Updated 11 Oct 2019
When communications were only about voice transmissions and Morse code sound signals, the only danger to a ship’s operation and safety was from a misinterpretation of instructions or a wrong decoding by the radio operator. The improvement of communications due to modern electronic systems has been hailed as a revolution in shipping but, while that may be true to some extent, it has also brought new hazards that can have even more drastic consequences than was previously the case.
Cyber attacks can come in a variety of forms, from targeted ransomware to less dangerous malware and viruses. Shipping is no more at risk from cyber attack than any other industry or service, but the biggest fear is that if a ship’s navigation or other essential systems were affected, there could be a high safety or pollution risk.
Cyber attacks are not a new problem: most operators have experience dating back to the 1990s of virus attacks on PCs supplied for stowage and loading purposes and as word processors for preparing various documents. Mostly these were caused by crew members loading pirated computer games on the machines, and the consequences were either a need to reload all official software or, in the worst cases, to arrange for a replacement machine. Since the PCs were stand-alone devices, the problem was limited although, in some cases, quite costly to put right. Today a cyber attack is likely to be more problematic and to have a more malicious intent.
Shipping has been quite silent in publicising attacks, at least until the summer of 2017, when AP Møller Maersk was the victim of a cyber attack. After recovering from the computer issues triggered by the NotPetya cyber attack, Maersk revealed that the problems would cost the company as much as US$300M in lost revenue; it has since revised the figure upward and has admitted that every PC in the organisation was changed.
More recently, another leading liner operator revealed that, taking into account all malicious activity including random phishing e-mails and more targeted hacking events, the number of attacks it undergoes on a daily basis exceeds 1,200 individual events.
There is no shortage of advice in the shipping industry on tackling cyber security: the IMO, BIMCO, class societies, P&I clubs and others have all produced documents dealing with the issue. The IMO has issued MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management, which provides high-level recommendations on cyber risk management and includes functional elements that support effective cyber risk management. The MSC, at its 98th session in June 2017, also adopted Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems.
The BIMCO Guidelines are the result of input from no fewer than 16 organisations, from shipping companies to communications providers. In the classification society sphere, most leading societies have published their own guidance and some have also devised class notations for vessels where best practices are employed. For those interested in reading the advice, copies of the various documents can usually be accessed from the issuing party’s website. They are free of charge in many cases, including from BIMCO, ABS and LR.
One of the downsides of class notations is that if they rely on management practices, the notation may not necessarily be continuous in cases where ships change hands. Some notations do look into the connectivity between systems on board and, as long as these are not changed, these notations may have more value.
Basic protection against cyber attack
In addition to all of the advice issued by shipping bodies there is a much wider choice of general advice available from other industries and governments around the globe. All of these documents can be studied to gain an understanding of the issues involved, but in many cases much of the advice requires an in-depth knowledge of IT and is sometimes on a level that is too technical for non-experts in the field to understand. The advice suggests systems that can be put in place to guard against cyber attack and areas that need to be identified for further examination.
Security measures include protecting systems with passwords and limiting access to essential systems to approved personnel only, but these arrangements require dedication if they are to remain effective. Passwords are often revealed unintentionally and even shared against company policy if work circumstances are eased by doing so – especially at sea, where time pressures and illness make ad hoc arrangements necessary.
Then there is the issue of staff leaving organisations and passwords not being changed immediately, allowing that person continued access. Issues such as that are worsened when password access to elements of a network is also granted to customers and clients. Segregated networks can assist to some degree, but not when media is moved between workstations on different segregated nodes.
Although many consider that the cloud offers security against data loss due to computer failure or theft, this is only true to a certain extent. Cloud storage is often duplicated on different servers to ensure accessibility and survivability of data in case of system failure. What it cannot protect against is the survival of the company providing the service. In the event of a bankruptcy it is likely that equipment will be seized and disposed of in order to raise funds to settle debts. In such circumstances, essential and irreplaceable data could easily be lost. It is possible for the owner of the data to establish their own personal cloud which would overcome this problem but it is the convenience of not having to purchase equipment, maintain facilities and employ IT staff that makes cloud services attractive.
One of the least recognised sources of cyber attack is in seemingly innocuous items such as printers. Until recently, a printer was an unsophisticated piece of equipment that did not have the capability to be compromised. However, modern versions have firmware that can be updated automatically if the equipment is connected to an internet-enabled network. Quite often the factory default setting is for the device to communicate with the manufacturer immediately it is installed and at regular times thereafter. There have been known cases of the firmware-updating communications having been maliciously altered to cause problems for the network the device is connected to. Using a less-sophisticated device or switching off the updating software may be a sensible precaution.