Could the Dali container ship incident have been a control system cyberattack?

April 19, 2024
Improving the security, safety and resilience of U.S. commercial shipping vessels and maritime infrastructure

This blog is not about whether the container ship MV Dali’s crash was caused by a cyberattack. Rather, the question it takes up is whether the Dali’s crash could have been caused by a control system cyberattack.

If this mishap was the result of a cyberattack, then what can the Coast Guard, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Transportation, the maritime industry and other stakeholders do to prevent future such mishaps? This blog addresses some of the control system cyber threats and vulnerabilities that we need to consider as we try to improve the security, safety and resilience of our commercial shipping vessels and maritime infrastructure.

I reached out to experts from maritime and maritime cybersecurity, logistics, lighting controls, cybersecurity, navigation and others for this blog. A large ship is effectively a “power plant with rudders.” It is also a “mini-city” with its own microgrid. From a control system cybersecurity perspective, the difference between a ship on or underwater and any shore facility is the importance of geolocation to the ship. Cyber vulnerabilities associated with load shedding, engine controls, power management, equipment maintenance and other aspects of vessel operation are either the same as, or very similar, to shore facilities.

It is too soon to tell whether the incident was an unfortunate safety-related mishap or something more sinister such as a cyberattack. The “immediate” proclamations by some government authorities that the Dali’s collision with the Francis Scott Key Bridge in the Port of Baltimore that the event was purely safety related are premature given the investigation of the mishap is in its infancy. It could take a long time to complete the safety mishap and other types of analyses, such as cyber-incident analysis.

In addition, there are very few control-system cybersecurity experts available to assess whether a cyberattack was a contributing factor in the collision. Furthermore, existing operational technology (OT) cybersecurity approaches might be ill-suited to recognizing control system cyber incidents since a Dali-type event may not be IP-network-related.

Given the importance of the Port of Baltimore, there are many reasons the Dali incident may not have been just a purely safety issue. I will focus on the technical issues with cyber that could have been involved, whether malicious or unintentional.

Without details on the control system design of the Dali and a preliminary report from National Transportation Safety Board (NTSB), my assessment in this blog article is speculative. It is too early to rule out an engineering casualty, and there could certainly be features of the shipboard systems that would explain the apparent emergency lighting outage, the continued ability to communicate by radio and other circumstances that have come to light about the accident.

Maritime control system cyber incidents are real. From my proprietary database, there have been more than a hundred control system cyber incidents that have affected ships and port equipment. They include loss of power, loss of view and loss of control. Most of these incidents were not identified as being cyber-related. There have also been thousands of cases where global positioning system (GPS) hacks by Russia, China and Iran have affected ships’ navigation.

In fact, on Apr. 2, 2024, a vessel captain reported “electronic interference” in navigation systems during a Middle East Gulf passage. U.K. Maritime Trade Operations said the incident took place over two hours. The unnamed ship experienced disruption to electronic navigation systems, including its GPS and Automatic Identification Systems (AIS).

Many shipboard control systems use GPS for inputs. A compromise of the GPS could result in compromised input to the control system, leading to an increase or decrease in the vessel’s velocity or the turning of a rudder.

Apart from GPS, modern autopilots and Electronic Chart Display and Information System (ECDIS) used for navigation utilize dead reckoning (which is different than GPS) to gather inputs from sensors, including speed sensors, wind sensors, gyroscope/inertial, echosounders (combined with seabed mapping). If there is a calculated deviation from the GPS position, the system will raise an alarm and the crew will be notified of the position insecurity.

Two specific cases are relevant to the Dali case. In 2021, the Ever Given container ship went sideways blocking all traffic though the Suez Canal. Prior to entering the Suez Canal, the Ever Given was wandering “aimlessly” as if GPS and/or the steering were comprised.

A more recent case involved multiple issues with a naval warship’s engineering SCADA system and process sensors. In one instance, it resulted in complete loss of control of the ship. In another instance, control system cyber issues with the main propulsion engine caused loss-of-steering. In yet another instance, there was a loss of communication between the engine room and bridge.

Dali ship history

MV Dali is a 91,128 gross tonnage container ship, completed in 2015 by Hyundai Heavy Industries, South Korea. In 2016, the ship was sold to Grace Ocean Pte Ltd. to be managed and operated by Synergy Marine Group, Singapore, where the Dali was registered. Initially, the Dali was repaired and serviced by the builder, Hyundai in South Korea.

