The cyber security risks to ships
The increasing digitalisation and use of computer systems in shipping has brought benefits but it has also introduced a new vulnerability and risk factor that has become a big topic across all industries not just shipping. Cyber attacks can come in a variety of forms from targeted ransomeware to less dangerous malware and viruses.
This is not something that has just happened as most operators have experience dating back to the 1990s of virus attacks on PC supplied for stowage and loading purposes and as word processors for preparing various documents. Mostly these were caused by crew members loading pirated computer games on the machines and the consequences were either a need to reload all official software or in the worst cases arrange for a replacement machine.
Since the PCs were stand-alone devices, the problem was limited if in some cases quite costly to put right.
Today a cyber attack is likely to be more problematical and have a more malicious intent. Shipping has been quite silent in publicising attacks at least until the summer of 2017 when AP Møller Maersk was the victim of a cyber attack. After recovering from the computer issues triggered by the NotPetya cyberattack, Maersk revealed that the problems would cost the company as much as $300m in lost revenue. Maersk first announced that it had been hit by NotPetya — a ransomware attack that prevented people from accessing their data unless they paid $300 in bitcoin.
There is no shortage of advice in the shipping industry on tackling cyber security: the IMO, BIMCO, Class societies, P&I clubs and others have all produced documents dealing with the issue. The IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management which provide high-level recommendations on cyber risk management and include functional elements that support effective cyber risk management. The MSC at its 98th session in June 2017, also adopted Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems.
The BIMCO Guidelines are the results of input from no less than 16 organisations from shipping companies to communications providers. In the classification society sphere, most leading societies have published their own guidance and some have also devised class notations for vessels where best practices are employed.
For those interested in reading the advice, copies of the various documents can usually be accessed from the issuing party’s website. Free of charge in the case of BIMCO, ABS and LR.
In addition to all of the advice issued by shipping bodies there is a much wider choice of general advice available from other industries and governments around the globe. All of these documents can be studied to gain an understanding of the issues involved, but in many cases much of the advice requires an in-depth knowledge of IT and is sometimes on a level that is too technical for non-experts in the field to understand.
The advice suggests systems that can be put in place to guard against cyber attack and areas that need to be identified for further examination. Security measures such as protecting systems with passwords and other means and also limiting access to essential systems to approved personnel only.
Such advice will be of little use to many shipowning and operating organisations not least because of the diversity that exists in terms of size and sophistication. Large scale operators with ‘armies’ of shore staff will probably have little difficulty putting some of the advice into practice but that may not be true of smaller organisation and since the average fleet size across the industry comes out at around 10 ships, that is the vast majority of operators.
Protective systems such as passwords and limited access work in theory but require dedication if they are to continue to remain effective. Passwords are often revealed unintentionally and even shared against company policy if work circumstances are eased by doing so – especially at sea where time pressures and illness make ad hoc arrangements necessary. Then too there is the issue of staff leaving organisations and passwords not being changed immediately so that person can continue to have access. Issues such as that are worsened when password access to elements of a network is also granted to customers and clients. Segregated networks can assist to some degree, but not when media is moved between workstations on different segregated nodes.
Up in the air
The Cloud has become a modern buzzword with regard to computing but in essence it is no more than a remote server and information stored there is only as secure as the safeguards put in place by the service provider. Cloud services are also vulnerable to unauthorised use if passports and other access measures are compromised. Any company strategy being developed with regard to cyber security should consider the consequences of making use of cloud services.
Although many consider that the cloud offers security against data loss due to computer failure or theft, this is only true to a certain extent. Cloud storage is often duplicated on different servers to ensure accessibility and survivability of data in case of system failure. What it cannot protect against is the survival of the company providing the service. In the event of a bankruptcy it is likely that equipment will be seized and disposed of in order to raise funds to settle debts.
In such circumstances, essential and irreplaceable data could easily be lost. It is possible for the owner of the data to establish their own personal cloud which would overcome this problem but it is the convenience of not having to purchase equipment, maintain facilities and employ IT staff that makes cloud services attractive.
