Cruise sector heightens defences against cyber threat

Carnival cyber-security chief Gary Eppinger. Credit: Carnival Corp

The focus on cruise cyber-security threats has never been greater. As part of a broader maritime initiative, guidelines for best practices were released by industry groups in early January and two IMO committees will address the topic in April-May.

“We are in the midst of a transformational change,” said Gary Eppinger, who was hired by Carnival Corp in 2013 as the group’s first-ever chief information security officer (CISO). “We have made tremendous improvements in our security posture,” he told IHS Markit.

Cruise cyber-security threats fall into two basic categories: those to the security of passengers’ personal information such as credit card numbers, and those to operational security, such as a hacker taking control of shipboard systems.

Security of personal information can be enhanced through greater diligence with third-party vendors, including the thousands of shore-excursion partners worldwide. “Vendors have to meet and maintain security requirements to be part of the family,” said Eppinger. “Also, we do not provide vendors with information beyond what they need to know for a particular transaction.”

Training is also key. Cruise employees who deal with customer data must be trained to “do it in the most secure way and, more importantly, [to] know how to escalate [something that doesn’t look right] to the right people”, said Eppinger.

The more ominous cyber-security threat to cruising involves remote hijacking of a shipboard system. Asked whether this concern is realistic, Eppinger responded, “It’s one of those things where I’ll never say never. There is a risk. Is it a great risk? That’s to be determined. But if it were ever to happen, it would have a major impact to the reputation of our industry, so we take it seriously.”

He did point out that cruise ships are not designed to be controlled remotely. “We do a lot of remote monitoring, but a cruise ship is controlled by the folks on the ship, so that takes a lot of the risk out.”

In the worst-case scenario, the cruise response plan does include cutting off external datalinks to regain manual control of the vessel. “That is absolutely built into our scenarios,” confirmed Eppinger. “Systems can be taken offline. Ships can be sailed the old-fashioned way.”

Bud Darr, executive vice-president of the Cruise Lines International Association (CLIA), also cited the potential to sever external connections. “It is very important to be prepared to do that,” Darr told IHS Markit.

“This is one area where training becomes very important. If there is a potential threat, it’s important that your crew members be trained, not only in what actions to take to successfully operate the ship without the use of the system involved, but also to identify in the first place that a cyber vulnerability is being exploited.”

Darr cited two issues that could create vulnerabilities to operational systems: overlapping of information streams used by passengers such as shipboard Wi-Fi with information streams used for operational systems; and interactions between third-party equipment suppliers’ information streams and those of shipboard operational systems. For Eppinger, the solution to both threats is to segregate the information streams, which is Carnival Corp’s practice.

Asked how the cruise group approaches hardware investments to address cyber security, he explained, “It takes two-to-three years to build a cruise ship and technology is changing at such a great pace that [by the time a ship is delivered] a great deal will be outdated. So you must be prepared to retouch [the shipboard IT system] before it goes into service.”

For cruise owners with many existing vessels, “you also have to retrofit and update the hardware and components of the network to ensure you have the controls that are needed”, said Eppinger.

Even after every system is updated, however, the cyber-security process is not over. “By the time we get to what we think is the proper level of security, we’ll learn about 10 more new things that expose us to risks,” said Eppinger. “This is a journey where we never get to the finish line.

“At the same time, our industry is changing dramatically. We’re developing new ships that are more integrated than ever before and our customers are now demanding more than they’ve ever demanded in the past. There is a revolution [in shipboard IT] going on.”