The Risk of Shipping Interconnectivity
By Lieutenant Commander Dan Bell, U.S. Coast Guard
The captain stared in horror at the rudder angle indicator as the container ship Henry Hudson swung to hard left rudder. The engines shifted to all stop, with the ship gliding through the water, then the power went out. Transiting north past Pier 14 of Naval Station Norfolk at 10 knots, the ship lurched rapidly to port and directly at a southbound cargo ship. The collision drove the southbound ship sideways, causing it to run aground on the western bank of the Norfolk Harbor Channel. As the emergency generator kicked in and the captain began giving orders, the rudders swung rapidly hard right and the engines engaged at all back full. The crew frantically tried to stop the engines, to no avail. The Henry Hudson grounded on the eastern bank of the channel just north of Pier 14. The two ships effectively blocked the channel, pinning in the majority of the Navy’s Second Fleet.
Over the next few days, a massive cyberattack shut down ports and ships up and down the East Coast and compromised networks across federal, state, local, and private-sector partners. Shipping companies rerouted their fleets to West Coast ports, creating significant delays and logistical congestion.
Media outlets declared it the start of a cyber war. Pundits opined about who might have launched the attack, but with little evidence to support their claims. The stock market dipped. Federal cyber response teams and investigators scrambled to get port operations back online while working to prevent additional incidents.
The Coast Guard and FBI boarded the Henry Hudson, and cyber forensics teams seized the vessel’s data. During initial analysis, investigators identified a compromise in the onboard ship management system—designed to automate various shipboard activities and reduce administrative burdens—that gave the attackers a back door into the ship’s network. The system generated an infected advance notice of arrival (ANOA) document for the vessel that was forwarded to several port partners, including the U.S. Coast Guard; by exploiting a zero-day vulnerability, the document gave the attackers access to the networks of everyone who opened it. When the shipping company rerouted its fleet, the ship management system sent new compromised ANOAs to those port entities, giving the attackers access to additional ship and port networks.
Forensic analysis traced the compromised ANOAs to modified files with a .nvhtr extension. Dubbed the “Navihater virus,” the malware targeted port compliance software. Although definitive attribution proved elusive, investigators and the intelligence community suspected a hacking collective with ties to the Chinese government.
The Coast Guard, Navy, and Army Corps of Engineers worked around the clock to clear the Norfolk Harbor Channel, and after two weeks the first aircraft carrier was able to leave the Tidewater area. After several weeks and millions of dollars in lost revenue, the affected commercial ports reopened with stringent operating guidelines. While agencies and businesses patched their networks, some port operations regressed to analog processes, creating significant backlogs. The resulting supply chain disruptions drove up consumer prices, creating inflation and pushing the nation toward recession. The developer of the targeted ship management system, which had been deployed across dozens of major shipping companies and hundreds of vessels, filed for bankruptcy, and a Chinese company acquired it along with its customer data and ship information. The President declined to take military action given the lack of definitive attribution, instead sanctioning known individuals of the hacking collective and affiliated Chinese officials. Economists estimated it would take more than a year for the United States to recover.
Ship management software and systems are a burgeoning market in the maritime industry, with products to make fleet and ship management easier and less personnel intensive, from onboard system monitoring to document and regulatory compliance. Most of these products advertise some form of cloud accessibility, and a number also offer automated services. Many products offer a variety of data analysis for ship and fleet owners to glean insights and maximize efficiency through the collection of significant amounts of data.1
Shoreside, port community systems offer port operators similar opportunities to gain efficiencies through data analytics, increased automation, and facilitated logistics. By connecting the various port partners, sometimes numbering in the dozens, the systems aim to provide users a one-stop shop for completing a number of port processes.2 To achieve this, they collect massive amounts of data and make it accessible to users.
Beyond their promised benefits, ship management and port community systems have another attribute in common: They increase the attack surface for malicious cyber actors.
Attacking the Shipping Ecosystem
With advances in communications and technology, ships increasingly remain connected to the internet, with more and more equipment connected to shipboard management systems. Two recent attacks highlight how a threat actor could exploit these systems to compromise the ships, their companies, the port facilities they visit, and the governments that regulate such facilities.
On 25 December 2022, the administration of the Port of Lisbon, Portugal’s third largest port, suffered a ransomware attack. The LockBit group claimed responsibility and said it had exfiltrated “financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII, port documentation, email correspondence, and more.” The group demanded $1.5 million to have the files returned; otherwise, it would release them publicly. It also offered to sell the compromised information to interested buyers for the same amount. It is unclear whether the port facility paid the ransom.3
On 7 January 2023, the Norwegian maritime classification company DNV suffered a cyberattack on its ShipManager software system, potentially compromising the system on more than 1,000 vessels owned by 70 operators.4 DNV’s ShipManager system includes various data and automation modules, such as crew scheduling and payment, automating procurement, and managing port compliance issues. DNV also offers a related product called Navigator Port, which automates the creation and submission of required entry documents such as crew manifests for ports and appears to operate on the same servers as the ShipManager system.5 No group claimed responsibility for the attack, and the compromised data has not yet been observed on the dark web.6
While the Port of Lisbon and DNV incidents appear to be separate attacks using different techniques, the information potentially compromised—port documentation, for example—is similar. This information could be used to develop malware that creates malicious port documentation files and submits them through a ship management system.
In such an instance, the target may not necessarily be the ship, but rather some or all of the port facilities the ship plans to enter. Ports generally have few alternatives for obtaining the required data without affecting maritime commerce, especially where notice-of-arrival requirements apply. The attackers also might target the government agencies that regulate port facilities. In the United States, port documentation frequently is emailed to the Coast Guard as part of the port state control (PSC) process. Malicious files could target the specific Coast Guard sector’s networks and potentially spread across the service’s entire network.
Making a Blockship
Of course, the ship might be the target, with the intent of weaponizing it to attack or impede critical infrastructure or waterways. The intentional sinking of vessels to block waterways is not a new concept in naval warfare. History offers multiple examples, with the most recent being Russia’s sinking of two antiquated vessels to trap the Ukrainian fleet in Crimea during its 2014 annexation of the peninsula.7 A 2021 Proceedings article outlined a potential scenario in which the U.S. Navy could use obsolete vessels rigged with myriad tools and explosives to create a blockship that could be used against adversaries.8
Most adversaries, however, would be able to create blockships at far less cost and effort by hacking the control systems of commercial ships. With the proliferation of ship management systems and automation to reduce the need for crews, attackers need only find a way to gain control of a ship’s critical systems to weaponize it. And while blockships generally are discussed in a military context, the M/V Dali allision with the Key Bridge shows that U.S. port infrastructure is also vulnerable to such tactics, even though that allision resulted from a loss of shipboard power rather than an attack. The economic loss for the Port of Baltimore for the 11 weeks the main shipping channel was fully or partially closed is estimated at around $1.2 billion.9
Attackers do not need to target large commercial ships to have an immediate effect. Blocking U.S. rivers and waterways could significantly disrupt trade, especially as climate change decreases water levels on the Mississippi River and its tributaries, limiting navigable waterways and creating major choke points.10 In addition, smaller maritime transportation companies and vessels may not have the means to invest in robust cybersecurity.
Ports: A Data-Rich Environment
At first glance, ports may not seem any more susceptible to cyberattack than many other critical infrastructure facilities around the nation. However, the port environment is a data-rich ecosystem with dozens of smaller networks within or connecting to the main port network. As the U.S. Maritime Trade and Port Cybersecurity Subcommittee of the Department of Homeland Security’s Public-Private Analytic Exchange Program noted in its 2023 report:
Given the necessity of interactions between dozens to hundreds of entities, port facilities potentially have hundreds to thousands of network access points and application programming interfaces (APIs) that could allow hostile actors to gain a foothold and maintain persistent access to the network. To increase efficiency and productivity, ports connect, communicate, and share data with a variety of third-party stakeholders, including intermodal landside connection operators (i.e., freight rail, pipelines, and trucking) and other critical infrastructure sector facilities operating at the port (i.e., assets under the Energy or Chemical Sectors).11
An attack on these facilities could have an outsized effect.
Malicious nation-states also might attack port community systems as a means of economic and corporate espionage. China, for example, has its own port community system, LOGINK, a “one stop shop for logistics data management, shipment tracking, and information exchange needs between enterprises as well as from business to government.” To promote adoption of the system globally, China provides the software for free to port facilities, but the security of the software is unknown, with the Chinese government potentially able to access data through the platform. The U.S.-China Economic and Security Review Commission noted, “LOGINK’s visibility into global shipping and supply chains could also enable the Chinese government to identify U.S. supply chain vulnerabilities and to track shipments of U.S. military cargo on commercial freight.”12
Automation and Antiquated Processes
Ship crews and husbanding agents frequently send critical ship documents by email or upload them through portals.13 Within the Coast Guard, documents are emailed to the applicable PSC team at the Coast Guard sector in which the ship plans to arrive. The team then uploads those files to the applicable Coast Guard systems and databases for retention and access across the network. Relying on the service’s security tooling to catch every malicious attachment by signature is risky, but the PSC team needs the documents before the ship’s arrival to ensure quick and efficient processing. The team could wait until a ship arrives to inspect the documents in hard copy, but physically visiting and inspecting each ship—especially at ports such as New York/New Jersey and Los Angeles/Long Beach, which handle thousands of ships per year—is not practical.
Port facilities and regulatory agencies continue to operate using emailed documents, and ship management systems increasingly automate those processes, reducing crew input to a couple of mouse clicks. Automation makes processes simpler for the crews, but it also means they will be less likely to know how ship management software and systems work, preventing them from identifying glitches that could indicate a compromised system. In addition, the drive toward semiautonomous and fully autonomous vessels will shrink crew sizes, removing more potential observers from the process. Advances in generative artificial intelligence also will challenge cybersecurity efforts, as malware becomes more sophisticated and complex autonomous systems create larger attack surfaces.14
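The weak point described above and in the earlier discussion of malicious port documentation is that a PSC team must accept documents from a party it cannot vet, before the ship arrives, and cannot rely on signature matching alone. One complement to antivirus is a structural intake check that treats each attachment as untrusted data: enforce an extension allow-list and size cap, confirm the content matches the declared type, and reject documents that carry active content (macros, external relationships, OLE objects, PDF JavaScript or launch actions). The following is an added illustration written for this page, not Coast Guard or DNV code; the allow-list, size cap, function names, and the sample attachments (built in memory with zipfile) are all constructed for the demonstration.

```python
"""Structural intake checks for emailed port documents (added example).

Assumptions (hypothetical, constructed for this page): attachments arrive as
(filename, bytes) pairs; the allow-list, size cap and SAMPLES below are not
taken from any real system.
"""
import io
import re
import zipfile

ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx"}   # assumed policy
MAX_BYTES = 10 * 1024 * 1024                      # assumed size cap

# Leading bytes each declared type must start with.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

# PDF name objects that indicate active content worth quarantining.
PDF_MARKERS = (
    (b"/JavaScript", "JavaScript"), (b"/JS", "JavaScript"),
    (b"/Launch", "Launch action"), (b"/OpenAction", "OpenAction"),
    (b"/EmbeddedFile", "embedded file"),
)


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def _ooxml_findings(data: bytes) -> list[str]:
    """Inspect an OOXML (zip) container for macros, remote links, OLE."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    names = zf.namelist()
    findings = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("embedded VBA macro project")
    for n in names:
        if n.endswith(".rels"):
            rels = zf.read(n).decode("utf-8", "replace")
            if re.search(r'TargetMode="External"', rels):
                findings.append(f"external relationship in {n}")
    if any("oleObject" in n for n in names):
        findings.append("embedded OLE object")
    return findings


def _pdf_findings(data: bytes) -> list[str]:
    """Flag PDF name objects associated with scripts and launch actions."""
    return sorted({f"PDF contains {label}" for m, label in PDF_MARKERS if m in data})


def check_document(filename: str, data: bytes) -> dict:
    """Return {'accept': bool, 'reasons': [...]} for one attachment."""
    reasons = []
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext or '(none)'} not allowed")
    if len(data) > MAX_BYTES:
        reasons.append("exceeds size limit")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match {ext} signature")
    if not reasons:  # only inspect content that passed the cheap gates
        if ext in (".docx", ".xlsx"):
            reasons.extend(_ooxml_findings(data))
        elif ext == ".pdf":
            reasons.extend(_pdf_findings(data))
    return {"accept": not reasons, "reasons": reasons}


def _make_docx(extra_files: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, body in extra_files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; none are real ANOA files.
SAMPLES = {
    "anoa_clean.docx": _make_docx({}),
    "anoa_macro.docx": _make_docx({"word/vbaProject.bin": b"\x00"}),
    "anoa_remote.docx": _make_docx({"word/_rels/document.xml.rels":
        b'<Relationship TargetMode="External" Target="http://example.invalid/t"/>'}),
    "crewlist.pdf": (b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
                     b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"),
    "manifest.nvhtr": b"%PDF-1.4\n",          # disallowed extension
    "renamed.pdf": b"PK\x03\x04\x00\x00",     # zip content posing as a PDF
}


def triage(samples=SAMPLES) -> dict[str, dict]:
    """Run check_document over every sample and return the verdicts."""
    return {name: check_document(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        status = "ACCEPT" if result["accept"] else "QUARANTINE"
        print(f"{status:10} {name}: {'; '.join(result['reasons']) or 'ok'}")
```

These checks are deliberately content-agnostic: they do not try to recognize a particular malware family, which is the brittleness the paragraph above warns about, but reject the document shapes an attacker needs (macros, remote templates, scripted PDFs, mismatched types) before a human or a downstream system opens the file. In practice they sit in front of, not in place of, the sector's existing mail filtering and sandboxing.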
Supply Chains, Global Shipping, and War
Cyberattacks on ships thus far have been rare, and attacks on port facilities generally have focused on financial gain by extorting payment for stolen or encrypted data. However, in a future conflict, infiltrating and exploiting strategic seaports and other points along global supply chains could be a way for adversaries to disrupt the United States’ ability to deploy or resupply military forces. Adversaries also may target the ships themselves to disrupt their operations, or convert fully autonomous ships into weapons by using them to ram other ships or port and civilian infrastructure such as oil terminals and bridges.
The Navihater malware is fictional, but the threat malware presents to global shipping and port operations is not. Such attacks may not ignite the next conflict between the United States and its competitors, but strategists and war planners should consider such tactics likely during the early days of a conflict. Federal regulators should work with port operators at each of the 18 National Port Readiness Network commercial strategic seaports to develop cybersecurity standards for the implementation of port community systems, to mitigate potential threats to critical national security capabilities. Otherwise, adversaries may achieve what Sun Tzu advised: subduing the enemy without fighting.
Source: USNI