An engineer boards a superyacht to carry out a standard software upgrade on the vessel’s heating, ventilation, and air conditioning (HVAC) system. He plugs in his laptop and begins the installation. Little does he know that during this routine task the HVAC system has been accidentally rebooted. The dampers in the engine room close, shutting off the air supply and eventually depleting the entire area of oxygen.
This is not fiction but a real-life account that reveals how vulnerable a ships’ operating technology is to both accidental and malicious cyber attacks. All it can take is one crew member or offshore worker to plug into the ship and vital navigation or operating systems could be shut down. Luckily, in this case the engine room was unmanned and the ship was docked, but the situation could have ended up with a much more tragic ending.
The information and operating technology (IT and OT) now on board ships makes them even more vulnerable than traditional shore-based industries, according to Gwynne Lewis, head of data, digital, and software at Lloyd’s Register Marine & Offshore. He said there had been a shift in the nature of attacks, moving beyond the digital and into the physical realm.
So, while we should all still be wary of things such as classic phishing emails attempting to gain personal financial data, attacks today are becoming much more complex. “They are designed to inflict damage on property and operations by seeking to take control of industrial control systems,” Lewis warned. For example, hackers who have gained access to a ship’s network could easily inflict real damage and cause collisions or fires by gaining control of operating technology or navigational systems.
While shipping has embraced digital technology to drive efficiency and reliability, Lewis said it has done so “without considering the impact on connectivity and security”. What systems are connected to what? Are they sending data back to shore? Are they storing data on the cloud? Who can access the data being stored? If suppliers have access to your operating technology, what cyber security protocols do they have in place?
When it comes to answering and resolving these questions, Lewis said the marine industry is “way behind the curve. It has been like building a house without building the foundations. Now work must be done to build the foundations up, or risk damage to assets, potential loss of life, and loss of reputation.”
Complacency, Lewis stressed, is not an option, as the recent WannaCry malware attacks have proven. “It is not a matter of if a cyber-attack will occur, it’s a matter of when, and how severe it is.”
The US Coast Guard (USCG) published policy guidance in 2015 that will begin dealing with oversights on cyber risk and protection and push the industry from awareness and recommendations to actual regulations.
But the industry shouldn’t rest on its laurels. Ship managers should be aware of weak points on their ships and familiarise themselves with the access points, from USB ports to LAN routers, and find ways to limit or control their use – particularly ones on key systems such as ECDIS.
Training staff to stop and think about what they are plugging their devices into or what they are clicking on in emails is key. So is understanding which suppliers are accessing data and communicating with components they have supplied. Working with companies that have robust cyber security is a must. If in doubt, question what staff training and preventive procedures they have in place.
Modelling firm Risk Management Solutions (RMS) believes ships must have a maritime cyber-security plan and train their crews to better understand and handle vulnerable areas, such as integrated bridge systems, in order to prevent cyber-physical attacks. Most at threat from cyber-physical attacks in an integrated bridge system are AIS, ECDIS, and GPS, according to RMS.
However, it is important to have a holistic view of your ship’s cyber weak points. Lewis pointed to many companies, such as Qinetiq, that carry out ‘friendly attacks’ to test the robustness of ship systems. Once you know where vulnerabilities lie, you can begin to protect them.
A weak link
GPS is a particularly weak point when it comes to cyber-physical threats. Prof David Last, past president of the Royal Institute of Navigation, ran a series of trials to examine the effect of GPS jamming on shipping. In one trial, a jammer was operated from a lighthouse and aimed at ships.
Last said ships sailing through beams lost all GPS capability. Rather than shutting down, it would give false positions. “We even had ships [apparently] travelling over land,” he said.
A ship exposed to low-level jamming will “quite quietly and with no warning” start to move in position and travel away from its plotted path, Last explained. The experiments revealed that jamming GPS signals would make the ships behave erratically, with one speeding up to mark 8. “If that isn’t a good cyber-attack then I don’t know what is!”
The concern is also that GPS receivers are probably connected to dozens of other management and control systems that dependent on them. These range from the obvious navigation systems, to speed, course, and chart display data that might drive the autopilot and the ship’s clocks. One vessel Last examined used GPS to stabilise its satellite communications and the stabilisation of the helicopter landing deck.
This weakness has not just been manipulated for academic purposes. In April 2016, South Korea said that about 280 vessels had to return to port after experiencing problems with their navigation systems, and claimed North Korea was behind the disruption.
Last said it would not be hard to believe pirates or insurgents could acquire off-the-shelf jamming devices in order to disrupt a ship and make it vulnerable to attack.
In a bid to prevent such attacks, Last is campaigning for ships to revert to a modified version of an older hyperbolic radio navigation system based on Loran-C. This allowed a receiver to determine its position by listening to low-frequency radio signals transmitted by fixed land-based radio beacons. However, it has not gained much traction with governments and will not be a viable solution for most shipowners, at least in the short term.
Not only do crew and shipowners need to protect against the growing cyber-physical threat, but it has recently been revealed that most existing cyber or hull insurance policies will not cover a navigation system being jammed or physical damage to the ship caused by a hacking attack.
RMS’s updated CAMS cyber model revealed that the greatest concerns for insurers are cyber-physical attacks that trigger fires or explosions, leading to large losses or systemic claims across multiple insured parties. Companies such as RMS lack the years of data needed to create credible scenarios to provide proper exposure estimates. However, the CSO Alliance, an online community of company security officers, is to launch a project later this year to help shipowners and insurers tackle this problem.
Working with a major European aeronautics and cyber industrial partner, it will launch an online portal for the ship industry to confidentially report cyber incidents.
The confidentiality aspect is critical, said Chris Henny, project manager for the cyber incident reporting system, as shipping companies don’t want their reputations ruined. Equally, crew will often not want to report an incident out of embarrassment or fear of reprimand.“We need to provide a portal that is unique, global, and not tied to a particular government.” It also removes some of the time consuming administrative elements of reporting incidents, where ships may currently have to report to multiple governments or organisations.
While the data will be anonymised, it will be shared among the users, with a messaging tool to update fellow seafarers on potential threats, and even a live map to warn where there have been cyber-crime hot-spots. The data will also help to build up better models for companies such as RMS and, it is hoped, improve insurance to protect against cyber-physical attacks.
Mark Sutcliffe from CSO Alliance explained that without such important data, the shipping industry was blind and governments were no longer able to cope with the pace and scale of the cyber threat. “As individuals we must step up to plate and understand cyber weaknesses,” he said. “It is a war. With increased awareness and improved incident reporting, we may be able to fight back.”
Follow on twitter: @tanya_blake