How cyber criminals are hacking shipping and goods transport

Sometimes the aim of these attacks is to disrupt a country’s infrastructure. Indeed, in 2015 and 2016, Russian cybercriminals were found responsible for attacks on Ukrainian power grids, and they have since targeted Ukrainian telecommunications companies. But the threat of digital incursions extends to our transport of goods and services too. Finding the weak point in a transport chain can cripple the distribution of vital goods, such as food and medicine, across entire continents. And those weak points can come in the most unlikely of places, as risk management commentator Lisa Lewis explains.

Lisa - So the story I'm going to tell you about is a location, it was a terminal in Europe, it's actually an issue that involved hacking a terminal operating system. So remember we're talking about maritime terminals that are different to ports. Ports are where ships go for safety to hang out, as it were. Terminals are used for loading and offloading, whether it's people or freight. It can be bulk, it can be cargo in container boxes. So they're very high functioning, high performance kind of workplaces. Terminals are increasingly automated. They are more and more relying on AI and internet of things to track and move the goods. The systems that control those movements are as complex as you, I'm sure you can imagine. And that's called a terminal operating system, a TOS. And that typically will interface with multiple other systems and data sets within the terminal and externally in terms of customer invoicing and national border control systems.

Lisa - And that becomes really relevant for this example, the terminal team working around it noted there was a real uptick in increase in incidents and these were around cargo theft and illicit substance fines. These are a standard thing that happens in terminals because of the nature of what's happening there. So on investigation, they did some digging and they understood that the terminal operating system itself had been breached. And this enabled the hostiles to access the whole system in terms of physical access as well as the assets. So the cargo in terms of the boxes that were being moved on and off the ships, and also the workers. And in terms of the non-physical access in terms of remote, they were able to access manifest. These are the papers that go along with the cargo in terms of where it's coming from, where it's going to, who it belongs to, and who's paying for the movement.

Lisa - So the target of this incident, the hack, was around the smuggling of goods in terms of cocaine and the serious and organised crime gangs that were doing these crimes were infiltrating the terminal operating system to find their drugs in these large, if you imagine these very large kind of places and many, many millions of boxes on there. And to hide the evidence of their smuggling and the route that they got in terms of their back door to get into the system, it was very innocent in appearance. It was a light bulb, it was a smart light bulb, but still it was a light bulb. And the fatal error that allowed this incident to occur was not segmenting this device from the rest of the network.

Will - It's the definition of a chain that is only as strong as its weakest link, isn't it?

Lisa - Oh absolutely. I mean, it couldn't be more true. I think, you know, there is increasing evidence, not just in maritime, but domestically, in people's homes and all kinds of commercial settings. And I mean even in the public sector where something as innocent as a toaster could potentially be your backdoor into your system.

Will - That's a pretty extreme case. I hope it's fairly extreme and I hope it's not all widespread, but are there vulnerabilities in other parts of the goods and transport chain that people are concerned about?

Lisa - There are, absolutely. I mean, if we start with the Internet of things, it's a layered system. So what you have is different layers of data which are talking to each other, that's how IT works, right? You have your device, you know, your refrigerator or your light bulb or whatever it is, and then that has software and that needs to communicate with things and that tends to go through the cloud. And on the cloud there are applications. So, you know, there are multiple layers that need to interface in order for this to work. If you think of a container of goods, it's going to move by rail potentially, and by road and ship and through a port. And at each point it's going to maybe be touching on multiple technology devices and systems and data sets, which potentially where there's complexity, you do get vulnerability. So all of these are potentially vulnerable to attacks, including hacking where people are getting in and spoofing, which is when you pretend something is not as it is.

Lisa - So, if you picture those mission impossible kinds of movies where people see something on a CCTV and it's a recording and it's not what's actually going on, you can do that with PNT systems. So in maritime there's use of smart containers. So these big boxes I was talking at before, they can be applied with widgets that detect the position of the box, its motion, and any tampering in terms of has somebody tried to attack it from the outside or inside, you know, movement sensors or CO2 monitors if people are put inside them for whatever reason, these tags rely on all sorts of different ways to communicate their location, radio frequency, wifi, bluetooth signals from satellites. And as we all know in terms of GPS signals on our mobile phones, these don't work a hundred percent of the time. So they're vulnerable anyway. If you add into that hostile actor who's trying to get access to information, everything that's connected is vulnerable

Will - Because I've got you, I do have to ask about something that's been increasingly more pressing in the marine sphere, which is the presence of autonomous vehicles. Because if you are stripping all human elements of a vehicle away, does that not make it more prone to an incursion?

Lisa - It's an evolving area. Risk management is already mature and progressed by regulators and industry, you know, in the maritime world. So if we think about autonomous vessels, these are slowly being rolled out. Don't want anyone to think that they're already out there as it were, but not the large scale and not the high hazard kind of materials on board. So they are designed to remove people from the ships and use land-based surveillance instead, really? So if you imagine a ship's offshore, it's moving around, a port is coming into the port, instead of having the people on the bridge looking at the port, you would have an operator on the land with cameras and various other things feeding that data to the controller. Now, if a vessel or a landside system gets hacked or spoofed, if you had people on the vessel, they'd notice if something went awry, for example, if you are trained to believe the dials, you'll be standing there looking at the dials.

Lisa - And then if somebody goes into the system and changes the position to make you give you a false reading, for example, you would then follow that information. However, as a human being, you would use your eyes and you would look out of the window and say, hold on, the sun's not where it should be. And then you would attempt to take back control and correct the course and your location and things. If you are relying on electronic feed on the shore, then you, you don't, you lose that layer of protection as it were that other kind of check and balance to make sure that everything's okay. So, you know, potentially there, there have been instances globally where things have gone awry and there have been significant consequences for people and assets in terms of shifts grounded colliding or being stolen with cargo and just disappearing off the grid, right? So it is an issue, but it is, it is recognised by regulators and industry and it is being managed in an organic kind of way.