As the industry moves into a smart-shipping era, the risk of cyber threats is at an all-time high. Digitalized ships, increasing interconnectedness, the extended use of electronic data exchange and electronic navigation increases the likelihood of cyber attacks.
The Cyprus Shipping Chamber has issued cyber security guidance in the form of a case study interview with a member-company that is a shipowner, technical-operations manager and crew manager. The chamber adds additional things to consider to the company’s response to key questions.
The guidance covers a wide range of issues, with this excerpt focusing on satellite communications issues:
Why is your company implementing cyber security in its fleet?
Currently, the company is undergoing a transition from the current Fleet Broadband communication services to a higher broadband capable VSAT system. This “open to the internet” situation will drive the company towards more vigilance and the need for a cyber security program to be put in place.
The rapid development in maritime broadband satellite coverage combined with the introduction of highly sophisticated equipment, such as computer controlled engine systems, has changed the structural risks to maritime vessels. Ships are no longer protected by an air-gap from external systems. Today, an estimated 30,000 vessels globally have equipment providing them with constant internet access, which is an increase from only 6,000 in 2008.
Even if networks on board are separated between systems for ship operation, crew welfare and remote access to suppliers, separations can over time be compromised by ad hoc interventions by the crew or suppliers, for instance in connection to maintenance.
Cyber security refers to the security of information networks and control systems and the equipment and systems that communicate, store and act on data. Cyber security encompasses systems, ships and offshore assets, but includes third parties – subcontractors, technicians, suppliers – and external components such as sensors and analytic systems that interface with networks and data systems. This includes human interaction of crews and other company personnel, customers and potential threat players. In such a dynamic system, cyber security is an evolving set of capabilities inside the company, developing and adapting as technology and threats evolve.
How does VSAT broadband change your view of ship cyber security?
The VSAT broadband ability allows ships to have direct connection to the Internet, therefore exposing them to its dangers. As a result of this, and because of the increasing cyber-attack incidents around the world, this is motivating this company to be more vigilant on this matter.
It needs to be noted that Fleet Broadband (FBB) and VSAT have in-common cyber security vulnerabilities as each is connected to the internet. FBB is likely a risk as the systems protecting the network are commonly older firewalls that are left with the default configuration and have never been updated. Compounding the risk is the prevalent infrequently updated antivirus and out of date operating systems on computers.
Cyber threats will most likely come from within the ships network from a vendor or the crews use of personal computers from virus emails, phishing, improper content downloads, to name just few threats. The ships network needs to be mapped and all critical systems need to be assessed for vulnerabilities. Penetration tests are a good check on the existence of vulnerabilities so that corrective actions can be prioritized.
When malware is introduced into a computer or ship system connected to the network, a common action of the malware is to establish a covert command communication outward. The result is possible system encryption, exfiltration of data, and a number of other serious exploits. These types of communications are potentially not identified by antivirus or ISP scanning as a threat.
What are you doing to keep antivirus software, computer patches and systems updated onboard?
A system, in order to be as less vulnerable as possible, needs to be as up-to-date as possible. For the time being not all our vessels have internet access, therefore we update our computers by sending CDs with updates, links with updates to next port agents, as well as during attendance by the communication team members. Once a VSAT broadband solution has been installed on board, the updates will be pushed to the vessels from the communication department via the internet.
It is important that antivirus updates and software patches across the fleet be performed frequently, routinely and tracked. Dependence on port agents and other unscheduled visits by the communication team creates the risk that some ships will be updated more frequently and some not at all. At the very least a schedule and tracking method needs to be in place to ensure that updates are completed.
Assigning a person to be responsible for the updates and reporting completion to the shore cyber security person in charge is a recommended minimum standard. In this current scenario it is likely that the Captain is given the updates and is the person relied upon to make the updates. It is not a good policy to place this added responsibility on the Captain, and unfortunately this is exactly what is happening in many fleets.
A process to put in place the most current PC operating system software on all computers on board is a critical need. Using outdated, possibly unlicensed, unsupported software is a known high cyber security risk that can be corrected with management policy and controls as part of the company quality system.
It is recommended that a shipboard PC replacement policy be put in place where old and outdated hardware is replaced, based on the expected life of the hardware.
Are you looking to use the satellite communication / ISP provider as your cyber security provider? If partially to what extent?
Our satellite communications providers will take part in enforcing our cyber security policy by blocking specified senders/domains, providing email filters, filtering websites, etc.
Ensure that the alert communication procedure and reporting is as direct as possible and in accordance with your response expectations.
ISP filtering is an automated process, and its effectiveness is susceptible to exploits newer than the latest update. It is reliable but not infallible especially when the exploit originates on board.
Be especially careful with an ISP providing cyber security and to what scope it provides support. Commonly an ISP will use a third party cloud based cyber security provider contracted to them. Notification of routine and serious alerts will likely be separated from you by several degrees where the third party provider notifies the ISP who notifies you. Your questions and requested actions can be delayed. Additional charges for the third party provider services are likely. Additional service support should be clarified in advance.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.