Cyber Security at Sea

We live in a digital world that is evolving at breakneck speed. Unfortunately, rapid change can bring problems, issues and chaos, and the maritime world is not exempt from the potential downsides of technology's evolution.

Modern ships have become ever more complex and automated over the past four decades. In the 1970s, most of the equipment was analog and very little was integrated into a system; ships still used radio telegraphs to communicate to land based stations. This has all changed, and we now work with totally digital, integrated and system-based equipment. Most vessels now have some type of internet access, and as ships become ever more sophisticated and better connected to the outside world, cyber security is fast becoming one of the maritime sector's biggest challenges.

Some factors impacting the maritime threat landscape include the recent development and usage of cloud storage and applications, stealth or shadow IT (home-grown solutions without corporate approval) and continued issues with usage of personal devices. Added to that are improper or absent training with human or system error.

Much of what transpired off Somalia and the Gulf of Aden in years past occurred when pirates used hackers to gain access to shipping company’s data bases and vessel tracking systems to identify vessels with valuable cargoes. This has made operators and crews nervous, and many ships that transit the Gulf region are turning their Automatic Identification System (AIS) navigation tracking system off so that pirates cannot identify, locate and track them. This also creates a danger to navigation, as prudent mariners look for AIS data to handle vessel traffic.

Additionally, engineering experiments have demonstrated that it is possible to change a vessel’s course by interfering with its GPS signal – causing a trackline-following autopilot to inaccurately interpret the ship’s position and alter its course as it attempts to come back on the “assigned track.”

In a development outside of the maritime world that has potential to affect operations at sea, hackers have found ways to corrupt electronic industrial control systems (programmable logic controllers, or PLCs). The well-known Stuxnet virus specifically targeted PLCs, which are used for the automation of electromechanical processes. Stuxnet comprised Iranian PLCs on centrifuges in nuclear material processing plants, causing the fast-spinning centrifuges to malfunction and tear themselves apart. The maritime industry has increasingly deployed programmable logic controllers in equipment in the engine room and elsewhere that could potentially be vulnerable to hacking and control, based on flaws in certain major brand PLCs.

There are scores of comparable incidents in the maritime world, some verified, some unverified, including several reported by major media – such as hackers shutting down a floating oil rig by tilting it, and another rig so riddled with computer malware that it took 19 days to make it seaworthy again.

At a recent conference on safer seas, the Captain of the Port of Antwerp, Belgium discussed hackers infiltrating the port's wireless network to locate specific containers loaded with smuggled drugs – then made off with the containers and deleted the records in an attempt to cover up the theft.

Unfortunately, this is only the tip of the iceberg, and it will continue. Recent studies by the European Union Agency for Network and Information (ENISA) and the Brookings Institute indicate that there is limited awareness of cyber security issues in the maritime sector, and no large scale initiatives underway for improvements. One exception is the United States Coast Guard (USCG), which recently published a Cyber Strategy to guide its efforts in the cyber domain. It specifically identified three distinct strategy priorities: defending cyberspace, enabling operations and protecting infrastructure. All of these priorities should be embraced by maritime operators as they attempt to come up to speed to secure their vessels and interests. Out at sea does not mean out of reach of the cyber world – it is only because so few know much about the industry that more attacks haven't already occurred.

As our world becomes smaller and more interconnected, the maritime community must adapt to the rapid changes in cyber technology to survive. We need sector-wide training and the ability to use simulation and technology to improve our maritime information systems and networks. It is not safe to continue to do business as usual.

AUTHOR'S BIOGRAPHY:

Captain Emil Muccin is the Assistant Department Head, Maritime Business Division of the Marine Transportation Department and is also an Associate Professor of Nautical Science at the United States Merchant Marine Academy. He was previously the Marine Transportation Department STCW Coordinator. Additionally he is the Faculty Advisor to the Cyber Defense and Propeller Clubs. Emil graduated from the USMMA with a BS in Nautical Science and from Pace University with an MBA in Information Systems. He sailed for many years as the master of paddle wheelers on the Hudson River.

ADDITIONAL INFORMATION:

The views expressed in this article are the author’s own and not those of the U.S. Merchant Marine Academy, the Maritime Administration, the Department of Transportation or the United States government.