Hackers Could Use ChatGPT to Infiltrate Vessels
The threat of cyberattacks against vessels is not new and has historically been limited to jamming and spoofing navigation signals. However, the situation is rapidly changing as the threat from cyberattacks on vessels is increasing. Recently, the shipping industry witnessed an attack on DNV's ShipManager software system that affected almost 1,000 vessels. While many vessels still maintained their offline functionalities, this attack demonstrated the potential widespread reach of cyberattacks against vessels.
Attackers can gain significant benefits from attacking a vessel, as demonstrated by the recent blockage of the Suez Canal by a containership in 2021. Criminal hackers discovered that they could manipulate stock market changes associated with a grounded vessel to make a profit.
One way attackers can compromise a vessel is through phishing emails. Phishing emails encourage crew members to click on insecure links, leading to the download of harmful content onto their computer. Writing such emails has traditionally been a manual exercise. However, a newly released AI tool, ChatGPT, developed by OpenAI, is changing that.
Attackers have found a way around ChatGPT's internal barriers that prevent it from creating malicious material and are using it to produce persuasive phishing emails. The AI chatbot produces convincing and emotionally manipulative phishing emails that include a malicious link as an attachment. ChatGPT writes in good American English, making it challenging to distinguish illegitimate emails from legitimate ones, such as those with typos or unique formats.
The threat posed to the maritime industry by ChatGPT is significant. Shipping is a global industry, and disruption could be deeply costly. Vessels with networks taken down due to a cyberattack cannot deliver essential commodities on which industries rely, like raw materials. A hacking event could even result in a grounding on a main trade route, with wider financial implications. As a result, increased security measures, like staff training, are required to raise awareness of the threats posed by clicking on malicious links.
