The following is the text of a news release from Pen Test Partners:
(BUCKINGHAM, United Kingdom) — Ethical hackers Pen Test Partners have spent a lot of time highlighting cyber vulnerabilities within the maritime sector by speaking at various shipping conferences and events to promote the need for better cybersecurity.
One of the most common questions that senior partner Ken Munro gets asked following one of his presentations is: “Where do we start with maritime security?”
In answer to this question, he’s put together a list of 10 tactical tips which maritime industry executives can put into practice right away to reduce the risk of becoming victims of hacking.
No. 1: Make sure your satcom system isn’t on the public Internet
Most airtime providers offer a private IP address space, so hackers can’t reach your satcom system as easily over the Internet. It’s easy to find out if your vessel terminals are public or not: put the IP address in a browser and see if you can route to the terminal Web interface from the public Internet. Or you could port scan it. Speak to your airtime provider and check.
No. 2: Check that your satcom system has its passwords changed from the manufacturer’s default
By far the most common problem: the satellite terminal installer hasn’t changed the admin passwords from the default admin/admin or similar. Ensure the passwords are complex and only known by those who need to know.
No. 3: Update the software on the satcom system
Make sure it’s at the latest version and ensure it is updated every time the manufacturer publishes an update. Updates usually include fixes for security flaws, so the more out of date the software is, the more vulnerable it is. Check the terminal vendor’s software update pages regularly – security fixes are often hidden in the changelog and not easy to find. This takes time and effort, so to spare the legwork consider using a patch update alerting service.
No. 4: Check that your bridge, engine room, crew, Wi-Fi and business networks on board are logically separated
If a device on your vessel is compromised, segregated networks will ensure critical systems are kept safe from the hacker. Do crewmembers' personal laptops on the ship network have access to the navigation systems? Have you actually checked to make explicitly sure?
No. 5: Secure USB ports on all ship systems
It’s very easy to accidentally get malware on USB keys. We’ve already seen cases of ECDIS and other systems compromised by ransomware. How often do you see a phone charging from a USB port on a bridge console? Phones can be full of malware too. To prevent accidental introduction of malware to vessel systems, lock down USB access. If critical systems can only be updated by USB, keep dedicated USB keys, used for nothing other than this purpose, in a secure location. This isn’t ideal, but is better than open USB access.
No. 6: Check all onboard Wi-Fi networks
Strong encryption, strong Wi-Fi passwords and good Wi-Fi router admin passwords are a must. Crew Wi-Fi for personal use must not connect to anything other than the Internet and/or onboard systems (e.g. media streaming) for personal use. Any ship systems that use Wi-Fi (e.g. tablets for comms and navigation) must have raised security levels, including stronger authentication.
No. 7: Don’t rely on technology
Officers of the watch must be reminded not to rely too heavily on technology and get fixated on screens. GPS can be spoofed, ECDIS position can be manipulated and even synthetic radar can be hacked to misreport. Whether it’s navigation, collision avoidance or loading, the Mark 1 eyeball must be employed to ensure the situation outside the bridge reflects what the technology reports.
No. 8: Teach your crew about cybersecurity
Resources such as Be Cyber Aware At Sea are great for raising awareness and helping your crew avoid inadvertently opening the vessel to compromise.
No. 9: Make your technology suppliers prove to you that they are secure
If you don’t ask for security, you don’t get it. Your technology and services suppliers won’t spend any time on security if they don’t think the market wants it. A third-party audit of your supplier would be a good start, though in the short term you should ask them for evidence of security accreditations such as ISO27001 or compliance with the NIST cybersecurity frameworks.
No. 10: Get a simple vessel security audit carried out
Some of the worst vessel vulnerabilities are the easiest to find and fix. Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet; the same issue can affect them all.
“Developing a security policy, following IMO, ISO and/or NIST frameworks is important but it can take a long time for companies to implement particularly where process and mindset changes are required,” said Munro. “However, these tactical tips can be put into practice straightaway and every second counts.”