Shipowners and shipping firms have been urged to take the threat of cyber attacks seriously after an ethical hacking firm highlighted how easy it is to access onboard networks.
The findings have only fuelled market fears about how easily hackers may be able to access vessels.
The firm, Pen Test Partners, tried three different ways to intercept and modify serial data on ship networks – the data that controls steering, engine control, and more.
Adam Brown, manager of security solutions at software specialists Synopsys, said the issue is faced by not only shipowners but also the providers of the systems that are highly vulnerable to being hacked.
“All too often what we are seeing is that these systems are being installed onboard vessels with the default credentials still valid,” Brown told IHS Markit.
“Ships, just like cars, medical devices, and business systems, all run on software and the software producers make common mistakes,” he added.
“Those mistakes can lead to critical security and safety failings. Some industries are more aware of this than others. However, it seems that the maritime industry may be behind.”
Brown warned that an adversary who wanted to cause a disaster could use this kind of attack to ground or wreck a ship. Large ships have a very long reaction time. Adversaries also know that autopilots steer the vessel most of the time, and that the officer on watch will not necessarily ‘watch’ all the time.
“Last year, a Dutch ship Ruyter was grounded due to a watchman not paying attention,” warned Brown. “With the navigation system in complete control most of the time, and little attention paid, there is a great opportunity for an adversary to steer the ship into trouble, even remotely.
“The attacks demonstrated are not new and would be prevented with proper security policies and processes aboard. Device manufacturers and ship IT infrastructure architects can also be held to account to apply better security practices to prevent security bugs and flaws. There is no one product or activity to prevent this, only a deliberate software security initiative would address all of these things properly.”
“When you have a generic password, it does not take a hacker long to access the system using the admin password. As an admin, you have access to significant levels of control,” Brown added.
The marine sector is behind the curve compared with other transportation industries, such as automotive, which has focused heavily on the safety of vehicles as they become more autonomous.
“In terms of the marine market, ships are a great big machine and increasingly their core functions, such as its navigation and engine, are being controlled by technology.”
However, Brown cautioned that increasing evidence points to the vessels and their owners/operators not taking any more than the basic precautions to protect what is a multi-million-dollar asset. Those steps should start at the drawing board.
“The architects of these vessels are, on many occasions, compromising their security with design of the operating systems and the manufacturers are also contributing to that if they are fitting the systems in the vessel with the default access codes.”
Brown said there were controls that could be quickly and effectively installed to prevent hackers from seizing a vessel.
“There are numerous potential parties that would find the idea of being able to access and control a vessel attractive,” explained Brown. “Given the value of the vessels and cargo it may even be a nation state, but I am sure that if piracy gangs could take control of a vessel remotely they would be quick to do so.”
As such, Brown said the issue cannot be left to the IT department.
“This is a board level issue,” he added. “They have to look at the potential threats and recognise they are different from those of the past, but the response methods are still the same.
“Boards need to take the issue seriously. If I had any advice it would be to understand where you are at present when it comes to the security of your on-board systems. Once that has been established then you need to identify where you want to be.
“You then need to draw up a plan of action to get to where you want to be. It may take a while, but you have to be improving your security and it may well start with some simple steps, such as checking the settings of your systems and, if they are default settings, simply changing them.”
Insurers and shipping experts fear that hackers, potentially backed by nation states, may well look to cause huge disruption by accessing systems and planting viruses and trojans on vessels.
Giles Hunnisett, master mariner and consultant at marine consultants Waves Group, said, “Effectively when you look at vessel systems you are driving your vessel on a Microsoft computer.
“Access can come via e-mail or internet connection and it is inherently risky. Once in the system it is networked to access areas such as radar and the engine management, so you can see why it is a concern.
“My issue is you may well have a manufacturer whose system is on 20,000 vessels and those are being updated by a small number of companies. If a bug or trojan could be introduced in 1,000 vessels, they could be unable to leave or enter port. They may well be left adrift in the world’s major shipping lanes. It is a scenario that many people are surprised has not yet happened.”
“As a master mariner I can deal with a number of onboard emergencies and challenges, but I am not qualified to fight a virus in the system,” he added.
His views were backed by Monica Tigleanu, partner, cyber content, and new technology at insurance broker JLT Specialty.
“Our clients see this as increasingly important to their technology systems,” she explained. “Some of our bigger clients are willing to invest in cyber security but some of our smaller ones do not believe they have a risk.
“Clients are looking for a degree of certainty from their insurers. The biggest concern is geopolitical risk, where there is a state sponsored creation of a virus. The potential consequences of the introduction of such a virus into the marine market are pretty big.”