Blog: Maritime Cyber Security

Sinking container ships by hacking load plan software

Ken Munro 16 Nov 2017

In my previous article, we looked at the easiest route on to a ships network – the satcoms system. Even having compromised that, it could be a challenge to affect the ship’s navigation, propulsion and control systems – most of these networks are at least somewhat segregated from one another.

That got me thinking about a far more insidious form of attack against a container ship: the load planning system.

Load planning

Speed and efficiency is everything with containerised shipping. The Container Load Plan (also known as a bay or stowage plan, or Ship Planning System) is a key part of that.

I’ll explain the detail of the messaging format in a separate blog about BAPLIE EDIFACT syntax. There’s a lot one can do to cause chaos with this!

Load plan software tells the port where to put each container for optimal efficiency:

Load plan chaos

A Suezmax container ship can hold over 10,000 TEUs or “Twenty Foot Equivalent Units”. Most containers carried are double this length – FEUs or “Forty Foot Equivalent Units” – but that still means in the region of 5,000 containers.

Only around one third of that cargo is on-deck though – most is hidden in the holds, under massive hatch covers. To get a container out from the bottom of the hold could involve removing 50 containers from that hatch cover, removing the hatch cover, then taking a further 8 containers to access the bottom of a stack.

Screw up the load plan and you create chaos. What if the load plan, which is just a CSV list or similar, is hacked and modified? No-one knows what container is where. instead of taking 24-48 hours to load and unload, it could take weeks to manually re-inventory the ship. Time is money for a ship. Lots of money. Blocking a port for a period whilst the mess is resolved incurs enormous costs and could even jeopardise supplies to an entire country.

Even more sinister is the threat to the ship itself

Load planning software is used to place heavier containers towards the bottom of container stacks, and to prevent a stack from being overweight. This keeps the centre of gravity (CoG) low and maintains stability. Further, the balance or ‘trim’ of the ship is very important, so heavy containers are distributed evenly.

‘Metacentric height’ is a calculation of the distance between the CoG and the metacentre. Think of it a little like a pendulum – a bigger distance gives a slower but bigger roll, more comfortable for passengers but more prone to overturning. A short distance gives shorter faster roll, which is less prone to upsets. A too fast roll puts undue stress on container, but rolling too far does as well. The metacentric height needs to be carefully controlled through loading.

There are cost savings from better load planning too: for a container ship to be as efficient as possible, it must not sit too high or low in the water, and must be in trim. This can be controlled by taking on ballast water, which again takes time and reduces the weight of cargo carried.

Being out of balance is a significant issue: huge pumps move the ballast water from one side of the ship to another to ensure it doesn’t tip over. Get it wrong and this happens:

How about if a hacker manipulated the load plan to deliberately put a ship out of balance? Disguise the data, so that the loading cranes unintentionally put the heavy containers at the top and on one side? Whilst some balancing actions are automatic, the transfer pumps may not be able to cope with a rapidly advancing, unanticipated out of balance situation.

It really wouldn’t take much. You jeopardise lives and potentially block a tight shipping lane in to port with a shipwreck.

Then I discovered how load plans are sent from the ship to the port:

Floppy and USB. Yes, seriously!

Chatting to colleagues who used to work on board container ships, until fairly recently floppy discs were still in use. One recounted a story where the loading planning desktop PC on board had failed and been replaced. Panic set in as they arrived in port and found the new laptop had no floppy drive…

No floppy: no way to transfer the load plans between the ship and port, who only had floppy drives. No unloading, until everything was transferred by email.

USB is more common now, but this is still a potential disaster for security. What chance the machine that the load plan software was running on is also used for email, for browsing etc? Now you have a remote vector to attack the laptop and manipulate the load plan, let alone inject some malware.

The port, shoreside, ship etc. all have to work to get together to generate the plan, though it is important to note that the final say with loading is always with the ship!

EDI messaging can be communicated between some ports directly, so the load plan is less exposed, however there is still a significant lack of security in the validation of message integrity. It just takes a phish…

Stinky Reefers

Refrigerated containers (reefers) need to be loaded in to particular bays in the ship that have electrical connections. Put these in the wrong place: the stevedores and crew will be trying to provide power, then discover that the bays they’re in don’t have cabling. Either the food rots or the container has to be removed and reloaded elsewhere. Not a major problem, so long as it isn’t already under 8 containers…

Environmental issues

Ballast water may need to be offloaded on the journey from port to port as the balance of the ship changes. Load planning software helps calculate this, ensuring optimum ballasting.

However, the ship can’t just dump any water anywhere – the sensitive ecosystems for different oceans can be easily affected by for example dumping Arabian Gulf ballast water in Australian waters. Use the load plan software to create an out of balance/overweight situation and you may force an emergency offloading of ballast water and significant environmental problems and associated fines.

Fuel price issues

Efficiency isn’t just a factor of time for a ship: A large container ship may take on thousands of tonnes of heavy fuel oil at a time. Even a tiny price difference in a litre of heavy fuel oil between ports can make for enormous cost savings. A price difference of $30 per tonne over 10,000 tonnes of fuel oil quickly adds up. Container ships will have an optimal total load – too much or too little and it won’t make best speed and efficiency. Screw up the load plan, force the ship to add unnecessary ballast and you can’t get as much fuel on board. Bang go your fuel cost savings.

Some load planning software

I’m not going to publish zero day vulns in load planning software here. There are enough issues with the lack of security controls on board container ships to make 0-days unnecessary anyway – one could just compromise the laptop that runs the load plan software instead! However, here’s a list of some load plan software I found during research for this piece:

Conclusion

Ship security has a long way to go to catch up with the level of security we expect in corporate networks. They are remote, difficult to update and often offline for long periods. IT hardware is often old and not well maintained.

Interoperability between the ship load plan and the hundreds of ports it may visit is essential – this leads to a race to the bottom in terms of securing and transmitting the load plan to the port. Simple = USB = vulnerable

This is ripe for attack. The consequences are financial, environmental and possibly even fatal.

Money talks too: there is a very clear financial return for investing in security in this area. One manipulated load plan could lead to a very big bill for the shipping line.