What procedures are followed when importing BAPLIE and similar data to the vessel?

What processes are in place to ensure that USB keys containing loading data are free from malware?

Are USB keys ever given to third parties to load data on to? Are USB keys from third parties ever inserted in to vessel systems?

If data is transferred over the internet (e.g. email) what processes are followed to ensure that the files are safe to use?

Ask how the crew would detect if loading data had been tampered with?

Do sufficient procedures exist to rapidly correct a significant out of trim or GM situation?

The verified gross mass for a container is passed in an EDIFACT message. The vessel bay plan software will use the VGM in order to determine where to place the container for optimum GM, trim and load/discharge efficiency in port.

It may be possible for a motivated hacker to tamper with message to fool the planning software in to placing containers inappropriately and changing GM or causing delays in discharging loads as containers are incorrectly buried deep in the stack.

However, of greater concern is the ability to steal containers from the port using the same messaging system. Legal documents published around a case between Glencore and MSC show that a hack of an agent resulted in container PIN release codes being compromised and two containers of metal cobalt worth >$1M being stolen from a port.

Similar techniques may be used to cause containers to be discharged at the wrong port in to the waiting hands of criminals.

Finally, targeted piracy has been reported that appears to involve knowledge of the bay plan by the perpetrators. After boarding, instead of holding the vessel ransom, a small number of containers of high value items are emptied and the pirates leave.

EDIFACT messaging includes information about the description and value of the cargo. That’s clearly of great interest to criminals.

To quote wikipedia: “United Nations/Electronic Data Interchange for Administration, Commerce and Transport (UN/EDIFACT) is the international EDI standard developed under the United Nations.”

EDIFACT is a development of EDI, with its beginnings in the standard shipping message formats first developed and used to manage the logistics of the Berlin Airlift in 1948

Today, EDIFACT messaging is used for almost all containerised transport movements. The message format is managed and developed by SMDG.

SMDG is a non-profit Club, run by and on behalf of companies and organizations working in the maritime industry, like container terminals, ocean carriers and related companies and organizations.

SMDG develops and promotes UN/EDIFACT EDI-messages for the Maritime Industry and is an official Global User Group, recognised by the UN/EDIFACT Board.

Ships are becoming more and more integrated with shoreside operations because digital communication is being used to conduct business, manage operations, and retain contact with head office. Furthermore, critical ship systems essential to the safety of navigation, power and cargo management have become increasingly digitalised and connected to the internet to perform a wide variety of legitimate functions such as:

engine performance monitoring

maintenance and spare parts management

cargo, loading and unloading, crane, pump management and stow planning

voyage performance monitoring.

The above list provides examples of this interface and is not exhaustive. The above systems provide data, which may be of interest to cyber criminals to exploit.

Modern technologies can add vulnerabilities to the ships especially if there are insecure designs of networks and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may be unaware how some equipment producers maintain remote access to shipboard equipment and its network system. Unknown, and uncoordinated remote access to an operating ship should be taken into consideration as an important part of the risk assessment.