The loading and cargo routing plans of container ships are easy to compromise, according to British cybersecurity specialist Pen Test Partners, Tech Wire Asia reported.
According to the report, this is possible because of a complete lack of security in BAPLIE EDIFACT, a messaging system used to exchange information between shipping lines, port authorities, and ships.
The system is also used to create the plans for loading each ship.
By extension, Pen Test Partners stated, it is through these messages that people know which location will hold a particular container.
The messaging system was originally developed by the Shipping Message Development Group (SMDG).
According to the specialist, even simple manipulation of the messages exchanged in the BAPLIE EDIFACT could result in loss of life, wholesale fraud, or massive costs to shipping organizations, port authorities, and ultimately, leave countries without essential goods.
It explained that, until recently, loading plans were exchanged between ports and ships on floppy disk, and in many cases they are still exchanged by a USB stick changing hands.
The BAPLIE EDIFACT is contained in a simple CSV file which shows how each ship should be loaded/unloaded.
According to the firm, merely changing the simple codes in the document could enable malicious activities ranging from the annoying and slightly time-wasting to loss of life.
Furthermore, it stated that by changing the VGM (verified gross mass) record for any container, the port could load a ship incorrectly with heavier containers positioned high above the ship’s center of gravity, or off to one side, causing massive instability and a dangerous list.
Pen Test Partners added that the codes in the CSV document also describe the special nature of loads or their particular requirements.
It stated that loads that require refrigeration could be marked for loading away from power sources, meaning their contents would deteriorate, and the ensuing smell/effluent will taint other containers’ contents.
Alternatively, notifications of a container’s explosive contents or low flashpoint temperature could be removed or altered, meaning that lives and cargo are put at risk.
In light of this, the cybersecurity specialist stated that correcting the load can take hours, if not days.
It added that, in order to keep costs as low as possible, every ship is loaded with very exact amounts of fuel and ballast according to its load and the distance to be traveled.
Should the load details be changed, these calculations can easily be thrown out, leaving the ship adrift at sea or, at best, overladen with unnecessary, expensive fuel that adds to the load burden.
“I strongly encourage all operators, ports, and terminals to carry out a thorough review of their EDI systems to ensure that message tampering isn’t possible […] Already there is evidence of theft of valuable items from containers in port, potentially through insider access by criminals to load information. It doesn’t take much imagination to see some far more serious attacks,” said Pen Test Partners’s Ken Munro, adding that the integrity of the BAPLIE messaging system is critical for shipping.
Munro suggests that criminals are less interested in destabilizing or delaying ships than in stealing goods by rerouting containers, using “COPRAR/COPARN/CODECO/COARRI” messages instead of BAPLIE.
He explains that these cover shipping-to-terminal messaging and have been compromised by operators at ports physically changing codes at the dockside for quick gains, allegedly rerouting or concealing containers for “drugs traffic or for simple theft of whole containers”.
Because ship-board systems are often offline for months at a time, they rarely get much attention or updating. Their precarious state is, however, at odds with the six- and seven-figure sums put in jeopardy by even the slightest modification of data that has scant, if any, protection.
Port authorities and shipping lines, it transpires, need to attend to their security as soon as possible.
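The kind of tamper check Munro's call for an EDI review points toward, as an added example that is not from Pen Test Partners or the original report: the sender seals the plan with an HMAC, and the receiver verifies it and lists what changed against a trusted copy. The CSV layout, container numbers, key and function names are constructed for illustration and are not real BAPLIE syntax; a shared key distributed out of band is assumed.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample data: a simplified load-plan CSV, not real BAPLIE syntax.
SENT_PLAN = (
    "container_id,stow_cell,vgm_kg,reefer,dg_class\n"
    "TEST0000001,010082,8200,N,\n"
    "TEST0000002,010284,27500,N,3\n"
    "TEST0000003,030006,21000,Y,\n"
)
# Same plan after tampering in transit: VGM lowered, hazard class blanked.
RECEIVED_PLAN = SENT_PLAN.replace("27500,N,3", "7500,N,")
KEY = b"constructed-demo-key"  # assumption: key shared out of band


def seal_plan(plan: str, key: bytes) -> str:
    """Sender side: HMAC-SHA256 tag over the exact bytes of the plan."""
    return hmac.new(key, plan.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_plan(plan: str, tag: str, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal_plan(plan, key), tag)


def changed_fields(trusted: str, received: str) -> list:
    """Return (container_id, field, old, new) for every differing value."""
    def rows(text):
        reader = csv.DictReader(io.StringIO(text), restkey="_extra")
        return {r["container_id"]: r for r in reader}
    old, new = rows(trusted), rows(received)
    diffs = []
    for cid in sorted(old.keys() | new.keys()):
        a, b = old.get(cid, {}), new.get(cid, {})  # {} if container absent
        for field in sorted(a.keys() | b.keys()):
            if a.get(field) != b.get(field):
                diffs.append((cid, field, a.get(field), b.get(field)))
    return diffs


if __name__ == "__main__":
    tag = seal_plan(SENT_PLAN, KEY)
    print("untampered verifies:", verify_plan(SENT_PLAN, tag, KEY))
    print("tampered verifies:  ", verify_plan(RECEIVED_PLAN, tag, KEY))
    for diff in changed_fields(SENT_PLAN, RECEIVED_PLAN):
        print("changed:", diff)
```

The HMAC only proves the file is what the key holder sealed; the field-level diff is what tells the planner which container's mass or hazard marking to re-check before loading.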