Blockchain processes could be hacked by experts who have demonstrated ways to compromise this transaction technology’s security
Blockchain technology is not as secure as people anticipate and can be hacked, believes Pen Test Partners senior partner Ken Munro. Blockchain is an online trading system that enables several companies and organisations to track and enact financial transactions in shipping. It is thought to be a ‘silver bullet’ for secure transactions but Mr Munro thinks there are ways to hack it.
“Blockchain solves some security issues but also opens up new and concerning security problems,” he told Marine Electronics & Communications. Its security is assumed because of consensus algorithms, “which most people probably do not understand” he explained. To demonstrate this, Mr Munro described some hacking methods that might be used to break into a maritime blockchain.
Private key compromise
This is also known as hacking an organisation’s “wallet”. Permissions to use a blockchain are governed by each user’s private key address, more commonly known as their wallet, he explained. Therefore, if someone gains access to a user’s private key, they would control their wallet and transactions. These wallets are protected with a password, which may not be secure.
“Consider someone in your supply chain using a tablet to manage container movements at a terminal,” Mr Munro suggested. “Have they set a strong password for their wallet?” If the tablet is stolen and the password is easily cracked, then there would be a problem. “Even though blockchain may be secured by consensus, if a genuine account is compromised there is no stopping illegitimate use,” Mr Munro warned.
Cryptography can be, and has been in the past, broken because of computing advances. Quantum computing, a next-generation computing technology, has the potential processing power to crack the cryptography that secures a blockchain.
“Once cracked, all trust in the blockchain is lost,” said Mr Munro. “If cracked, an immediate switch to stronger encryption would be required.” All old transactions and wallets would be frozen and the new blockchain would begin from the last frozen block.
“The cost of such a change could be enormous, potentially eclipsing the cost savings from the blockchain itself,” he added.
Miners are the security of a network. They implement the blockchain by supplying the ledger and work together to ensure consensus. “The amount of mining nodes you have on a network determines how secure the network will be,” Mr Munro explained.
The design of a maritime blockchain is important in this respect. If one organisation controls the majority of the miners, they control the whole network.
“If an attacker can gain control of 51% of all mining nodes, they can control the network and can change historical data,” he explained. Another vulnerability of the scale of 2017 cyber attacks that involved WannaCry or NotPetya and affected shipping companies, “could be the one that destroys a blockchain by deleting the ledger on all nodes, thus deleting all historical data for shipping,” Mr Munro explained.
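The majority-control risk described above, as an added example that is not from the article or from Pen Test Partners: a simplified model (one vote per node, no proof-of-work) showing that hash-linking detects an in-place edit, while a node majority decides which internally consistent history the network accepts. The container ID, ports and operator names are constructed sample data.

```python
import hashlib
from collections import Counter

GENESIS = "0" * 64

def block_hash(prev_hash, payload):
    # Each block's hash commits to its payload and to the previous block's hash.
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for payload in payloads:
        prev = block_hash(prev, payload)
        chain.append((payload, prev))
    return chain

def chain_is_consistent(chain):
    # Detects an in-place edit: the stored hash no longer matches the payload.
    prev = GENESIS
    for payload, stored in chain:
        if block_hash(prev, payload) != stored:
            return False
        prev = stored
    return True

def network_view(nodes):
    # nodes: {node_id: (operator, chain)}. Simplified model: one vote per node.
    # Returns the tip hash held by a strict majority of nodes, else None.
    tips = Counter(c[-1][1] for _, c in nodes.values() if c and chain_is_consistent(c))
    if not tips:
        return None
    tip, votes = tips.most_common(1)[0]
    return tip if votes * 2 > len(nodes) else None

def majority_operators(nodes):
    # Design check: operators that alone run more than half of the nodes.
    counts = Counter(op for op, _ in nodes.values())
    return [op for op, n in counts.items() if n * 2 > len(nodes)]

# Constructed sample data: two internally consistent histories for one container.
HONEST = build_chain(["CONT-0001 loaded Rotterdam", "CONT-0001 discharged Singapore"])
REWRITTEN = build_chain(["CONT-0001 loaded Rotterdam", "CONT-0001 discharged Shanghai"])

def scenario(operators):
    # One node per list entry; nodes run by "OrgA" serve the rewritten history.
    nodes = {i: (op, REWRITTEN if op == "OrgA" else HONEST) for i, op in enumerate(operators)}
    return network_view(nodes), majority_operators(nodes)

if __name__ == "__main__":
    print(scenario(["OrgA", "OrgA", "OrgB", "OrgC", "OrgD"]))  # honest tip, no majority operator
    print(scenario(["OrgA", "OrgA", "OrgA", "OrgB", "OrgC"]))  # rewritten tip, OrgA flagged
```

Running `majority_operators` over the planned node inventory is the design-time check: any operator it returns can decide the ledger's history on its own.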
As an example of where blockchain technology could be useful, he referred to the global stock of more than 40M shipping containers. Keeping track of all their movements is going to significantly increase the scale of blockchain in maritime “and the amount of disk space needed for a miner to keep the ledger could become so large that it would become unmanageable,” he said.
If a miner is not under constant supervision, hard disk space could be filled and prevent the ledger being updated, he said. “Hard drive space of this scale will be expensive” so “one might decide to have fewer miners on the blockchain to keep down hard disc storage costs. Fewer miners leads to less consensus, less distribution and less security.”
Some blockchains support smart contracts, also known as decentralised applications, which are coded programs that can be run within the blockchain.
“This brings a whole new chapter of vulnerabilities into the mix,” said Mr Munro. “Already blockchain applications have had flaws abused.” For example in one 2017 hack, an attacker ran a coded function before a transaction should have been executed “and ended up stealing millions of dollars by becoming the very wallets which the program was in the process of creating”.
“They effectively jumped the gun,” he continued. “This type of hack is just as real in the maritime environment. Many blockchain exchanges and wallets have been hacked in a similar fashion.”
With these security flaws in mind, Mr Munro asks whether the maritime industry will get security of the blockchain 100% right first time. He said that more thought needs to be given to the structure of maritime blockchains and the interfaces with other systems.
“It is clear to us that blockchain has a purpose in the maritime industry and could generate significant cost savings,” said Mr Munro. “But it is not a silver bullet for security – your security problems will not go away if you implement a blockchain; they will just be very different and potentially rather more complex,” he concluded.
COSCO achieves a cyber first in shipping
COSCO Shipping Aries is the first container ship to receive Lloyd’s Register’s (LR’s) cyber-enabled ship descriptive note, writes Rebecca Moore. Its 20,000 TEU newbuild, under construction by Nantong COSCO KHI Ship Engineering Co, received LR’s notation Cyber AL3 Secure Perform for its energy management system.
This means the boxship complies with the revised version of LR’s cyber-enabled ships (CES) ShipRight procedure, issued in December 2017.
AL3 is defined in LR’s notation as “cyber access for autonomous/remote monitoring and control (onboard permission is required, and onboard override is possible)”. COSCO is hoping to apply LR’s CES notation to some of their other vessels.
LR innovation strategy and research director Luis Benito told Marine Electronics & Communications: “The significance here is that operators have a way of ensuring that their energy management system integrates with the rest of the systems on the ship with no side effects. Therefore, it checks that it works in harmony with the rest of the ship and has a foundation level of [cyber security]. Clients rely on such systems for business decisions, so it is important that they can rely on the data being cyber secure.”
He said the AL3 notation has additional significance as it means the energy management system is certified to operate in an autonomous way without human intervention. “Once the owner sets the parameters, the system is left to operate the ship within these thresholds automatically and will deliver what it needs to without human intervention.”
However, the human is kept in the loop, as the system is set to allow crew to override it if needed, then reset it to be autonomous again.
Mr Benito expanded: “This is so new to everyone, including ourselves. Many ships have been using energy management systems for decades, but what is new is that in the past no one paid attention to the risks of having a connected ship streaming data.”
But, as he explained, there is now an industry realisation that ship operators should look at the risk of data streaming and connected assets.