However, beginning in 2020, China’s Yiu Lian Shipyard was contracted to perform repairs and perform maintenance on the Dali. Yiu Lian Dockyards is a wholly owned subsidiary of China Merchants Industry Holdings Co. Ltd. and focuses on ship repair, has technical knowledge in steel work, coating, painting, machinery maintenance, oil tanks’ conversion and offshore repairs and conversions.

Because maintenance of the Dali was performed in China, it is reasonable to ask whether any malware, Trojan horses or hardware backdoors might have been installed in the ship. Additionally, have Chinese equipment with hardware backdoors been installed in Dali during maintenance performed in China?

The potential control system cyber issues with the Dali incident can be separated into those at the port and those on the ship.

Chinese port cranes

The Dali unloaded and loaded containers at the Port of Baltimore. The cranes used to unload and load containers came from China. According to a recent congressional report, 12 cellular modems were discovered on Chinese port crane manufacturer ZPMC’s crane equipment and in a server room at a U.S. port. ZPMC never explained the reason why they were there, never explained their use, did not provide the configuration settings and downplayed the issue.

Moreover, the port authorities had not specified the need for modems and did not know why the equipment had been installed. Cellular modems can be used to identify what containers have been loaded or unloaded, where the newly loaded containers were located, and to send commands and potentially spoofed sensor signals to the port equipment or to the Dali. It is not known whether that happened, but it could have occurred.

Power outages

There were reports that the Dali experienced power outages while berthed in Baltimore. Julie Mitchell, co-administrator of Container Royalty, which tracks the tonnage on containerships coming in and out of Baltimore, told CNN the ship was suffering from power outages for two days prior to its departure, “citing a number of reefers [refrigerated containers] onboard which had been tripping circuit breakers" (load shedding).

Fuel issues

After collecting all available data, including correlating multiple AIS provider data, the workboat in Baltimore which approached the Dali did not onboard any new fuel. Therefore, the last prior loading of fuel occurred in Elizabeth, New Jersey (the Port of New York and New Jersey) on Mar. 20, 2024. This would preclude issues with “bad fuel.”

Internet access

Modern ships (the Dali was built in 2015) have multiple external access points: AIS, GPS and satellite links (e.g., Viasat and others). The satellite links provide communication for emergencies and routine updates to the home company (or charter company in the case of the Dali). Viasat was hacked by Russia at the beginning of the Russia-Ukraine war. As mentioned, Russia, China and Iran have demonstrated expertise in hacking GPS affecting ships. There is also the possibility of malicious updates. Usually, normal updates happen in port. This could be where malicious updates could be substituted. Chinese port cranes make this a possibility especially when the cranes come with equipped with unasked for modems and possibly other unknown equipment like with the Chinese transformers. 

Alarms, communication and steering

The actual collision with the Francis Scott Key Bridge seems to have been a complex incident. Numerous alarms were recorded on the ship’s bridge audio at 1:24 a.m. ET on the day of the incident. Around the same time, the voyage data recorder (VDR) stopped recording the vessel’s system data but was able to continue taping audio from an alternative power source. Two minutes later, the VDR resumed recording the Dali’s system data and captured steering commands and orders about its rudder.

It is unclear what caused the loss of data recording. That same minute, the pilot issued a very high frequency radio call to nearby tugboats requesting assistance for the stricken vessel indicating there was at least some emergency backup power available. At 1:27 a.m., the pilot ordered the Dali to drop the port anchor, along with other steering commands. The pilot also issued another high frequency radio call, reporting that the ship had lost all power and was approaching the Francis Scott Key Bridge.

From what is publicly known, the ship was not “aimed” directly at the bridge when it lost power. When all power was lost, the rudder position would not have been expected to change. Consequently, when power came back, the control systems had to change rudder position to hit the bridge head-on. It is unlikely the captain’s steering commands would have “aimed” the ship at the bridge structure.

Shipboard components

Components found in both port and shipboard equipment present a risk. In 2021, the U.S. Director of National Intelligence National Intelligence Council’s National Intelligence Estimate wrote: “China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers and inverters, which we assess creates cyber vulnerability risks.”

