June 13, 2018 By Douglas Bonderud 2 min read

Physical movement of goods relies heavily on ships and airplanes. According to the International Chamber of Shipping, water-based transport accounts for approximately 90 percent of world trade, while a recent Boeing white paper noted that air cargo traffic will more than double in the next few years.

Given this rapid growth, recent research suggests that both the aerospace and shipping industries may be on a crash course with cybersecurity compromise thanks to their use of outdated (and often unprotected) technology.

Shipping Industry Faces New Threats

To stay on course and ensure that cargo arrives on time, most ships use Electronic Chart Display and Information Systems (ECDISs). Security firm Pen Test Partners recently demonstrated that vulnerabilities in these systems are extremely simple to execute. While they’re also easy to mitigate against, many shipping companies don’t recognize these inherent flaws.

Pen Test Partners tested multiple ECDIS systems and found that most were running old operating systems, such as Windows NT. If compromised, cybercriminals could send ships off course by changing the perceived location of GPS receivers. Since autopilot is often used for regular transport routes, crew members may not even realize the ship is being diverted.

The researchers demonstrated the ability to trick the ECDIS into thinking that ships are a kilometer wide and then transmit this data to other vessels, forcing unnecessary course corrections that could impact shipping lanes. It’s also worth noting that systems such as steering, engines and ballast pumps communicate using NMEA 0183 messages sent in plaintext without authentication, making them easy to compromise.

Finally, Pen Test Partners leveraged a database compiled by device search provider Shodan to create a vulnerable ship tracker. In the wild, this data could enable cybercriminals to target specific ships for maximum impact.

Fight or Flight?

In addition to shipping industry fleets, cargo flights are also under threat. As noted by Avionics, Robert Hickey, aviation program manager within the Cyber Security Division of the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, was able to accomplish a “remote, non-cooperative penetration” of a commercial 757 within two days — and without any physical insiders aboard the plane.

According to Newsweek, meanwhile, security researcher Ruben Santamarta noted that entire fleets of aircraft remain accessible via the internet. He also claimed that threat actors on the ground could potentially use satellite communications networks to compromise devices on aircraft in flight. Just like their shipping counterparts, breaches to these networks could send aircraft off course and cause major havoc around high-traffic international airports.

While ships and planes remain integral to worldwide shipping, cybersecurity uptake hasn’t kept pace with technology adoption. As a result, savvy cybercriminals could hijack both navigation and communication systems to steer ships off course or compromise aircraft operations.

More from

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today