Print Friendly, PDF & Email

Cyber attacks still seem to be perceived as a rather abstract threat in the maritime industry. While the automation technology grows rampantly, the biggest cyber security risk has always been on board, writes Felix Selzer

The cyber threat is real. »It is not approaching, it is actually happening,« says Pantelis Skinitis, Manager Strategy and Business[ds_preview] Development at American Bureau of Shipping (ABS). According to DNV GL Subject Matter Expert Patrick Rossi attackers come in many flavours with motivations to cause harm through disruptions, espionage or financial extortion. »What companies need to keep in mind is that attackers can operate not only from the outside but also from within the organisation, e.g. a disgruntled employee.«

The effects of cyber attacks vary from case to case depending on the ship type and the effected system, Rossi says. He can tell of one case, last year, when ransomware found its way on a bulk carrier and shut down the vessel’s high voltage switchboard following the encryption of a hard drive, rendering the vessel inoperable. »You can imagine how this situation could have escalated if it had taken place during critical operations,« he says.

Nobody knows the real number of unrecorded cases of attacks and disruption of business. No ship owner wants to be on the news and ruin his reputation, Skinitis guesses.

On the vessels’ and systems’ side, things are complicated. Shipping lines typically operate a mix of owned and chartered vessels, that often carry an »analogue heritage, being built for analogue control, with digital solutions grafted on later often with only minimal consideration given to security issued,« says Inmarsat’s Maritime Security Head, Peter Broadhurst. Industry guidelines and initiatives by organisations like IMO or BIMCO all recommend standardized industry practises regarding cyber security.

Cyber secure systems are not mandatory, yet. Inmarsat’s Peter Broadhurst sees an IT-landscape »littered with custom-built solutions, which have undergone limited systematic testing of cyber issues,« as industry standards for maritime back-end systems are few and far between. At the same time, especially the container shipping market has reached a stage where business without digital solutions would hardly be possible. But the focus has to be much wi­der than that. Information and operation technology must not be seen as two separate worlds any longer. Automation and connectivity increase and an attack on one system could also affect other areas, making a vessel inoperable in the worst case. »Cyber security and safety are now so ent­wined that there is a growing realisation that they must be viewed through the same lens,« says Broadhurst.

But even the regulators at the IMO or the US Coast Guard recognize that imposing hard rules is not the way as now two organisations in the industry are the same and the technology changes at a rapid pace. Instead, they propose a risk based approach.

Understand your ship

»It all starts with asset understanding,« says Pantelis Skinitis. For a risk based approach he stresses the need of having a good inventory of all systems on board: »Make a catalogue of what you have on board, how it works, what the interdependencies are and what is critical.«

It has to be clear what the possible threats are, what could happen, what can be done to prevent that from happening and finally what to do when it happens. What sounds easy often is quite complicated. Who to call when a cyber attack shuts down the engine? The IT department, the technical department?

Skinitis also recommends shipping companies to establish consistent practises when it comes to installing software and hardware and assigning access rights to systems and networks. »Establish responsibilities within your organisation and document everything,« he says.

Of course, ship networks should be protected by firewalls and anti-virus software just like any PC on shore. But cyber criminals do not necessarily hack into systems actively. According to e-learning provide Seagull Maritime 97% of all successful attacks have used so called »social engineering« techniques. »Here attackers gained enough understanding of the emotional triggers of specific people or profiles that they can trick their victims in opening doors for them long enough for them to install permanent backdoors on the company network for later and more elaborate attacks, for example looking for sensitive information, granting themselves access to restricted systems or transferring money,« Jens Hansen, Managing Director of Seagull Maritime Information Technology explains.

Security starts with the crew

Even state of the art cyber defence systems are worthless if proper training is not given to help people recognise these traps. Also personal hardware and usage of board IT for personal matters is a risk. Experts recommend that all connection of personal laptops, tablets, phones or USB memory sticks to the onboard operational system should be prohibited. Seafarers downloading data from the internet via a computer connected to the ship network could unwittingly open the door for malware. The same is true for possibly infected memory devices.

Another threat are weak passwords or login data that not only authorized crew members know. Default manufacturer passwords can sometimes be easy to find out. Also login names and passwords posted to the wall beside the computer are not exactly safe, but common practise.

Jens Hansen thinks that personnel interfacing with cyber systems should be sensitized, but management also needs to get sufficient understanding of the threats so they can allow for adequate resources »to match their risk appetite«. »Incidents should be tracked and reported so that the organisation can learn from them, much like it is done for safety incidents,« he says.

»Shipping companies are already investing in security systems at one level or another. How efficient these solutions are depends on the understanding of how they should be deployed, configured and upgraded,« Rossi explains. Shipping companies that have only recently started considering the cyber risks should look for guidance on how to start approaching these issues. »In these cases, there are training courses for management out there that can help them quickly get up to speed. The crew and staff who are interfacing with the cyber systems can easi­ly be trained on maritime cyber security risks via CBT training during voyages or in the office,« he says.

Also insurers like Allianz say that the threat of cyber-attacks continues to be significant (see also pp 36–38). Time will tell how big the chances for major cyber related incidents really are. But the risk awareness will change when a major attack happens that concerns more that one stakeholder.


Felix Selzer