Most ship cyber security breaches are consequent of human error but can easily be avoided by implementing cutting edge technology and policies to prevent crews from inadvertently infecting shipboard systems.
Whether in machinery, navigation or communication systems, programmable control systems are a longstanding and essential part of ships and offshore units, but the increasing integration and connectivity of these systems represents an ever-larger target for cyber-security threats, said Knut Ørbeck-Nilssen, CEO of DNV GL – Maritime.
As 150 million emails are sent globally every minute by more than 4 billion Internet users, it is safe to assume that some of these will be infected and opened by unsuspecting crew members.
The 50,000 ships sailing the sea at any one time have joined an ever-expanding list of objects that can be hacked. Cybersecurity experts recently displayed how easy it was to break into a ship’s navigational equipment.
This was one of the key take-away from a major maritime cyber conference held in London recently and at which delegates were informed of the potentially catastrophic consequences when Operational Technologies are hacked.
“The problem is that when crew or operators use USB sticks to upload system files or log on using their own mobile phones, laptops and tablets or open an infected email, they can potentially upload a malware virus or worse,” Naval Dome CEO Itai Sela told delegates attending the European Maritime Cyber Risk Management summit.
“The biggest issue is the internal attack and the human element is definitely part of the problem. Crew training alone is not a solution,” said Sela. “Also, when a technician boards a vessel and connects a laptop or equipment directly to the ECDIS or RADAR to fix or service these systems, can they verify their own systems are secure and have not been infected?
There are many different classes of vessel, all of which operate in very different environments. These vessels tend to have different computer systems built into them. Significantly, many of these systems are built to last more than 30 years. In other words, many ships run outdated and unsupported operating systems, which are often the ones most prone to cyberattacks.
But there is also an external threat, warned Sela. “Since headquarter and vessel operations go hand-in-hand, it is important to know that when a shipping company’s offices have been hacked it means the company’s vessels are also compromised.”
It emerged at the summit that many systems onboard are still based on old operating systems, such as Windows XP, Windows 7, or Linux – systems designed and manufactured without consideration of the cyber threat.
That many of these systems remain unprotected with critical PC-based IT and OT systems frequently using the same Internet connection was a significant concern raised by Lloyd’s Register’s Elisa Cassi, Product Manager, Cyber Security.
“Industrial control systems may still run on separate networks, but true physical isolation is becoming the exception rather than the norm. Even with no direct connection, malware can bridge air-gapped networks by exploiting human activity and operator error.”
Templar Executive’s Director MCERT Chris Gibson said that 47% of ship’s crews have been targeted, with IT and OT systems “very vulnerable to attack”.
“The Maritime sector is a keystone of a modern, digitised world, but remains vulnerable to cyber-attack.”
Acknowledging the introduction of legislation and guidelines designed to help safeguard the industry from cyber intrusion, such as the Europe’s General Data Protection Rules, TSMA3 and IMO’s MSC.428(98), which will be in included in the ISM Code, he said there remains a number of maritime industry challenges. He intimated that its fragmented, cost-conscious and competitive nature can make the maritime industry an attractive target for hackers.
Gibson, Sela, Cassi and others speaking at the event all urged the industry to assess their response capabilities. Cassi said: “The earlier the detection point in the chain, the greater the chance that the ship operations center will be able to identify malicious activity, contain it and prevent it from spreading laterally.”
It was also suggested that the industry should implement an anonymous cyber-attack reporting scheme and consider establishing a Maritime Charter of Trust to establish industry-wide protocols for dealing with the threat.
The maritime industry is undoubtedly behind other transportation sectors, such as aerospace, in cybersecurity terms. There also seems to be a lack of urgency to get the house in order. After all, the cyber-specific amendments to the ISM and ISPS don’t come into force until 1 January 2021, and they only represent the beginning of a journey.
Catching up with its fellow classification societies, this month, DNV GL announced the release of its first class notations to help shipowners and operators protect their assets from cyber security incidents at Posidonia this week.
The steady approach to development of cybersecurity regulations at least provides the opportunity to learn from other sectors and fully understand maritime cybersecurity risks, rather than make hasty ill-informed decisions. Development of robust maritime cybersecurity regulations is going to be a very slow process.
(References: Naval Dome, DNV GL, The Independent)
Sea News Feature, June 26