Much is being published about the potential threats of cyber attacks on shipboard and onshore computer systems. Imaginary or overblown threats are nothing new to marketing. In 1931 beverage company Horlicks used an imaginary condition called ‘Night Starvation’ in a highly successful promotion that ran for decades. Is the threat to ships real or just a Horlicks?
Steve Jones of the Security Association for the Maritime Industry (SAMI), and respected author of several books on maritime security, looks at the issue for Maritime Accident Casebook and says…
Cleaning Up your Cyber Hygiene
As the global focal point for maritime security matters, the Security Association for the Maritime Industry constantly monitors the next shipping threats over the horizon. As part of this remit, the Association has turned its attention to the potential cyber threats hidden within the industry.
SAMI recently held a seminar on cyber security, and played host to leading experts, as this most modern of shipping threats came into the spotlight. Given the nature of the threat, the true extent of shipping’s cyber vulnerabilities remains uncertain, but the industry is slowly waking to the implications of cyber-attacks. It is increasingly recognising that poorly defended systems pose huge risks, as concerns rise that criminals, pirates and terrorists may target shipping.
Experts believe that hackers will soon discover shipping’s soft underbelly, and when they do, and as bandwidth increases allow, the results could be terrifying. It seems shipping may have been lucky up to now, but “security through obscurity” is not a solution. Indeed, cyber issues are likely to be on the agenda for governments, companies and seafarers alike into the future.
Speaking at the SAMI event, Professor Creese of Oxford University claimed that a cyber-attack in shipping is a “when-not-if” problem – so we need to get ready. At the moment the number of known shipping cyber cases is actually low, as attacks often remain invisible to the company, but such cases are likely to grow in number and impact.
Some don’t accept such low numbers and believe this is based on under-reporting – there are concerns that shipping companies avoid reporting problems for fear of alarming investors, regulators or insurers. It is also a concern that all too often shipping companies generally ignore the potential cyber threat.
One major container vessel operator has reportedly spoken on the issue, and stated they consider their vessels to be no more vulnerable than onshore systems and organisations. That may or may not be true, but it is perhaps downplaying the reality of operating at sea as opposed to ashore.
Problems which are perhaps an inconvenience on land can become catastrophic out at sea. So even if the threat levels are the same, the consequences are drastically heightened.
Facts about maritime cyber security are hard to find. While the cyber security experts perhaps see the wider threat picture, many within the maritime industry see the problems of data and cyber security internally as a more obvious and top line issue. As crew complements get smaller and ships get bigger, they have increasingly relied on automation and remote monitoring, meaning key components, including navigational systems, can be compromised.
The perennial technology problem onboard ships has been the USB thumb-drive. Since the arrival of USB flash drives in the early Noughties, the potential for a seafarer to unwittingly infect shipboard systems has grown exponentially. Add to that the change to the shipboard architecture: with systems ever more connected, any virus entering a vessel has had a growing host to allow the problem to spread.
This form of security system would fit into what was termed by Andrew Fitzmaurice of Templar Executives as an “armadillo” – hard on the outside, soft underneath. The shipboard system is protected to an extent purely by the fact that slow bandwidth (in relative terms) and physical access control mean that it can be difficult for a virus to access the system. However, once in, a virus can encounter little or no resistance, and there can be massive problems.
The so-called “insider” threat posed by seafarers themselves has to be considered. However, it was noted that this should also be the easiest to remedy, based as it is not on malicious intent, but more usually on ignorance or lack of understanding. So it is that shipping can begin to introduce the systems, protocols and cultural changes which ultimately mean seafarers move from problem to solution. But it will not happen instantly, or without a plan to change.
This does not, of course, address the less certain issue of external threats, that of the dreaded “hacker”. Technology, and the connections it brings, has seemingly opened the door to emerging threats and vulnerabilities, as equipment has become accessible to outside entities.
Researchers have discovered significant potential issues in the three key technologies sailors use to navigate: Global Positioning Satellites, marine Automatic Identification System (AIS), and Electronic Chart Display and Information System (ECDIS). Meanwhile, according to one report, a probing of the online defences of the world’s 20 largest container carriers found that 16 had serious security gaps.
The vulnerabilities take on a wide spread of faces – ranging from an attacker with a cheap GPS jammer exploiting weaknesses, through to tampering with the AIS data, such as a vessel’s identity, type, position, heading and speed, sent to shore stations and other ships. These are real problems, but it is unclear as to who is willing or able to tackle them.
SAMI warned against any false sense of security, stating that as ships grow in complexity we can no longer afford to ignore the problem. Certainly, in the past, a lack of decent connectivity to vessels undermined the most common forms of cyber attack. Working over a high-latency, low-speed satellite link would likely test the patience of a casual hacker. But with broadband increasingly becoming the norm, that inadvertent ‘barrier to hacker entry’ is set to disappear.
It has been stated that cyber security on board merchant vessels and at major ports is 10 to 20 years behind the curve compared with office-based computer systems. This means they are wide open to an ever-increasing range of threats.
So what can be done? David Patraiko from the Nautical Institute suggested that risks relating to cyber-security ought to be incorporated within the ISM code, and so be laid down within Safety Management Systems. This view was met with a nod of approval by many delegates, though of course the Code does already contain provision for threats and hazards to key equipment, so perhaps the interpretation needs to change, rather than the wording.
It is increasingly felt that we need to align the traditional notions of managing safety and security with these new and perhaps unfamiliar threats. Professor Creese said it is best to start by thinking defensively and building in resilience from day one. A shipping IT security policy must be explicit and carry tough penalties for infractions. Creese also believes that companies must ensure that staff understand and are aware of the risks and threats.
Ships need to embark on a simple “cyber-hygiene” routine to ensure that many of the more obvious vulnerabilities are dealt with. Thinking about this in plain security terms, locking a door isn’t going to stop the determined criminal but it will prevent opportunist thieves, and may also guard against stupidity of those who may compromise security by accident.
In particular, there are some absolute basics which vessels need to implement onboard as practicable actions that do not incur excessive overheads or complications:
- Setting up strong user access control;
- Setting up strong network access control;
- Performing back-ups;
- Testing disaster recovery plans;
- Making sure any anti-virus software is kept up-to-date.
Currently we do not fully know the extent to which shipping is vulnerable to a hack attack – but there are incredibly compelling warning signs. There are fears that not only are vessels and the supply chain a target, but that they are already compromised.
This means that action has to be taken, and the industry has to do more both to protect itself and to ensure that it knows when things are going wrong. For the lawyers and insurers at the conference, it seems that while cover against cyber threats exists, there are still grey areas for shipping – and this is never a good sign.
Shipping security needs certainty, process and a management system – whether protecting against real or virtual dangers. When tackling terrorists, pirates, hackers or unwitting insiders, we need to do more to manage the risk of attack and to limit its effects if the worst does happen.