addressing the Cyber-Security of Maritime Shipping
Mohammed J. Alghazzawi, Universitat Autónoma De Barcelona, Elisa Heymann, Universitat Autónoma De Barcelona, Barton P. Miller, University of Wisconsin-Madison
We show how maritime shipping relies on the ICT, and how that makes our freight systems at high risk from serious vulnerabilities.
We identify the main problems, and then propose a new approach for improving the security of our freight systems.
The maritime sector is crucial to the world economy, and the computer technology that manages it is critical to its successful operation. Five years ago, 52% of the goods traffic inside of Europe was carried by maritime shipping, and today that number is 60%. Maritime shipping uses millions of containers and employs millions of people to move billions of tons of freight annually. The European economy is therefore critically dependent upon the maritime movement of cargo and containers. As a consequence, it is dependent upon the software systems that control their operations.
Maritime freight transportation increasingly relies on Information and Communication Technology (ICT) to manage and optimize its operations and services. ICT makes the essential operations not only manageable but also cost effective; this technology is involved in many areas, from traffic control communications to container freight tracking to the actual movement of containers. As a consequence, there is an increased dependency on electronic communication and processes with little human interaction. The flip side of these operational benefits is that freight ICT systems can be extremely vulnerable to cyber attack.
Freight ICT systems are large and complex. This software system has many components used by different principals involved in the supply chain. Some of these components are used by the general public, for example the Port Community System (PCS) to book and track shipments. Other components are intended to be used by port operators, for example the Terminal Operating System (TOS) to control containers movement and storage in the maritime port. There is also a back-office management and integration system, which allows companies to manage, link and share internal processes with suppliers and customers. Attackers can take advantage of the complexity of this diverse collection of software. For example, in 2013 drug traffickers recruited hackers to breach the ICT systems that controlled the movement and location of containers in the Belgian port of Antwerp, in an attempt to reroute a container carrying drugs.
The software that manages and controls freight transportation systems must be hardened against cyber-attacks. Disruption or unavailability of these ICT systems could have disastrous consequences in cost and availability of goods. Attacks against vulnerabilities in the software can lead to a wide range of consequences. These consequences include service disruption, cargo being shipped to an unintended destination, threat to human lives (for example, remotely controlling the twistlocks of a container spreader to release it over a person), and unauthorized operation of a crane. Therefore, there is a critical need to ensure the robustness of the ICT, and to secure it against cyber attacks. Improving the security and protection of maritime freight information system from crime and terrorism should be a priority for the European community and broader world.
Up to now, the assessment of the security of maritime freight systems (in both the EU and U.S.) has had two significant limitations. First, existing studies have been directed at taking the important first step of identifying risk, but have not taken the critical and expensive next step of actually identifying the vulnerabilities present in these systems. Second, these studies have focused on overall port operations. While such an overview is important, and has resulted on overall recommendations for changes in policy, they have not provided a detailed evaluation of security issues in the ICT systems that control these ports.
Therefore the current approaches are not sufficient to address the challenges ahead to prevent cyber-attackers from accessing and controlling the software systems that would grant the attackers control to the freight transportation chain.
As a result of this situation, we need a focused, low level, in-depth vulnerability assessment of the software that manages freight systems. This would include a deep analysis of the software including a low level code review that goes beyond using automated assessment tools. The ultimate goal is to find critical vulnerabilities so that the software providers could remediate them before the attackers are able to exploit them.
In this paper we survey the state of the art in cyber-security for freight ports, identify the main problems and current initiatives, and then propose a new research direction and approach for improving the security of our freight systems.
Association for European Transport