Background
This blog is speculative: there is little public information about what caused the Ever Given to run aground in the Suez Canal. I had several maritime experts review the blog. I find it curious that a ship of this vintage could have had the technical problems (which could have been caused by a cyberattack) at just the time the ship could entirely block the Suez Canal. Instead of “blame the Pilot or the wind” which was the immediate speculation, why was there not a serious commitment by the ship’s operator and others to perform a deep cyber investigation of this container vessel to determine if cyber played a role in causing systems to fail and the ship to lose steerage? The blog provides a rationale for why a possible cyberattack could have caused the Ever Given to lose power and go off-course fully blocking the Suez Canal.
As I am not a threat analyst, I will not provide a litany of the various countries or organizations that could have reaped economic and/or political benefits by having this event occur. Suffice it to say, many of those countries have the cyber capabilities for committing this kind of cyberattack. On the Ever Given’s last voyage culminating in attempting to cross the Suez Canal, the Ever Given was in Yantian, China for more than a day.
Background of the Ever Given
The Ever Given is a Golden-class container ship, one of the largest in the world. The ship is owned by Shoei Kisen Kaisha (a shipowning and leasing subsidiary of the large Japanese shipbuilding company Imabari Shipbuilding) and is operated by container transportation and shipping company Evergreen Marine, headquartered in Luzhu District, Taoyuan City, Taiwan. The ship was built at Imbari Shipbuilding in Japan and launched in 2018. It is currently sailing under the flag of Panama (https://www.vesselfinder.com/vessels/EVER-GIVEN-IMO-9811000-MMSI-353136000).
I could not find specific details on what type of equipment or cyber capabilities were included. Because of the modern vintage of the ship, it is expected the ship had multiple backup power sources. I was told that moving power around the ship is done through a manual switchboard process. It could also be expected that, since this is a modern ship, it would be equipped with state-of-the-art remotely accessible instrumentation, control systems, and communication systems.
Possible cyber implications
My control system incident database includes more than 30 maritime control system cyber incidents (out of more than 1,300 control system cyber incidents). Maritime control system cyber incidents include loss of propulsion, damage to ships' equipment, ships going off course, and dock cranes dropping containers. There have been numerous cases of hacking Global Positioning Systems (GPS) affecting ships, drones, etc. by Russia, China, Iran, and others. An article in the June 22, 2018 Times reported that poorly protected ships were at severe risk for cyberattacks from the electronic chart display and information systems (ECDIS) commonly used in cargo/container ships. The ECDIS systems are supposed to be updated at each port call. Compromising the ECDIS system could move a vessel’s apparent location by up to 300m, giving false readings to the ship’s crew and other traffic Small changes to navigation systems could cause collisions in busy shipping routes or cause ships to run aground.
There were “black boxes” collecting information on the Ever Given’s instrumentation and communications systems that are expected to be interrogated. Per https://www.theguardian.com/world/2021/mar/24/huge-container-ship-blocks-suez-canal-evergreen, Jamil Sayegh, a former captain and maritime law specialist with experience navigating the canal stated vessels passing through the Suez said that all ships are obligated to use Egyptian pilots to help them navigate the stretch. Sayegh went on to state that none of the vessels behind the Ever Given had run into similar troubles. I have not heard of any discussions about ships that were ahead of the Ever Given having similar problems.
Commercial ships tend to have flat computer networks. That is, these networks are generally unsegmented networks without firewalls or other cyber security measures in place. Default passwords are commonplace not just on firewalls, but also programmable logic controllers (PLCs) and satellite communication equipment as well. This is a potential safety issue as the PLCs that control the rudders can be remotely accessible. Additionally, there have been instances where navigation communication systems have been surreptitiously accessed in ways that would enable access to propulsion, steering controls, etc. There has been wide-spread industry experience with maliciously installed hardware backdoors in large equipment such as electric transformers sourced from various countries. Consequently, it would not be unexpected if there were backdoors installed in some of the critical equipment used for propulsion and steering, other cyber pathways exist to affect the software and/or hardware through pre-executable commands, or other approaches that could take control of the ship’s critical systems at specified GPS locations.
