SINGAPORE (Reuters) – The next hacker playground: the open seas– and the oil tankers and container vessels that ship 90% of thegoods moved around the planet.

In this internet age, as more devices are hooked up online, sothey become more vulnerable to attack. As industries like maritimeand energy connect ships, containers and rigs to computer networks,they expose weaknesses that hackers can exploit.

Hackers recently shut down a floating oil rig by tilting it,while another rig was so riddled with computer malware that it took19 days to make it seaworthy again; Somali pirates help choosetheir targets by viewing navigational data online, prompting shipsto either turn off their navigational devices, or fake the data soit looks like they're somewhere else; and hackers infiltratedcomputers connected to the Belgian port of Antwerp,located specific containers, made off with their smuggled drugs anddeleted the records.

While data on the extent of the maritime industry's exposure tocyber crime is hard to come by, a study of the related energysector by insurance broker Willis this month found that theindustry "may be sitting on an uninsured time bomb".

Globally, it estimated that cyber attacks against oil and gasinfrastructure will cost energy companies close to $1.9 billion by2018. The British government reckons cyberattacks already cost UK oil and gas companies around 400 millionpounds ($672 million) a year.

In the maritime industry, the number of known cases is low asattacks often remain invisible to the company, or businesses don'twant to report them for fear of alarming investors, regulators orinsurers, security experts say.

There are few reports that hackers have compromised maritimecyber security. But researchers say they have discoveredsignificant holes in the three key technologies sailors use tonavigate: GPS, marine Automatic IdentificationSystem (AIS), and a system for viewing digital nauticalcharts called Electronic Chart Display and Information System(ECDIS).

"Increasingly, the maritime domain and energy sector has turnedto technology to improve production, cost and reduce deliveryschedules," a NATO-accredited think-tank wrote in a recent report."These technological changes have opened the door to emergingthreats andvulnerabilities as equipment has becomeaccessible to outside entities."

Tip of the iceberg

As crews get smaller and ships get bigger, they increasinglyrely on automation and remote monitoring, meaning key components,including navigational systems, can be hacked.

A recent study by securitycompany Rapid7 found more than 100,000 devices –from traffic signal equipment to oil and gas monitors – wereconnected to the internet using serial ports with poor security."The lines get blurry, and all industries and all technologies needto focus more on security," said Mark Schloesser, one of theauthors of the study.

Mark Gazit, CEO of ThetaRay, an internet securitycompany, said an attacker managed to tilt a floating oil rig to oneside off the coast of Africa, forcing it to shut down. Ittook a week to identify the cause and fix, he said, mainly becausethere were no cyber security professionals aboard. He declined tosay more.

Lars Jensen, founder of CyberKeel, a maritime cyber securityfirm, said ships often switch off their AIS systems when passingthrough waters where Somali pirates are known to operate, or fakethe data to make it seem they're somewhere else.

Shipping companies contacted by Reuters generally played downthe potential threat from hackers. "Our only concern at this stageis the possible access to this information by pirates, and we haveestablished appropriate countermeasures to handle this threat,"said Ong Choo Kiat, president of U-Ming MarineTransport, Taiwan's second-largest listed shipping firm bymarket value. The company owns and operates 53 dry cargo ships andoil tankers.

Virus-riddled

A study last year by the BrookingsInstitution of six U.S. ports found that only one hadconducted an assessment of how vulnerable it was to a cyber attack,and none had developed any plan to response to any such attack. Ofsome $2.6 billion allocated to a federal program to beef up portsecurity, less than 1 percent had been awarded for cyber securityprojects.

When CyberKeel probed the online defences of the world's 20largest container carriers this year it found 16 had serioussecurity gaps. "When you look at the maritime industry there'sextremely limited evidence of systems having been breached"compared to other sectors, said CyberKeel's Jensen. "That suggeststo us that they've not yet been found out."

Michael Van Gemert, a security consultant to the oil and gasindustry, said that on visits to rigs and ships he has foundcomputers and control systems riddled with viruses. In one case, hesaid it took 19 days to rid a drilling rig en routefrom South Korea to Brazil ofmalware which had brought the vessel's systems to a standstill.

"The industry is massively in need of help, they have no ideawhat the risks are," he said.

The main ship navigation systems – GPS, AIS and ECDIS – arestandards supported by bodies such as the International MaritimeOrganisation (IMO). Indeed, that body has made AIS and ECDISmandatory on larger commercial and passenger vessels.

Researchers from the University ofTexas demonstrated last July that it was possible tochange a ship's direction by faking a GPS signal to dupe itsonboard navigation system.

Marco Balduzzi and colleagues at anti-virusvendor Trend Micro last month showed that anattacker with a $100 VHF radio could exploit weaknesses in AIS –which transmits data such as a vessel's identity, type, position,heading and speed to shore stations and other ships – and tamperwith the data, impersonate a port authority's communications with aship or effectively shut down communications between ships and withports.

In January, a British cyber security research firm, NCC Group,found flaws in one vendor's ECDIS software that would allow anattacker to access and modify files, including charts. "Ifexploited in a real scenario," the company concluded,"these vulnerabilities could cause seriousenvironmental and financial damage, and even loss of life."

When the USS Guardian ran aground offthe Philippines last year, the U.S. Navy in partblamed incorrect digital charts. A NATO-accredited think-tank saidthe case illustrated "the dangers of exclusive reliance uponelectronic systems, particularly if they are found vulnerable tocyber attack."

"Most of these technologies were developed when bandwidth wasvery expensive or the internet didn't exist," said Vincent Berk,CEO of security company FlowTraq.

No quick fix

Fixing this will take time, and a change in attitude.

"Security and attack scenarios against these technologies andprotocols have been ignored for quite some time in the maritimeindustry," said Rapid7′s Schloesser.

Researchers like Fotios Katsilieris have offered ways to measurewhether AIS data is being faked, though he declined to beinterviewed, saying it remained a sensitive area. One Googleresearcher who has proposed changes to the AISprotocol wrote on his blog that he had been discouraged bythe U.S. Coastguard from talking publicly aboutits vulnerabilities.

Indeed, AIS is abused within the industry itself.

Windward, an Israeli firm that collects and analyses AIS data,found 100 ships transmitting incorrect locations via AIS in one day– often for security or financial reasons, such as fishing boatsoperating outside assigned waters, or smuggling.

In a U.N. report issued earlier this year on alleged effortsby North Korea to procure nuclear weapons,investigators wrote that one ship carrying concealed cargo turnedoff its AIS signals to disguise and conceal its tripto Cuba.

It's not clear how seriously the standards bodies treat thethreat. Trend Micro's Balduzzi said he and hiscolleagues were working with standards organisations, which he saidwould meet next year to discuss his research intoAIS vulnerabilities.

The core standard is maintained by the InternationalTelecommunications Union (ITU) in association with the IMO. In astatement, the IMO said no such reportof vulnerabilities had been brought to itsattention. The ITU said no official body had contacted it aboutthevulnerabilities of AIS. It said it was studying thepossibility of reallocating spectrum to reduce saturation of AISapplications.

Yevgen Dyryavyy, author of the NCC report on ECDIS, wassceptical that such bodies would solve the problems soon.

First, he said, they have to understand the IT security ofshipboard networks, onboard linked equipment and software, and thenpush out new guidelines and certification.

Until then, he said, "nothing will be done about it."

($1 = 0.5949 British Pounds) (Additional reporting by KeithWallis; Editing by Ian Geoghegan)