Cyber security on ships has become a necessary fact of life in the computer age especially since connectivity to the internet has become the norm. There are still stand alone computer systems to be found on ships, but these are becoming increasingly scarce and even some systems that were not planned to be linked to the outside world are vulnerable if they are upgraded or designed by way of USB sticks or the like.
Even when computers were installed on ships as a replacement for typewriters so that crew lists and other documents could be produced and printed for customs purposes, it was not unusual for someone to attempt to install pirated software on them causing malfunctions.
Today shipping is ever more reliant on digital solutions for a wide range of routine tasks from receiving messages, updating ECDIS and other systems, stability calculations, equipment monitoring, training and administration. All designed to save time and costs and improve efficiency, these developments to a large extent rely on increased connectivity often via internet between servers, IT systems and OT systems, which renders them vulnerable to cyberattacks.
The potential for navigation and safety to be jeopardised by attacks whether malicious, criminal in intent or an inadvertent interference with a vital system prompted the IMO in 2017 to recommend ship operators to address the issue in their safety management systems. That recommendation came into effect at the start of 2021. The IMO resolution MSC.428(98) and the high level guidelines devised to aid operators, although often quoted as being requirements, will only have legal status if adopted by flag states as a mandatory requirement.
Nevertheless, pro-active operators had already put preventative measures in place and only a few blasé operators will ignore the recommendation entirely or pay lip service to it with a meaningless insertion into their SMS around ‘mitigating cyber threat to an acceptable level, considering costs and benefits of actions taken’.
Those following the IMO guidelines will ‘ensure ‘effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk management into all levels and departments of an organisation and ensure a holistic and flexible cyber risk governance regime, which is in continuous operation and constantly evaluated through effective feedback mechanisms.’ The IMO guidelines take a high level approach, but more practical measures have been disseminated by the likes of BIMCO in association with several shipping organisations, classification societies, P&I clubs, consultants, communications service providers and more.
The BIMCO publication ‘The Guidelines on Cyber Security On Ships’ provides a very good basis for any ship operator addressing the issue and is far more comprehensive than this guide is intended to be. It can be downloaded free of charge from the BIMCO website. The guide is mostly aimed at threats onboard ships because although an attack can also occur in shore offices, the loss of navigation or propulsion systems on ships is a far greater safety threat.
The BIMCO guide suggests cyber incidents can arise as the result of:
- a cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
- an unintended system failure occurring during software maintenance and patching, for example through the use of an infected USB drive to complete the maintenance
- loss of or manipulation of external sensor data, critical for the operation of a ship. This includes but is not limited to Global Navigation Satellite Systems (GNSS), of which the Global Positioning System (GPS) is the most frequently used.
- failure of a system due to software crashes and/or “bugs”
- crew interaction with phishing attempts, which is the most common attack vector by threat actors, which could lead to the loss of sensitive data and the introduction of malware to shipboard systems.
Later the guide says it is important to protect critical systems and data with multiple layers of protection measures, which consider the role of personnel, procedures and technology to both increase the probability that a cyber incident is detected and to make the best use of resources required to protect confidentiality, integrity, and availability of data in IT and OT systems.
Connected OT systems on board should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the systems, but this may not be sufficient to cope with insider threats.
Company SMS policies and procedures should help ensure that cyber security is considered within the overall approach to safety and security risk management. The complexity and potential persistence of cyber threats means that a “defence in depth” approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber incidents.
Strategies to manage cyber security on ships
Effective segregation of systems, based on necessary access and trust levels, is one of the most successful strategies for the prevention of cyber incidents. Effectively segregated networks can significantly impede an attacker’s access to a ship’s systems and is one of the most effective techniques for preventing the spread of malware.
Onboard networks should be partitioned by firewalls to create safe zones. Firewall configurations should be reviewed regularly to detect unauthorised changes. The fewer communications links and devices in a zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most protected zone.
Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly.
Awareness and training with regard to cyber security on ships is essential to address the human element. In developing a training programme or devising new safety procedures, BIMCO suggests that the following should be taken into account.
- risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site or opens a malicious attachment
- risks related to internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored
- risks related to geolocation data for personnel and ship that is publicly available
- risks related to the use of own devices. These devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment, to which they are connected
- risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)
- risks related to poor software and data security practices, where no anti-virus checks, or authenticity verifications are performed
- safeguarding user information, passwords and digital certificates
- cyber risks in relation to the physical presence of non-company personnel, eg, where third party technicians are left to work on equipment without supervision
- detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network
- awareness of the consequences or impact of cyber incidents to the safety and operations of the ship
- understanding how to implement preventative maintenance routines such as anti-virus and antimalware, patching, backups, and incident-response planning and testing
- procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.
In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.
Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this connection, the specification of the satellite link should be considered when establishing the requirements for onboard network protection.
Protection against eavesdropping is typically done by means of Virtual Private Network (VPN) connection or encrypted protocols. While protection against hacking, piercing and other types of attack can be achieved by other means such as a security arrangement with the service provider, connection through a secure server ashore for example owned by the company, or an onboard firewall.
One important aspect of cyber security on ships is to make the satellite terminal invisible. This can be achieved by deactivating functions such as “remote administration page” and “port forward”. Deactivation can typically be done in the terminal’s settings menu.
When establishing a connection for a ship’s navigation and control systems to shore-based service providers, consideration should be given on how to prevent illegitimate connections gaining access to the onboard systems.
The access interconnect is the distribution partner’s responsibility. The final routing of user traffic from the internet access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner. User traffic is routed through the communication equipment for onward transmission onboard. At the access point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.
When using a VPN, the data traffic should be encrypted to an acceptable international standard. Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or on board) should be deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic. Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner and the distribution partner. Both onshore filtering of traffic and firewalls/security inspection/blocking gateways on the ship are needed and supplement each other to achieve a sufficient level of protection.
Although a VPN is intended to increase security, in some cases multiple VPNs are being operated by different suppliers and manufacturers to connect with equipment, this may take control of access away from the Ship Manager and increase the Attack Surface of the ship.
Manufacturers of satellite communication terminals and other communication equipment may provide management interfaces with security control software that are accessible over the network. This is primarily provided in the form of web-based user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation. Examples of protection of administrative interfaces include limiting networks that can access such interfaces whether they are web-based or command line or entirely disabling unnecessary interfaces that are only used during initial configuration. As for other systems, the passwords should be managed appropriately and default passwords, which are often well-known to criminals, should be changed from the outset.
Cyber attackers do not stand still and are constantly finding new ways to exploit weaknesses in systems and networks. Consequently, managing the cyber security on ships system is essential. Security patches should be included in the periodic maintenance cycle and it is recommended to pay special attention to equipment utilised to do virtual network segregation (VLAN) and firewalling.
These updates or patches should be applied correctly and in a timely manner to ensure that any vulnerabilities in a system are addressed before they are exploited and available to hackers. It can be complicated and expensive to patch some OT systems, because all software and hardware firmware needs to be aligned and thorough tests must be conducted post installation to validate the integrity. In other cases, security patches may not be applicable without upgrading system hardware partly or completely.