The Ever Given could be seen traversing the Suez Canal in a winding not straight manner. I was told the ship’s speed varied - speeding up and slowing down. Before the ship turned and became lodged, it was stated the ship lost all power even though there were back-up systems to maintain steerage. Following the incident, there were interviews with ships’ Masters one of whom said there were three backup power generators to stop this from happening and could not understand how all power had been lost to the ship and the anchors not deployed. There should be processes for these sorts of failures in the ship’s Safety Management System. It has been explained to me that if the ship’s Master was in control (Pilots call out instructions, but it’s still the Master’s responsibility), and if the Master had time to respond, the anchors should have been dropped. There are generally safety instrumented switches on the bridge to actuate in such an emergency.
I was told the two most logical explanations for the ship’s erratic behavior was either bad fuel or a cyberattack. Bad fuel should have led to numerous alarms and not affected rudder control whereas a cyberattack could suppress any or all of the alarms and potential compromise rudder control. I have not been able to find out if any of the alarms were initiated due to degradation or loss of power, steering issues, etc. or if those alarms were intentionally silenced. If the ship lost all power, it is expected there would be no systems available to the bridge and rudder position should not change.
There are certainly more questions than answers. Some of the questions that come to mind are:
- How long after power was lost before the ship ran aground?
- Were anchors dropped following the loss of power?
- Did alarms indicate power degradation in the primary and back-up power sources?
- Were key systems being remotely accessed from questionable locations?
- Why was the ship not steering a straight course through the Suez Canal before it made the final turn?
- After losing power, why did the ship effectively make a left turn into the Suez Canal bank rather than continue in the forward direction?
My relevant background
I am a control system engineer with considerable experience in instrumentation and equipment diagnostics. My first experience analyzing maritime equipment was when I was managing the Electric Power Research Institute (EPRI) Nuclear Plant Instrumentation and Diagnostic Program in the late 1980s to early 1990’s. Operators of commercial nuclear plants needed to understand how much remaining life was available on large rotating equipment such as pumps, valves, compressors, etc. Commercial nuclear plants have yearly or multi-year fuel cycles where the plant should not be shut down because of equipment maintenance during the operational fuel cycle. The US Navy has a similar need for the large rotating equipment on their ships to operate through extended voyages. Consequently, I met with representatives from a US Navy Research Center to exchange information on equipment monitoring as the equipment was the same (i.e., a ship is essentially “a power plant with rudders”). This is relevant as vibration monitoring systems are common with both power plants and ships. Many of those systems are vulnerable to cyber threats and are remotely accessible. I first became interested in the maritime cyber issues in the 2000-time frame when there was an unclassified article about the use of remotely accessible Siemens PLCs - the same PLCs compromised by Stuxnet in the centrifuge facility in Iran - in the new generation of US nuclear-powered aircraft carriers. Additionally, several years ago, I had a meeting with the US Navy at one their key shipyards regarding the adequacy of cyber monitoring of process sensors used on board their ships.
Conclusions
Cyber threats provide the ultimate deniability in modern warfare. Cyberattacks that could have caused the Ever Given incident have already occurred. As such, the ability to stop navigation in a shipping channel using a civilian ship can be a new approach to compromising economic and military capabilities. In 2017, there were a series of crashes at sea with US Navy ships and civilian ships. The collisions were blamed on the Navy ships rather than having cyber investigations of the civilian ships to determine if they were the actual cause of the collisions. The Ever Given and other infrastructure incidents should require a protocol for performing control system cyber forensics consisting of both network and engineering forensics. As I wrote at the beginning of this post, this is speculative and may not be a definitive account of what specifically happened in the Suez Canal. But the questions seem worthy of investigation.
Joe Weiss
