“We are in their system.” Ship attacked in ten minutes

Genoa - Hacking demo at Genoa’s Port Authority: virtual attack on an oil tanker. “We are controlling everything from here”.

Genoa - “You’ll have to excuse me, I always say the most frightening things on these occasions... but I’m usually right.” Gianni Cuozzo is the 27-year-old CEO of Aspisec, a company that specialises in cyber risk consulting. From his underground beginnings (“I was one of the bad guys wearing hoodies”) he put his knowledge to use in the defence sector, creating one of the leading computer security companies in Northern Europe. In 2016, he decided to return to Italy. And all the Italo-German computer expert needs is a laptop, an internet connection, and 10 minutes to dismantle a ship’s security systems.

It was a live hack during a convention: for a few minutes, unbeknownst to the crew, hundreds of business people were able to see the data from a ship on the Adriatic Sea, with his cursor hovering over the route data. Cuozzo used two open-source programmes, accessible to anyone, to identify the ship and the characteristics of its operating system, and then confirmed that the port giving access to the AIS protocol (that is, the ship’s online tracking) was not protected by a firewall. Having found an unprotected ship, the next barrier was the system password, but “70% of all electronic devices in the world are controlled by a default password set by the manufacturer.” In fact, Cuozzo guessed it on his first attempt by typing in “1234”.

“At this point we could take control of all the ship’s systems, without anyone realising. Usually a company realises that it has been hacked six to twelve months after the penetration takes place. I have also worked in war zones: Syria, Ukraine,” Cuozzo explained, “And even in those contexts, the majority of hacks are mistaken for system malfunctions.” More than neglect, it is a cultural issue. Yet the damage can be considerable: Gian Enzo Duci, President of Federagenti, recalled the Maersk case, in which a hack cost the shipping company $300 million.
This phenomenon “has changed our sensibility,” said Alessandro Morelli, SIAT’s COO, “But the maritime sector is lagging behind on this front, and insurance companies are still studying how to make a product that covers not only damage to ships, but also damage to third parties caused by hacking.” Cuozzo concluded, “On average, companies spend 90% on hardware and 10% on software, and it’s only 1% that is spent on firewalls.” In other words, only 1% of companies’ expenditure goes on protecting their operational core, the engine that keeps all of their activities running.
