
Common cyber-security vulnerabilities in ships


Despite growing awareness, ships remain at risk from cyber-attacks. Here’s a run-through of some of the most common vulnerabilities.

“We expect the cyber-attack will impact results negatively by USD 200–300m.”

Søren Skou, CEO of A.P. Moller-Maersk, in a statement after the company was hit by malware “NotPetya” in 2017.

The SMM Maritime Industry Report 2021 found that 84 percent of shipowners and ship operators consider cyber security important or very important.

Their concern is not without merit; global supply chains have become favored targets for cyber criminals, as evidenced by attacks on numerous shipping companies in recent times. A marine cyber risk consultancy reports “one new incident per day on average” (2021).

While it's encouraging to see the shipping industry gaining awareness of the issue, it appears there’s plenty of work ahead. Digitalization is transforming every part of the value chain, which—for all the good it promises—comes with challenges. According to one ethical hacker, it’s not unusual for vessels to be “wide open to cyber attack”.

So, what are the common weak spots?

In their excellent publication “The Guidelines on Cyber Security Onboard Ships” (sic), BIMCO lists some of the systems where you’re most likely to have vulnerabilities.

Let’s look at what they are, and how you evaluate them.

Vulnerable systems on board

Cargo- and loading management systems

Today, docking isn’t just done by rope. Loading, management, or control of cargo usually involves connecting the ship’s digital systems to ports, marine terminals and stevedores.

When connected to shore, your ship is more vulnerable to cyber incidents.

Per a CNBC article: "Often it’s easier (…) to hack the companies that operate in ports and airports than it is to access an actual aircraft or vessel."


Bridge systems


Digital, network navigation systems have revolutionized the ship’s bridge. But without robust defenses, they can be entryways for malicious actors.

Even if your bridge system is kept isolated from other networks, it can still be vulnerable. Software updates via removable media can pose a cyber-security threat, as they could give malware a way into your network.

Should the bridge system fall prey to a cyber attack, such as denial of service or data manipulation, it can affect all systems associated with navigation. It's worth noting that outdated bridge operating systems can also debilitate the ship, even without malicious influence.

Propulsion- and machinery management

There are many benefits to controlling and monitoring machinery, propulsion and steering via digital systems. Just remember to account for cyber threats.

Vulnerability here will vary with the level of interaction with other systems, such as remote condition-based monitoring and/or navigation and communications equipment.

 

Access control systems

It’s common to use digital systems for access control, to ensure the physical security and safety of the ship and its cargo. Such systems, which include surveillance equipment and shipboard security alarms, can be vulnerable to cyber incidents.


Passenger-servicing and -management systems


Passenger servicing and management increasingly involve digital devices such as tablets and handheld scanners. Vulnerabilities in endpoints like these can jeopardize passenger data and/or connected systems.

Passenger-facing public networks

BIMCO recommends that networks connected to the internet, installed for the benefit of passengers, should be considered uncontrolled.

Vulnerability can be minimized by keeping such networks isolated from any safety critical system on board.


Administrative- and crew welfare systems

Onboard computer networks play a key role in administration of the ship and in maintaining the welfare of the crew.

When such networks are connected to the Internet (for crew access to the Internet and email), they should be considered uncontrolled and be kept isolated from any safety critical system on board.


Communication systems


Internet connectivity via satellite or other wireless communication makes the ship more vulnerable. BIMCO recommends that the service providers’ cyber defense mechanisms be “carefully considered but should not be solely relied upon to secure every shipboard system and data”. 

Those (shipboard) systems include “communication links to public authorities for transmission of required ship and cargo reporting information” as well as “shipboard capabilities to collect data from and interrogate devices and data loggers affixed to containers for onward transmission to designated recipients ashore”.

BIMCO recommends strictly complying with applicable authentication and access control management requirements by local authorities.

How to find vulnerabilities

 

“The reality is that an aeroplane or vessel, like any digital system, can be hacked.”

David Emm, principal security researcher at Kaspersky, to CNBC.

 

All the systems mentioned above are made up of various components that may have vulnerabilities and weaknesses. Thus, vulnerability assessments play an important role in your cyber-security efforts.

Per BIMCO’s guidelines, each system can be evaluated via probing questions. See the box below for examples.

Questions that can uncover vulnerabilities in a system

  • Is the system stand-alone or is it connected to other systems?
  • Is the system connected externally, either directly or via other systems?
  • Does the system have effective, built-in risk mitigation measures such as encryption?
  • Does the system require regular software updates?
  • Does operating the system involve connecting removable devices, for example to obtain diagnostic information?
  • Is the system easy to physically access?
Source: BIMCO
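
The first two questions (stand-alone or connected, and connected externally "directly or via other systems") can be answered mechanically once the ship's connections are written down. The sketch below is an added example, not code from BIMCO or from this article: the inventory, the system names and the choice of which systems count as safety critical are all constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not from the article or BIMCO): each system
# maps to the systems it exchanges data with. Links are treated as two-way.
LINKS = {
    "passenger_wifi": ["internet", "passenger_tablets"],
    "crew_welfare_lan": ["internet", "admin_pc"],
    "admin_pc": ["cargo_management"],
    "cargo_management": ["port_terminal", "machinery_monitoring"],
    "machinery_monitoring": ["propulsion_control"],
    "bridge_navigation": [],
    "access_control": ["cctv"],
}
EXTERNAL = {"internet", "port_terminal"}          # off-ship endpoints
SAFETY_CRITICAL = {"bridge_navigation", "propulsion_control"}


def build_graph(links):
    """Undirected adjacency sets from the one-way inventory listing."""
    graph = {}
    for system, peers in links.items():
        graph.setdefault(system, set())
        for peer in peers:
            graph[system].add(peer)
            graph.setdefault(peer, set()).add(system)
    return graph


def assess(links, external, critical):
    """Return {system: (exposure, shortest path from outside, violation)}."""
    graph = build_graph(links)
    paths = {node: [node] for node in external if node in graph}
    queue = deque(sorted(paths))
    while queue:                       # breadth-first search from all external nodes
        node = queue.popleft()
        for peer in sorted(graph[node]):
            if peer not in paths:
                paths[peer] = paths[node] + [peer]
                queue.append(peer)
    report = {}
    for system in sorted(set(graph) - set(external)):
        path = paths.get(system)       # None means no route to any external endpoint
        exposure = "isolated" if path is None else "direct" if len(path) == 2 else "indirect"
        report[system] = (exposure, path, path is not None and system in critical)
    return report


if __name__ == "__main__":
    for name, (exposure, path, violation) in assess(LINKS, EXTERNAL, SAFETY_CRITICAL).items():
        flag = "  <-- safety-critical system reachable from outside" if violation else ""
        print(f"{name:22} {exposure:9} {' -> '.join(path or [])}{flag}")
```

In this sample the bridge system has no route to the outside, while propulsion control is reachable from the port terminal through cargo management and machinery monitoring, the kind of indirect connection the second question is meant to surface.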

 

Where to go from here

Cyber crime is no doubt a serious threat, but remember: You're not powerless against it. Simply knowing where you might be vulnerable is a great start. In this article, we've addressed some of the most common weak points in a ship:

  • Cargo- and loading management systems
  • Bridge systems
  • Propulsion- and machinery management
  • Access control systems
  • Passenger-servicing and -management systems
  • Passenger-facing public networks
  • Administrative- and crew welfare systems
  • Communication systems

If you're ready to learn more about cyber-security at sea, the complete BIMCO guidelines are helpful. DNV's Recommended Practice is also informative. And here’s our own piece on how to secure your industrial network.

Keep in mind these are general guidelines. Always consult with cyber-security professionals for matters specific to your company. 

Thanks for reading, and stay secure!

 

💡 Did you know?

The Moxa EDS4000 series of managed switches was the world’s first networking device to obtain the Industrial Cybersecurity certification IEC 62443-4-2. Read more about them here: 

5 pieces of IT hardware for the cyber-secure vessel

 


Posted by: Hatteland Technology