Protecting shore and ship
Cyber security strategies need to take into account two very different types of target and reasons for attack – deliberate or unintentional. Financial gain is at the root of most cyber crime so it might be assumed that companies considered wealthy will be targeted as highest priority, but as many will be prepared to testify there is no lower limit and criminals will chase tens or hundreds of dollars just as readily as thousands or tens of thousands.
There has been so much publicity around computer frauds and things such as false invoices and unusual bank transactions that logically astute business people should not be fooled by such practices but that is no guarantee that they will not. Bill of lading fraud has existed for centuries and still occurs regularly and while the ways in which paper frauds are perpetrated are well understood the potential for new ways of defrauding with digital documents is massive and not well understood at all. This sort of fraud has big implications for shipowners because the value of cargoes usually far outweighs the value of ships.
To the old frauds can be added new methods such as ransom attacks in which a piece of malware takes control of computer systems and the attacker only promises to restore control on payment of a ransom. Financial fraud has an obvious driving factor but cyber attacks on computer networks can merely be malicious perpetrated by hackers who gain some perverse pleasure from their delinquent activity.
A malicious attack on a ship operator can be very debilitating and prevent cargo bookings, production of cargo documents, payments of ships dues and supply invoices that could lead to an arrest of the ship and so much more. Attacks on shore networks need to be addressed because of the financial loss and disruption to services but attacks to systems and networks on ships are a clear danger to life and property.
When it comes to protecting commercial information and even commercial assets, the onus is clearly upon the shipowner to establish needs and put appropriate measures in place. However, when it is security of ports, nations and safety of navigation that is threatened something more – or perhaps less – is needed. The concept of e-navigation and the inevitable increase of electronics and software/firmware in systems and instruments pose risks that need to be addressed now before they have the potential to become the cause of a disaster.
As previously mentioned, early computer use on ships was limited to the stowage and loading computer and word processors. Neither of these systems was connected to each other or to any other ship systems. However, since then shipping has seen the advent of integrated navigation systems and mandatory carriage of ECDIS, and with VDR data from all of the main systems are fed into one place with the possibility of contamination growing all the time. There is no requirement under any aspect of SOLAS or STCW for crew to have training in IT with regard to anti-virus security or system recovery except under GMDSS where it is an option for ensuring system availability. It is certainly not part of the ship security officer role under ISPS or of the safety officer under ISM even if the ISM Code does require essential systems to be available at all times.
Often the operating system of navigation equipment is proprietary and even if a seafarer has been given training in one system, there is no guarantee that his expertise would be useful in the case of a different maker’s equipment. System makers have naturally promoted the benefits of their equipment but have been less forthcoming on the potential for systems to be infected by viruses. An ECDIS for example could be updated with electronic notice to mariner data using a memory stick that may last have been used to download something entirely different from an internet site or another personal device that has been infected by a virus or bot.
If a virus or malware can so easily be introduced into a ship’s navigation systems with the result that alarms are not sounded when appropriate or if in a worst case scenario, control of the ship is hijacked by someone on shore it is no use relying on the ship operator having put in place appropriate safeguards. More to the point, ships which are unaffected by a cyber-attack may be put at risk by another that is.
Communication systems – a source of vulnerability
Communication systems are another area where recent changes bring risks that perhaps were not though of at the initial stages of rollout. For the last decade, two things have been promoted as the future – crew communications and equipment monitoring. Crew communications obviously have a welfare element but the traffic in and out is not intended to be monitored by officers and if the virus protection or firewalls that may be in place are not regularly updated then a system can easily be compromised.
Equipment monitoring should not present a threat in itself but since it uses the communications system to send data, there is always a possibility that a compromised communication system could under some circumstances transmit corrupt data that could be interpreted as there being a problem that requires attention when no such situation actually exists. Where equipment monitoring also extends into the possibility to make remote adjustments to settings then the possibility for more threatening situations arises.
The last FAL meeting made mandatory the future submission of electronic information to port and other authorities. A virus in a ship’s network could thus be transmitted to the port’s IT system and render that useless. Not something that ever happened with the paper form submitted by the ship’s agent.