Cyber Vigilance at Sea: The New Norm

The risk of cyber attacks on vessels at sea continues to be significant, and it’s not going away any time soon. Each year, it seems, there are more and more reports of hacks that have resulted in loss of critical data, financial loss or problems with IT systems or shipborne systems functionality.

Shipowners have been reluctant to share information on actual or attempted breaches for fear of being identified. However, there’s no shortage of examples of cyber attacks on vessels.

Last August, a French naval contractor was hacked, resulting in the leak of more than 22,000 documents detailing the design of a submarine under construction for the Union Navy. In October, Hewlett Packard Enterprise Services informed the Navy that an employee’s company laptop was hacked, resulting in the opening of more than 134,000 personal records of sailors. In 2014, an investigation into the collision between the multi-purpose cargo ship Rickmers Dubai and an unmanned crane barge revealed that the USB thumb drive had been used to store a movie, an abuse which risked corrupting valuable data.

Hackers attacking a ship’s operating system may be attempting to obtain several types of information. Some seek to obtain the cargo manifest and container numbers so they can locate valuable pieces of cargo. Others are after vessel IP addresses so they can breach corporate security. And, while less likely, it’s also possible that some seek to spoof the ship.

Awareness is Growing 
The good news is there’s growing awareness about the risk of maritime cyber attacks. Several resources are now available to help mariners learn about common vulnerabilities to onboard computer-base networks and industrial control systems, including both operational and informational technologies. One good example is BeCyberAwareAtSea.com, a global maritime and offshore industry initiative that encourages the sharing of research data, best practice cyber guidelines and educational articles to help stakeholders understand the challenges that the digital era brings to shipping and offshore operations. The USMRC has also launched an e-learning course, which meets IMO interim draft guidelines on maritime cyber risk management.

Cyber awareness is also being driven by military and government contracts, which demand that attention be focused on marine loss control among operators and shipyards. In many cases, shipyards that bid on government contracts are required to demonstrate that they have a secure platform.

Get on Board 
Addressing cyber security should be a priority for senior management rather than a concern that’s delegated to the vessel security officer or the head of the IT department. Given that most cyber attacks have not been aimed on the vessel, per se, but are more an effort to breach corporate security, vigilance at the corporate level makes good sense.

The nature of data transmission on a vessel, which often happens automatically, is such that the interconnected nature of information may lead to the system being compromised. Vessels typically share a connection with corporate security, so it’s essentially a means to access corporate servers. 

Senior management must also demonstrate a commitment to employees who live at sea so that the human element of cyber risk is appropriately addressed. For example, millennials going out to sea are accustomed to having access to email and online entertainment. It’s essential that these needs be provided for so that the crew is not jeopardizing security by using the ship’s operating systems for personal needs, thereby threatening the security of the corporate firewall.

Senior management needs to let the crew know that they’re important, trusted stakeholders and that their own livelihood is affected by their safety, particularly as it relates to the risk of attempted hacks.

Practical Guidelines
There are standard practices that can be implemented to reduce cyber risk. Each crew member should be instructed on proper cyber security procedures at sign-on when joining the vessel and periodically while onboard. It’s especially important to review cyber security procedures when shipboard operations are subjected to outside impacts, shoreside tech reps or during a shipyard period.

It’s critical that the vessel have a response plan that can be implemented and has been tested. Regular back-up of critical systems are an important part of any response plan. The IMO provides high-level recommendations for maritime cyber risk management while BIMCO recommends cyber security be tied in with a vessel security plan, which is a framework under the safety management systems that already exists.

The stipulations in the ISPS and ISM Codes enable a fast rollout of a framework for handling the management of information system security (ISS) on board ships. The principal advantage of this solution is that it is not necessary to create a new system; existing tools used in the maritime world can simply be adapted. The Maritime Safety Committee, under MSC 96/4/5, suggests specific steps that ships can follow to achieve ISS protection.

The Biggest Weakness: The Human Element 
For all the talk about improving firewalls and ensuring that shipping and corporate platforms are secure, the biggest risk to cyber security is actually the human element. The IMB has reported that more than 80 percent of offshore cyber, information technology and operational technology security breaches were the direct result of human error. This reality needs to be conveyed and emphasized to all who work in the industry.

Tough Decisions
These are challenging times for the shipping industry. Budgets are tight and there’s pressure to delay maintenance, reduce manning and decrease training. Unfortunately, the threat of a cyber attack is not seen as a traditional maritime hazard, and is therefore an area that’s easily overlooked. Ultimately, it goes back to treating employees right, making sure they have the resources to do their jobs as efficiently as possible, making sure they have the knowledge they need, and making them feel vested as vital stakeholders in the effort to successfully defend against cyber attacks.