Security researchers have warned that it might be possible to destabilise a container ship by manipulating the vessel stowage plan or "Bay Plan".
The issue stems from the absence of security in BAPLIE EDIFACT, a messaging system used to create ship loading and container stowage plans – for example which locations are occupied and which are empty – from the numerous electronic messages exchanged between shipping lines, port authorities, terminals and ships.
The messaging standard is developed and maintained by the Shipping Message Development Group (SMDG).
Criminals less interested in destabilising ships but perhaps instead stealing goods by rerouting containers, would use "COPRAR / COPARN / CODECO / COARRI" messages instead. These deal with shipping line to terminal messaging and vice versa.
Evidence suggests that ship and terminal messaging systems have been abused at times in order to either conceal or re-route drugs or steal valuables. "We believe this was done using front end GUIs in port rather than manipulating the data itself," according to Ken Munro, a security researcher at Pen Test Partners.
BAPLIE messages, once their syntax is understood, might potentially be manipulated to change the destinations of cargo, money and more. Pen Test Partners was more interested in message subsets that are found in "LIN" line items about contents and handling for individual containers.
Most straightforwardly it's possible to manipulate container weight and thus the ship's balance.
A potential hacker would simply search the message for VGM (Verified Gross Mass). The trailing value is the weight, so changing this value to make it either lighter or heavier would mean that the vessel load-planning software would place the container in the wrong place for stability. "Some ports may intercept the wrong weight at a weighbridge or possibly at the crane, but overloading containers to save on shipping cost is already a significant issue in some regions," Munro explained.
Researchers explained that it might be possible, using similar trickery, to place a mislabelled heavy container at the top of the stack, moving the centre of gravity too high. For example, it's possible to set the handling for "load third tier on deck", so high up, out of the hold. Manipulating the weight distribution is an issue because the ship becomes more and more unstable if heavy goods are loaded higher up in the stack.
Certain attributes can be set for a container to flag that it needs special handling. Manipulating the message opens the door to all sorts of mischief.
For example, the status for an aggregation of explosive materials could be changed to an batch of regular liquids. Alternatively a potential hacker could modify the flashpoint of a flammable vapour.
Refrigerated containers need special handling, as they need to be located in certain bays that have power supplies. A particular code states that the container is a "reefer", so the load plan software will sign it to a powered bay.
Mischief-makers could change the designation of a batch of goods that need refrigeration could be changed to signify normal handling or (more subtly) that the refrigeration unit is inoperative, so the goods can be placed anywhere. The consequences for a batch of prawns, for example, of such trickery would be altogether malodorous.
Certain cargoes are sensitive to strong smells, particularly coffee. Handling codes are set to place them well away from smelly things. Pranksters could potentially change the designation so that the a container full of odour-sensitive goods, such as coffee, has its door open and locate next to a container of fishmeal, which will be tagged as odorous.
To make things even worse the combo could be assigned to a hold using the "keep dry" code where there's poor air circulation.
"Whatever happens, the coffee will stink of fish on arrival at port," Munro writes.
The integrity of BAPLIE messaging is critical to the safety of container ships.
“I strongly encourage all operators, ports and terminals to carry out a thorough review of their EDI systems to ensure that message tampering isn’t possible,” Munro concluded.
The BAPLIE protocol features a literal checksum that uses the total number of message segments, including itself, but excluding the UNH message header.
"So, if you remove or add a message segment, don't forget to update the UNT [message] trailer," Munro explained. "If you’re just manipulating segment values, you don’t need to worry about UNT."
The terminal/ship/port receiving a doctored message will probably respond with a CONTRL message, acknowledging receipt.
This is much of a stumbling block, either.
"If you're intercepting and forwarding the entire EDI message stream, be prepared to spoof a message back to the sender," Munro notes. "It's easy to generate the correct CONTRL message for your modified request: there’s a generator here."
"Already there is evidence of theft of valuable items from containers in port, potentially through insider access by criminals to load information. It doesn't take much imagination to see some far more serious attacks," Munro concluded. ®