Despite growing awareness, ships remain at risk from cyber-attacks. Here’s a run-through of some of the most common vulnerabilities.
"We expect the cyber-attack will impact results
negatively by USD 200–300m.”
Søren Skou, CEO of A.P. Moller-Maersk in a statement
after the company was hit by malware “NotPetya” in 2017.
The SMM Maritime Industry Report 2021 found that 84 percent of shipowners and ship operators consider cyber security important or very important.
Their concern is not without merit; global supply chains have become favored targets for cyber criminals, as evidenced by attacks on numerous shipping companies in recent times. A marine cyber risk consultancy reports of “one new incident per day on average” (2021).
While it's encouraging to see the shipping industry gaining awareness on the issue, it appears there’s plenty of work ahead. Digitalization is transforming every part of the value chain, which—for all the good it promises—comes with challenges. According to one ethical hacker, it’s not unusual for vessels to be “wide open to cyber attack”.
So, what are the common weak spots?
In their excellent publication “The Guidelines on Cyber Security Onboard Ships” (sic) BIMCO lists some of the systems where you’re the most likely to have vulnerabilities.
Let’s look at what they are, and how you evaluate them.
"Often it’s easier (…) to hack the companies that operate in ports and airports
than it is to access an actual aircraft or vessel."
Source: CNBC.com
Vulnerable systems on board
Cargo- and loading management systemsToday, docking isn’t just done by rope. Loading, management, or control of cargo usually involves connecting the ship’s digital systems to ports, marine terminals and stevedors. When connected to shore, your ship is more vulnerable to cyber incidents. Per a CNBC article: "Often it’s easier (…) to hack the companies that operate in ports and airports than it is to access an actual aircraft or vessel." |
![]() |
Bridge systems![]() Digital, network navigation systems have revolutionized the ship’s bridge. But without robust defenses, they can be entryways for malicious actors. Even if your bridge system is kept isolated from other networks, it can still be vulnerable. Software updates via removable media can pose a cyber-security threat, as they could give malware a way into your network. Should the bridge system fall prey to a cyber attack, such as service denial or data manipulation, it can affect all systems associated with navigation. It's worth noting that outdated bridge operating systems—i.e. without malicious influence—can also debilitate the ship. |
Propulsion- and machinery managementThere are many benefits to controlling and monitoring machinery, propulsion and steering via digital systems. Just remember to account for cyber threats. Vulnerability here will vary with the level of interaction with other systems, such as remote condition-based monitoring and/or navigation and communications equipment. |
![]()
|
Access control systemsIt’s common to use digital systems for access control, to ensure the physical security and safety of the ship and its cargo. Such systems, which include surveillance equipment, and shipboard security alarms, can be vulnerable to cyber incidents. |
![]() |
Passenger-servicing and -management systemsPassenger servicing and -management involve, to a larger and larger extent, digital devices like tablets, handheld scanners and so forth. Vulnerabilities in endpoints like these can jeopardize passenger data and/or connected systems. |
Passenger-facing public networksBIMCO recommends that networks connected to the internet, installed for the benefit of passengers, should be considered uncontrolled. Vulnerability can be minimized by keeping such networks isolated from any safety critical system on board. |
![]() |
Administrative- and crew welfare systemsOnboard computer networks play a key role in administration of the ship and in maintaining the welfare of the crew. When such networks are connected to the Internet (for crew access to the Internet and email), they should be considered uncontrolled and be kept isolated from any safety critical system on board. |
![]() |
Communication systemsInternet connectivity via satellite or other wireless communication makes the ship more vulnerable. BIMCO recommends that the service providers’ cyber defense mechanisms be “carefully considered but should not be solely relied upon to secure every shipboard system and data”. Those (shipboard) systems include “communication links to public authorities for transmission of required ship and cargo reporting information” as well as “shipboard capabilities to collect data from and interrogate devices and data loggers affixed to containers for onward transmission to designated recipients ashore”. BIMCO recommends strictly complying with applicable authentication and access control management requirements by local authorities. |
How to find vulnerabilities
“The reality is that an aeroplane or vessel,
like any digital system, can be hacked.”
David Emm, principal security researcher
at Kaspersky, to CNBC.
All the systems mentioned above are made up of various components that may have vulnerabilities and weaknesses. Thus, vulnerability assessments play an important role in your cyber-security efforts.
Per BIMCO’s guidelines, each system can be evaluated via probing questions. See the box below for examples.
Questions that can uncover vulnerabilities in a system
|
Where to go from here
Cyber crime is no doubt a serious threat, but remember: You're not powerless against it. Simply knowing where you might be vulnerable is a great start. In this article, we've addressed some of the most common weak points in a ship:
-
Cargo- and loading management systems
-
Bridge systems
-
Propulsion- and machinery management
-
Access control systems
-
Passenger-servicing and -management systems
-
Passenger-facing public networks
-
Administrative- and crew welfare systems
-
Communication systems
If you're ready to learn more about cyber-security at sea, the complete BIMCO guidelines are helpful. DNV's Recommended Practice is also informative. And here’s our own piece on how to secure your industrial network.
Keep in mind these are general guidelines. Always consult with cyber-security professionals for matters specific to your company.
Thanks for reading, and stay secure!
💡 Did you know? The Moxa EDS4000 series of managed switches was the world’s first networking device to obtain the Industrial Cybersecurity certification IEC 62443-4-2. Read more about them here: |
Recommended reading:
Q&A: Talking Moxa with Mr. Gøran Labrå
TEMPEST certified display solutions protects classified information
An introduction to computer networks on board ships
What is a smart ship?