Imagine you are a Chinese planner tasked with limiting the US response to an impending campaign to seize Taiwan. Blocking the Panama Canal and capsizing roll-on-roll-off vessels in ports to block our sea-lift capabilities would certainly be a good start. Let's review the elements involved in such an operation.
First, an attacker would have to get access to port facilities and their EDIFACT systems. This has already been done numerous times "in the wild". A noteworthy example was the breach of the Port of Antwerp, discovered in 2012. Attackers used physical devices placed onsite, phishing emails, and other techniques to gain access to the port's C-Point Nxtport environment and manipulate EDIFACT messages.
While the attack on Antwerp was focused on smuggling contraband in cargo containers, the same access and capabilities could be used to sink vessels. Pen Test Partners, in the UK, explained how this was possible back in 2017.
Now we can move on to blocking those sea lanes like the DC Beltway at rush hour. We had a glimpse of how this could happen this week when the Ever Given, a container ship from Taiwan's Evergreen line, appeared to navigate in circles, then lodged itself sideways in the middle of the Suez Canal before shutting down its engines.
Attacking the engines on a ship, to shut them down the way it happened in the Suez this week, was something my team demonstrated with Auto-Maskin controllers in 2018. I would also like to note that even after we notified authorities and Auto-Maskin, little was done to address the security vulnerabilities, and no effort was made to rush out a patched firmware update. The family of engine control units continued to be used by major marine diesel OEMs, often rebranded, leaving end-users unaware of the danger in their supply chain and engine room.
Now, let's talk navigation. A lot of researchers have demonstrated attacks on various components of a ship's navigation systems that could easily have resulted in the "interesting" AIS tracks that preceded the wreck. One of them is my colleague Gary Kessler, who gave a talk about it at DEF CON last year. He described how an attacker could subvert systems like AIS and ECDIS, and even cause coastal navigation lanes and related buoys to appear to "move", leading to disaster. A number of maritime incidents over recent years could be examples of such attacks "in the wild", but I'll decline to make an assessment without more evidence.
So, as it relates to what happened in the Suez this week, what do I think about the chances the incident was the work of a sophisticated cyber threat actor? Well, I'm not saying it was aliens. But...