Shipowners, operators and managers need to collaborate, train crew and invest in cyber security to protect ships from online threats
Container shipping is at the forefront of cyber-related threats in shipping and therefore needs to be on top of security. Box ship operators need to learn from previous attacks on the sector, discuss methods of improving security and act upon it.
They must invest in securing IT networks onshore and on board ships, and train crew and shore staff in cyber awareness and in following procedures to prevent accidental malware infections.
This was some of the advice provided to delegates at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, held in London on 15 June in association with Norton Rose Fulbright.
Templar Executives director Chris Gibson said shipping companies need to be proactive in learning from the way other organisations have responded to cyber attacks. He specifically mentioned the 2017 cyber attack on Maersk Group and its impact on container shipping and terminals.
“There is no such thing as too much collaboration, but it is not something that can be mandated,” said Mr Gibson. It is about building relationships and trust “and the wider those relationships are the better”.
He also highlighted the importance of cyber security within a shipping company’s supply chain and supporting players, as there are ship-to-ship, ship-to-port, and owner-to-supplier relationships. “It is not just vessels and ports, terminals and third parties can be hacked,” said Mr Gibson. “Supply chain is important as there are many levels of interaction.”
Owners need to know the vulnerabilities of their IT and operational technology (OT) and the potential attack vectors. Then they need to react to reduce the risks, for example, by segregating OT, such as ECDIS and radar, from potential threats.
Zodiac Maritime has introduced rules on its container ships to prevent malware from entering key OT for vessel navigation. Zodiac’s manager for quality, health, safety and the environment Karl Meher-Homji told Container Shipping & Trade that its seafarers and vendors were not allowed to have USB memory sticks on the bridge.
He said this was imposed to tighten security on ship bridges and had prevented malware from accidentally or deliberately being transferred to key navigational equipment. USBs are not even used for updating electronic navigational charts (ENCs) on ECDIS. Capt Meher-Homji said ENC updates were brought on to ship bridges on disks from reputable ENC providers and their local agents.
Delegates at the summit were told about the cyber risks to navigation equipment by penetration test specialists. Naval Dome and Cyber Prism highlighted the ease with which malware can be used to alter information on key navigation devices.
Naval Dome chief executive Itai Sela described how cyber security experts broke into radar and ECDIS. They were able to change the position of a ship, the depth information on ECDIS and meddle with targets on radar to place a ship in jeopardy of grounding.
This was achieved by introducing malware in email and breaking passwords in shipping company headquarters. “We found multiple blind spots and that many systems are unprotected,” he said.
Naval Dome experts hacked the headquarters of a shipping company and instructed someone there to send an infected ENC update to the ship. Once that was inside ECDIS, the malware started to act, manipulating the depth data and altering the ship’s position on the display.
Naval Dome has developed a USB-based security capsule that defends OT equipment from cyber attack. It provides a multi-layered defence with software that detects and intercepts malware.
Cyber Prism technical director Keith Chappell conducted a live demonstration of how easy it is to access data in ECDIS using an adapted USB that can capture data, such as passwords, user names and administration accounts. His colleague, development director Dave Manning explained that OT operating systems may remain unchanged on ships for decades, and become unsupported by software companies.
“If hackers get into the OT then the ship can be in trouble,” he said, “and remember it could be a 20-year-old machine running on old operating system.” Mr Manning said shipping companies should monitor systems and know the status of software updates and patch levels.
Classification societies are formulating notations and guidance to help container shipping improve onboard cyber security. This will be particularly important as cyber security becomes a requirement under IMO’s ISM Code from January 2021. LR, ABS and DNV GL provided guidance to delegates at Riviera’s summit.
LR cyber security product manager Elisa Cassi said shipping companies should get a third party to monitor their IT network, the OT equipment and people to “stop people sharing data to others or compromising procedures”.
She said an attacker may try to get through the communications system to compromise components of the navigation system. Shipowners “need to identify any compromise before the attacker tries to penetrate” onboard OT devices and “intercept this at the time when an attacker tries to authenticate”.
Ms Cassi explained that technology can support the early detection of cyber incidents on ships, ports or offices, and early interception and prevention of a cyber attack. She added that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.
LR conducts surveys of cyber security of onboard systems and can determine whether a ship is safe to navigate. Ms Cassi said LR is also working with other class societies to define cyber secure ship notations through the International Association of Classification Societies.
ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on OT as some have not been changed since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and ensure their USB sticks are clean of malware.
ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.
DNV GL has developed class notations covering cyber security on newbuildings. It has also produced an online video instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.
These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks, only official ENC provider USBs and update disks should be used and cleaned of malware before being inserted into ECDIS, and these systems should be segregated from the internet.
Cyber regulations and guidance for shipping
Regulations define data security requirements
Regulations surrounding security of data and ship systems have tightened to improve vessel operator responses to cyber threats. Norton Rose Fulbright partner Philip Roche highlighted that vessel owners and managers needed to ensure they include cyber security in IMO’s ISM Code by 1 January 2021.
From that point, port state control will play a limited role in enforcing cyber security. “I can see them doing a check that there is a policy in place,” he said. Inspectors will rely on classification societies' notations and certificates to understand regulatory compliance.
Mr Roche said the industry could also see something akin to an international oil pollution prevention certificate which ships would carry around to prove they are compliant.
Norton Rose Fulbright partner head of operations and cyber security, Steven Hadwin, explained that regulators are already more active in cyber security, whether through the EU General Data Protection Regulation (GDPR) or the EU directive on the security of networks and information systems (NIS Directive).
“Data protection and cyber security needs to be taken seriously from a legal point of view,” said Mr Hadwin. Courts will focus on the importance of personal data and cyber security. Data could then “become a considerable liability for an organisation,” he said.
If this data loss affected a European entity, then GDPR could be in play. Under GDPR if an organisation loses data, “it will need to speak to a regulator within 72 hours,” said Mr Hadwin. “It could impose a fine of up to 4% of that organisation’s global annual turnover.”
PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year. These “regulations have teeth,” he said, because of the potential size of fines and damage to company reputation from being a victim of a cyber attack. This is one of the reasons why boardroom executives should be aware of and understand what is required for compliance.
Ship network bridges exposed to cyber threats
Shipowners need to be aware that operational technology (OT) can still be hacked even if it appears to be on a separate network from a ship’s IT. Pen Test Partners was able to hack OT on a simulated container ship by taking control of the bridges between IT and the operational network. This meant ethical hackers could take control of the ship’s navigation, steering and propulsion systems.
Pen Test Partners senior partner and ethical hacker Ken Munro said at the Information Systems Security Association conference in London in July that bridge equipment, such as ECDIS, radar, voyage data recorder and serial-IP convertors could be hacked.
These have Windows operating systems, which means it is “trivial to exploit and take control of the serial COM ports after taking control from the IP network,” said Mr Munro. It is easy to control the IP convertors because they usually have default passwords.
Hackers then have complete control of the serial data the convertor is sending to the ship’s OT and can tamper with the data without alerting the crew. Serial traffic can be routed through a laptop and the GPS data feed to ECDIS can be changed.
“If the ECDIS is in a track control mode, whereby it directs the autopilot, then the hacker can fool it and cause the ship to change direction,” said Mr Munro.
To mitigate these types of attacks, ship IP and serial networks should be segregated, said Mr Munro. IT and OT personnel should work more closely together, preventing security holes from creeping in. Passwords for serial devices must be changed from the default and communications should be encrypted. “Serial device software must be kept up-to-date and patched against security flaws,” said Mr Munro.
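An added example, not from the article or from Pen Test Partners: a defender-side plausibility monitor for the GPS feed to ECDIS described above, assuming the serial data is NMEA 0183 RMC sentences (the article names no format). It rejects sentences whose checksum fails and flags fixes that imply a speed the ship cannot reach; the function names and the 30-knot ceiling are assumptions, and the sample feed is constructed.

```python
import math
from functools import reduce

def checksum(body):
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda c, ch: c ^ ord(ch), body, 0)

def make_sentence(body):
    """Build a constructed sample sentence carrying a correct checksum."""
    return f"${body}*{checksum(body):02X}"

def to_degrees(value, hemi):
    """Convert (d)ddmm.mmmm plus hemisphere to signed decimal degrees."""
    deg, minutes = divmod(float(value), 100)
    return (deg + minutes / 60.0) * (-1 if hemi in ("S", "W") else 1)

def parse_rmc(sentence):
    """Return (seconds_of_day, lat, lon) for a verified RMC fix, else None."""
    body, _, given = sentence.strip().lstrip("$").partition("*")
    f = body.split(",")
    try:
        ok = checksum(body) == int(given[:2], 16) and f[0].endswith("RMC") and f[2] == "A"
        secs = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
        return (secs, to_degrees(f[3], f[4]), to_degrees(f[5], f[6])) if ok else None
    except (ValueError, IndexError):
        return None

def implied_knots(a, b):
    """Speed implied by two fixes: haversine distance (nm) over elapsed hours."""
    p1, p2, dl = math.radians(a[1]), math.radians(b[1]), math.radians(b[2] - a[2])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(h)) / ((b[0] - a[0]) / 3600.0)

def find_anomalies(sentences, max_speed_kn=30.0):
    """Flag unverifiable sentences and fixes implying more than max_speed_kn
    (an assumed ceiling; tune per vessel)."""
    alerts, last = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "checksum/format"))
        elif last and fix[0] > last[0] and implied_knots(last, fix) > max_speed_kn:
            alerts.append((i, "position jump"))
        last = fix or last
    return alerts

# Constructed sample feed (not captured data): steady track, a jump, an edited line.
SAMPLE = [make_sentence(f"GPRMC,1200{t},A,{lat},N,00125.000,E,14.0,045.0,150618,,")
          for t, lat in (("00", "5107.000"), ("10", "5107.040"), ("20", "5109.000"), ("30", "5109.040"))]
SAMPLE[3] = SAMPLE[3].replace("5109.040", "5109.940")  # body changed, checksum stale
```

The checksum only catches careless edits, since anyone altering the feed can recompute it; the implied-speed check is what catches a correctly checksummed but implausible position.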