As vessels become more crammed with electronics and dependent on sophisticated technology and connections, there are more ways for bad actors to inflict damage, with consequences that are not only economic but that impact operations and safety as well. Technical solutions are available but are far from foolproof — the bad guys just move too fast. The good news is that a substantial number of dangers stem directly from bad habits. Train your people right and there’s a good chance they’ll avoid the missteps that can lead to cyberdisaster.
Several issues related to the challenge are highlighted in a recent white paper, “Securely Connected Vessels — Vessel Communications and Maritime Cybersecurity,” by Dean Shoultz of MarineCFO in Houma, La. Shoultz states that ships are particularly vulnerable to cyberattacks because of their ad-hoc “cobbled together” communications systems. In many cases, vessels start with a variety of original equipment manufacturer (OEM) gear in their initial construction but experience fragmentation over their life span. Fragmentation of equipment can happen when a ship is repowered or when wheelhouse equipment is changed or upgraded. Because of the disparate components on most ships, very few vessels have a comprehensive “top-down” cybersecurity plan in place.
Further problems arise because shipowners often assume that OEM equipment is inherently secure, while OEM producers believe that cybersecurity responsibilities now fall squarely on the crew. According to the white paper, ships are subject to all of the same attacks that land-based systems experience: phishing, spear phishing, ransomware, botnets, waterholing and social engineering.
Not all systems are equally vulnerable. Among the most vulnerable components are bridge systems, cargo management systems, access control, power control and passenger management systems. Other vulnerabilities arise in public networks that serve passengers and administrative and communications systems, as well as edge or distributed computing devices that serve ships connected to the Internet of things (IoT).
Cyber-risks to ships are similar to risks faced by most businesses, according to Stephen Williams, chief executive officer of Anchor Shipping Group LLC of St. Simons Island, Ga. “Risks include the hacking of sensitive information concerning financial matters and cargo manifests, for example, as well as manipulation of automated onboard functions,” he said.
An increase in those autonomous functions will make commercial maritime operations more efficient, but it also will leave them increasingly vulnerable to cybercriminals, according to Joseph Carson, chief security scientist at Washington, D.C.-based Thycotic, a security vendor. Critical systems could be prevented from functioning, resulting in collision, pollution and environmental damage, and the autonomous vessel could possibly be redirected, he said.
Photo: U.S. Coast Guard Academy cadets train on the Ship’s Control and Navigation System (SCANTS) in New London, Conn. The system simulates operations conducted on a vessel’s bridge, the components of which are among the most inviting targets for cybercriminals. (Courtesy U.S. Coast Guard)
Freight and cargo hijacking is even a possibility. Ubiquitous GPS systems “can be disrupted in a region like New York Harbor using equipment that can be bought for about $30,” said Capt. David Moskoff, a professor at the U.S. Merchant Marine Academy at Kings Point, N.Y. It’s not just a matter of navigation, either. Moskoff pointed out that both terrestrial and maritime equipment often depend on GPS for accurate time information, so any disruption of GPS could have wide-ranging consequences for many infrastructure systems.
So how can maritime operators better protect themselves from potential disasters surrounding the growth of autonomous transport? A major yet simple place to start is the protection of passwords, Carson said.
Kate Belmont, an associate in the Philadelphia law firm Blank Rome LLP, agrees. As owners and operators continue to address the technical components of cybersecurity, it is just as important to focus on minimizing the risk of human error, she said. Human error is a significant factor in breaches, and while technical upgrades are necessary, “developing an effective cybersecurity culture throughout your company is critical,” Belmont said. As such, a robust training program for employees — one that educates and continually reinforces the practice of good cybersecurity hygiene — is imperative.
According to Belmont, all information and communication technology (ICT) systems are vulnerable in some way to cyberattacks and breaches. In the maritime industry, vulnerable systems include navigation components such as ECDIS and GPS, where information may be manipulated by spoofing or jamming, as well as industrial control systems and access control and monitoring systems.
The threats and risks of cybercrime are continually evolving and advancing. Owners and operators must continually work to understand the risks and develop cybersecurity practices that are flexible, holistic and responsive to the rapidly changing threats, Belmont said. Owners and operators should seek available guidance on effective cyber-risk management from international organizations, governments and industry trade associations, she said.
Neither the U.S. Coast Guard nor the International Maritime Organization (IMO) has issued formal cybersecurity regulations, Belmont said. However, the Coast Guard continues to provide guidance for the maritime industry on cybersecurity practices, and in 2016 the Baltic and International Maritime Council (BIMCO), in partnership with Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), Intercargo and Intertanko, released the first set of cybersecurity guidelines targeted to shipowners and operators. “The Guidelines on Cyber Security Onboard Ships” was followed last year by the release of the IMO’s “Interim Guidelines on Maritime Cyber Risk Management.”
“Owners and operators should be familiar with these guidelines and evaluate them in light of their own cybersecurity programs and practices,” Belmont said.
While the International Maritime Organization has not issued formal cybersecurity regulations, the topic is increasingly gaining attention. After a meeting of the IMO’s Maritime Safety Committee in London in May 2016, the group approved interim guidelines for cyber-risk management.
Another related development involved the National Institute of Standards and Technology (NIST), which worked with the Coast Guard and maritime industry to create a cybersecurity document to improve safety when transferring hazardous liquids at U.S. ports. These bulk liquid transfers increasingly rely on computers to operate valves and pumps, monitor sensors and perform many other vital safety and security functions. This makes the entire system more vulnerable to cybersecurity issues ranging from malware to human error, and is the reason behind the new voluntary guide for the industry.
Vessel owners will need policies to control access to automated onboard systems, and they need to educate crews about the appropriate uses of a company’s data and resources, according to the “Securely Connected Vessels” white paper. To prevent hackers from circumventing weak controls, access policies should limit the availability of sensitive information at every point in the hierarchy of a ship’s organization, the report states.
Giving mariners at sea or in port sweeping administrative privileges aboard a vessel can grant hackers an invitation to breach the ship’s networks and potentially target a company’s network more broadly. Like an intelligence agency, maritime companies should think about compartmentalization and the “need to know,” the white paper states.
Every employee should be trained in how to prevent cyberattacks, regardless of the person’s rank or position in the company, and ships should create a distinction between personal and company resources, according to Shoultz. Vessel owners need to audit system-administrator privileges on a regular basis, adopt two-factor authentication and relinquish access rights when they are no longer needed. When possible, companies also need to consider biometric systems like fingerprint scanners or Transportation Worker Identification Credential (TWIC) cards that are less easily compromised than traditional passwords, the report states.
Beyond dealing with the human factors, cyberexperts say the standard fare for cyberprotection includes ensuring that all systems have the latest software updates and patches; implementing firewalls, anti-virus and anti-malware protection; and making sure Wi-Fi and other kinds of networks are secured.
The threats won’t go away anytime soon, but these steps can substantially reduce risks.