Tighter cyber security on satellite communications hardware and connected networks and training crew to identify malicious emails will prevent system compromises
Satellite communications can be the entry point for malicious cyber threats that shipping companies need to close. As ships become further automated and onboard systems more connected to the internet, owners, operators and managers must ensure they have adequate protection and the ability to recover rapidly from a cyber attack.
Owners also need to incorporate cyber security into their safety management systems by 1 January 2021 to remain compliant with IMO’s amendments to the International Safety Management (ISM) Code.
In addition, there are requirements from the US Coast Guard for vessel owners and operators to ensure they have risk-assessed their networks and computers against cyber threats. Organisations such as BIMCO and classification societies have published guidance on how to protect ships from cyber attacks and comply with the revised ISM Code.
According to DNV GL head of section Georg Smefjell, owners need to identify vulnerable systems on their ships, then improve their protection, ensuring they have methods of detecting and responding to security breaches and measures to restore systems.
Some of the most vulnerable systems on a vessel are its satellite communications equipment, IT networks and systems controlling crew welfare services, operational data flow and passenger-facing public networks.
DNV GL cyber security team leader Svante Einarsson says owners should conduct “risk assessments looking at the likelihood and consequences of system compromises”. By generating a risk matrix, they can “calculate measures to mitigate risk or reduce risk levels with protection barriers”.
Although it is difficult to predict a cyber attack, ship operators need to “test how easy it is to compromise systems, remembering more connectivity means systems are easier to compromise”, says Mr Einarsson. The consequences of a successful attack can then be reviewed, looking at “availability of systems, integrity and confidentiality.”
Penetration testing will help owners to identify vulnerabilities. Segregating crew welfare networks from the operational communications and IT on ships mitigates the risk to onboard systems.
Procedures and emergency response need to be kept up-to-date in safety management systems and specific cyber security plans drawn up, says Mr Einarsson.
VSAT hardware can be vulnerable if software is not updated and passwords regularly changed. Recent penetration testing demonstrated the ease of breaching modems and antenna controls.
Ethical hackers discovered some modems only support insecure protocols for their management and application or were vulnerable to reflected cross-site scripting on the web interface. This meant hackers could add their own code to the modem, send links and execute code, create fake passwords and capture cookies.
Some modems only support insecure protocols such as hypertext transfer protocol (HTTP) and Telnet. These clear-text protocols allow a hacker to identify credentials or other sensitive information.
Vendors have responded to these issues by using secure protocols with encryption for web traffic to prevent any attacks or hackers snooping on sessions. Satellite communications terminals are critical onboard equipment that must be kept updated and secure using the latest software and firewalls.
Onboard cyber security should remain tight and staff trained in maintaining integrity and swiftly responding to any compromises.
BIMCO recommends operators change administration passwords away from the default as hackers can find these on the dark web and access the terminal administration interface.
Protecting this interface will prevent hackers from accessing critical networks on the ship, tampering with the software and introducing security flaws. Administration passwords should be regularly changed with no written reminders left beside terminals.
IT staff should use virtual private networks (VPNs) to access terminals, with private IP (internet protocol) addresses. They should ensure the latest software version is installed on terminals and updated regularly to fix security flaws, and log each update.
Firewalls must be enabled on VSAT systems as the first line of defence against cyber threats. If the vessel’s connection to mobile networks is separated from the satellite terminal, a standalone firewall can protect the business network.
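The hardening points above can be checked mechanically across a fleet. The following is an added example, not code from the article, BIMCO or any vendor: a Python audit of a terminal inventory against those points. The record fields, terminal names, version numbers and addresses are hypothetical and constructed for illustration.

```python
"""Audit VSAT terminal records against the hardening points in the text."""
import ipaddress
from dataclasses import dataclass

CLEARTEXT = {"http", "telnet"}  # clear-text management protocols named in the article
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Terminal:  # hypothetical inventory record, not a vendor schema
    name: str
    mgmt_ip: str
    mgmt_protocols: set
    default_admin_password: bool
    firewall_enabled: bool
    installed_version: str
    latest_version: str
    update_logged: bool

def parse_version(v):
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit(t):
    """Return a list of finding labels for one terminal (empty means clean)."""
    findings = []
    exposed = sorted(CLEARTEXT & {p.lower() for p in t.mgmt_protocols})
    if exposed:
        findings.append("cleartext-management:" + ",".join(exposed))
    if t.default_admin_password:
        findings.append("default-admin-password")
    ip = ipaddress.ip_address(t.mgmt_ip)
    if not any(ip in net for net in RFC1918):
        findings.append("management-ip-not-private")
    if not t.firewall_enabled:
        findings.append("firewall-disabled")
    if parse_version(t.installed_version) < parse_version(t.latest_version):
        findings.append("software-out-of-date")
    elif not t.update_logged:
        findings.append("update-not-logged")
    return findings

# Constructed sample inventory (203.0.113.0/24 is a documentation range).
INVENTORY = [
    Terminal("vsat-a", "203.0.113.10", {"HTTP", "Telnet"}, True, False,
             "1.2.0", "1.4.1", False),
    Terminal("vsat-b", "10.20.0.5", {"https", "ssh"}, False, True,
             "1.4.1", "1.4.1", True),
]

if __name__ == "__main__":
    for t in INVENTORY:
        print(t.name, audit(t) or "ok")
```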
Once satellite communications hardware is cyber secure and firewalls are in place, another line of defence is the crew. Train seafarers to identify malicious or phishing email.
In February, Dryad Global and Red Sky Alliance published a report identifying new phishing emails attempting to entice shipping company employees to accidentally start Trojan malware. There was an increase in malicious emails attempting to deliver this malware, including ransomware and cryptocurrency miners.
There is also an increased threat of malicious emails and unsolicited messages because the coronavirus pandemic forces staff to work remotely on less secure networks. GTMaritime operations director Jamie Jones warns shipping companies to expect more scammers and phishing attempts.
“Shipping companies are reconfiguring their shore-based operations in response to the spread of coronavirus, but employees can expect to receive unsolicited messages geared to exploit their personal anxieties about the epidemic,” Mr Jones says.
Scammers created websites selling bogus products, using fake emails, texts and social media posts to seek out personal information or financial reward. Under cover of promoting awareness, offering prevention tips or providing fake information about cases local to the recipient, fraudsters can request donations or deliver malicious email attachments to spread malware or steal log-in credentials.
“IT professionals must monitor and contend with emerging risks across multiple territories,” says Mr Jones. “Companies should ensure their IT infrastructure is robust.”
Crew and shore-based employees should disregard unsolicited emails claiming to be from official health agencies with new information about Covid-19, ignore online offers for vaccinations, treatments or cures and be extremely wary of attachments. They should not click on links from unknown sources or reveal personal or sensitive operational details in emails.