Counterfeit Chinese process sensors have been found in Asia and North America. Some of these components can be found on ships as ships use process sensors, circuit breakers, inverters and other related electrical components. Building automation systems such as HVAC and lighting control are vulnerable to cyberattacks. The digital nature of building automation systems allows two-way communication between devices, so that a device can report a failure, or answer a query about its status or other information. The bi-directional communication makes building automation an attractive cyber infiltration target.

Process sensors and actuators

Process sensors measure pressure, level, flow, temperature, etc. They generally have no cybersecurity, authentication or cyber logging. Yet, the need to calibrate process sensors whether analog or digital sensors involves connections to the Internet.

According to the chair of the NTSB, process sensors are not an input to the VDR. However, it is possible they were connected to the Internet, especially if maintenance was performed while in port. A common process sensor network for ships with analog process sensors is Wired HART (Highway Addressable Remote Transducer). This is an older protocol with, at best, minimal cybersecurity.

As mentioned, there have been cases where ships have lost all power and control at sea because of process sensor issues. The Dali had passed previous inspections during its time at sea, but during one such inspection in June 2023 at the Port of San Antonio in Chile, officials discovered a deficiency with its "propulsion and auxiliary machinery (e.g., process sensors) that were subsequently addressed. Process sensors, actuators, drives and related components are not explicitly addressed in the draft U.S. Coast Guard maritime cybersecurity standards, nor do the proposed standards require expertise to identify control system incidents as being cyber-related.

Lessons from other major cyber incidents

A cyber incident is electronic communications between systems and systems and people (e.g., displays) that impacts the confidentiality, integrity or availability of the system. This can be either unintentional or malicious.

As demonstrated by Stuxnet, a sophisticated cyberattack can be made to look like an equipment malfunction rather than a cyberattack. NTSB’s history with control system cyber incidents, such as the Olympic Pipleine Company’s gasoline pipeline rupture and PG&E’s natural gas pipeline rupture in California, has not adequately addressed the control system issues. Immediately stating an incident is not a cyberattack without detailed analysis is unwise and can be counterproductive. 

Control system incidents take a significant amount of time and specific expertise to identify the incident as being cyber-related as there is often no cyber forensics or appropriate training available. This is not the first time that the government and organizations like the North American Electric Reliability Corporation, and in this case NTSB, have immediately stated that a control system incident was not a cyberattack and then said it would take days to weeks to understand what actually occurred. 

There have been millions of control system cyber incidents in all sectors, including the maritime sector. Very few of those control system cases were identified by the Coast Guard, NTSB, Department of Homeland Security, Environmental Protection Agency, Transportation Safety Administration, Chemical Safety and Hazard Investigation Board or the Nuclear Regulatory Commission as being cyber-related. This is why I wrote the ISA MicroLearning Module “Identifying Control Systems Cyber Incidents.”

As I prepared this blog and had it reviewed, I learned about several alternative means of cyberattacking the ship to gain control of the steering and propulsion. These were innovative approaches that go beyond just trying to insert malware in the IT network and would not be detectable from IT or OT monitoring. 

Summary

The impacts from control system incidents are obvious, but their causes are usually less clear, especially when they might be cyber-related. However, control system cyber incidents have impacted the behavior and operation of ships as well as critical infrastructures. GPS hacks have altered ships’ positions and displays. Some Chinese critical infrastructure such as port cranes and large electric transformers have backdoors to take control of equipment.

The Dali had multiple control system cyber vulnerabilities and threats including maintenance performed in China, loading containers, from Chinese port cranes, use of cyber vulnerable ship equipment, etc. In the case of analyzing the Dali incident, expertise is needed in all facets of ship monitoring and control, logistics, reconstruction, and cybersecurity (IT and control systems). It is critical that maritime cybersecurity requirements include control system field devices and be expeditiously reviewed considering the Dali incident.

This blog was originally hosted on Control.

 

Joe Weiss is an expert on instrumentation, controls, and control system cyber security. He authored Protecting Industrial Control Systems from Electronic Threats. He has a database of almost 12 million control system cyber incidents. He is an ISA Fellow, Managing Director of ISA99, an IEEE Senior Member, and was featured in Richard Clarke’s book- Warning – Finding Cassandras to Stop Catastrophes. He has patents on instrumentation, control systems, OT networks, is a professional engineer, and has CISM and CRISC certifications.