Lloyd's List is part of Maritime Intelligence

This site is operated by a business or businesses owned by Maritime Insights & Intelligence Limited, registered in England and Wales with company number 13831625 and address c/o Hackwood Secretaries Limited, One Silk Street, London EC2Y 8HQ, United Kingdom. Lloyd’s List Intelligence is a trading name of Maritime Insights & Intelligence Limited. Lloyd’s is the registered trademark of the Society Incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.

This copy is for your personal, non-commercial use. For high-quality copies or electronic reprints for distribution to colleagues or customers, please call UK support at +44 (0)20 3377 3996 / APAC support at +65 6508 2430

Printed By


Ethical hacker says ships are wide open to cyber attack

Hackers can get in through a wireless keyboard, an unguarded printer, or even by reading a device’s user manual to exploit weaknesses

Ethical hacker Weston Hecker detailed the increasing risk to ships’ operational technology and how basic carelessness leaves many companies vulnerable

A COMPUTER security specialist has explained the ease with which criminals can take control of ships.

Weston Hecker, of security firm Mission Secure, said the operational technology (OT) which physically moves ships was often vulnerable despite advances in information technology security.

With attacks on shipping rising 900% in the three years to 2020, companies are being urged to separate, or ‘air gap’ their OT and IT systems to stop hackers gaining control of both, but there are often ways to bridge the two, the Marsec21+ webinar heard.

Mr Hecker explained how in two hours he was able to hack into a company’s phone network, then its IT network, and ultimately its ships through the guest wi-fi in a customer’s home office.

“It’s amazing how many times wireless instances come up,” he said. “I’m using printers, wireless access points… there’s been several instances where it’s just been an unpatched system or actual network misconfiguration.

“You wouldn’t believe how many times they don’t even know — customers don’t even know — that they have these wireless access points on printers.”

Wireless keyboards and mice could also be exploited. Mr Hecker was once able to send keystrokes through a mouse to a ship’s propulsion system.

“People don’t think about those kinds of things, but those are the kind of exploits and attacks that the average attacker will take into consideration,” he said.

Hackers could develop custom tools to win access to systems by using “proofs of concept” easily found on the internet. They could spend months working on such tools, but other times exploits could be found by reading a device’s user manual.

“People think that it’s a very intricate process, and it still is to an extent, but it’s something where a lot of the off-the-shelf tools are getting pretty good, where it lowers the bar for the attack surface,” said Mr Hecker.

One company which had managed to separate its IT and OT systems was breached when a worker set up a new connection to a printer closer to his desk, thinking he was being more efficient.

Mr Hecker said he looked for open ports, media access control (MAC) addresses and keys while on site, then scanned each device for weaknesses.

“When I say on site, I mean yes, I am in a meeting room downstairs on the ship, but I could have done the exact same stuff from about a quarter-mile away,” he said.

Fuel and cargo systems could be hacked to trick a ship into thinking it was off balance.

“If the ship thinks it’s off balance, its propulsion will not work. And if you’re in a certain kind of canal, or if you’re in a certain type of water, that can be intentionally used to either clog up the canal or to cause piracy and things like that.”

webinar this week heard how cyberattacks were one of the biggest security threats to the shipping industry but incident reporting is “virtually non-existent”.

Related Content





Ask The Analyst

Please Note: You can also Click below Link for Ask the Analyst
Ask The Analyst

Your question has been successfully sent to the email address below and we will get back as soon as possible. my@email.address.

All fields are required.

Please make sure all fields are completed.

Please make sure you have filled out all fields

Please make sure you have filled out all fields

Please enter a valid e-mail address

Please enter a valid Phone Number

Ask your question to our analysts