Firm Warns of Hackable Containership Loading Plans
Ken Munro, a Partner at UK-based security testing firm Pen Test Partners has published a blog on the potential cybersecurity vulnerability of containership loading plans.
Container load plans, also known as a bay plans, stowage plans, or ship planning systems, are key to efficiency of loading and unloading in ports.
Load plan software tells the port where to put each container for optimal efficiency.
If a hacker were to modify the load plan, which may be just a CSV list, then no one would know what container is where and it could take weeks to manually re-inventory the ship, Munro advises.
The hacked ship would also block a port for the period, incurring enormous costs and harming the local economy.
Further, hacking data to dislocate the centre of gravity for a ship creates the potential for a shipwreck.
Munro said: “How about if a hacker manipulated the load plan to deliberately put a ship out of balance? Disguise the data, so that the loading cranes unintentionally put the heavy containers at the top and on one side?
“Whilst some balancing actions are automatic, the transfer pumps may not be able to cope with a rapidly advancing, unanticipated out of balance situation.
“Then I discovered how load plans are sent from the ship to the port: Floppy and USB. Yes, seriously!
“Chatting to colleagues who used to work on board container ships, until fairly recently floppy discs were still in use. One recounted a story where the loading planning desktop PC on board had failed and been replaced. Panic set in as they arrived in port and found the new laptop had no floppy drive…
“No floppy: no way to transfer the load plans between the ship and port, who only had floppy drives. No unloading, until everything was transferred by email.
“USB is more common now, but this is still a potential disaster for security. What chance the machine that the load plan software was running on is also used for email, for browsing etc? Now you have a remote vector to attack the laptop and manipulate the load plan, let alone inject some malware.
“The port, shoreside, ship etc. all have to work to get together to generate the plan, though it is important to note that the final say with loading is always with the ship."