What Do You Do if a Hacker Takes Control of Your Ship?
NTNU is training mariners on how to respond to a cyberattack in progress
[By Eli Anne Tvergrov]
You’re on the bridge, with the ship’s course shown on the digital display. But why is the ship continuing to turn west?
Everything looks normal on the computer screens in the dark wheelhouse — but outside, the land is dangerously close. What’s going on?
Down in the engine room, workers report via radio that everything is normal, but they wonder why the bridge has changed course. The engines are revving and the ship is picking up speed. The engine room hasn’t done this. What now?
Cybersecurity is a hot topic for the entire maritime industry, as well as in academia. A joint team recently conducted a completely new cyber security course at NTNU in Ålesund.
Probably the first of its kind
NTNU in Ålesund’s programme for the maritime industry has just offered a new course entitled “Maritime digital security” (in Norwegian).
Over two months, course participants have looked at digital threats. They have assessed the risk of existing digital threats and realistically practiced a cyber attack on a ship under way. The key focus is on risk management of cyber attacks and building resilience.
“Where information technology and people meet, there is room for digital vulnerability. Security breaches can come in through the ship’s systems and through the port system and through the people who operate or supervise them,” Marie Haugli-Sandvik and Erlend Erstad said.
Both are PhD candidates at the Department of Ocean Operations and Civil Engineering at NTNU. They are studying how the maritime industry can be better equipped to handle cyber attacks.
The two PhD candidates have developed and now run the maritime digital security course, which appears to be the first of its kind in Norway.
The course has been included as part of the doctoral theses they are about to complete.
The Norwegian Maritime Directorate and the Norwegian Coastal Administration have a strategic goal that seafarers and personnel be offered essential digital security skills. The starting point is international requirements from the IMO (International Maritime Organization).
The international industry associations and shipping organizations therefore focus on this topic. Within the basic requirements for shipping, there will soon be even stricter minimum requirements for cyber security. Stricter requirements for training, practice and training will all come next year.
Developed with the industry
“We developed this course in close collaboration with the industry,” Erstad said. “We have listened to what they want, looked objectively at their needs, and then tested the best solution we can come up with.”
“It’s always better to have a broad perspective and different approaches with new projects and methods. Established businesses can also benefit from a fresh look. NTNU is a good place to try out new ideas. As researchers, we can help meet the industry’s urgent needs while at the same time discussing solutions with them for the future,” Haugli-Sandvik said.
Not enough training in cyber security
Haugli-Sandvik conducted a survey this winter among 293 deck officers from 11 major offshore shipowners in Norway.
- Eighty-three per cent said that they had taken part in some form of cyber security training.
- Fifteen per cent answered that they had never received training.
- Two per cent didn’t know if they had had training.
“Eighty-two percent of the deck officers said that they had received the training as e-learning and/or that they had participated in digital safety campaigns sent by their employer,” she said.
Employers to a large extent were responsible for this training, in the form of courses. This demonstrates that the industry wants to take responsibility, Haugli-Sandvik believes. But there are many standardized and general IT security courses.
“But most of the training wasn’t directly operationally oriented and/or adapted to the maritime industry,” Haugli-Sandvik said.
This is illustrated by the fact that 66% of the deck officers surveyed said that they were uncertain or disagreed that they had enough training to handle a cyber incident on board.
Challenges identified by the Norwegian National Security Authority'sRisk Report 2022
The Norwegian Maritime Directorate and the Norwegian Coastal Administration have focused on a number of challenges identified in the Report on strategy for maritime digital security 2020.
In its 2022 Risk Report, the Norwegian National Security Authority (NSM) points to a threefold increase in the number of serious incidents and cyber operations from 2019 to 2021. The corresponding report for 2023 addresses the issue that there are many vulnerabilities in unclear supply chains, and that with more unpredictability the industry needs to be better prepared.
The maritime industry has worked with digitalization in both traditional information technology systems (IT systems) and in operational technology in systems for automation, propulsion, management and other control systems. The greater the use of remote connection, integration and digitization in operational technologies, the more vulnerable the operation can be.
At the same time, the lifetime of larger ships is generally between 25 and 35 years, and digital upgrades in the entire international fleet usually happen gradually and over time. There is great variation in computer equipment on board both for administrative functions and control systems.
The situation is much the same as for ports, where more and more operations are being automated. When it comes to port traffic alone, incidents have been uncovered that have result from cyber attacks IT and administrative systems. These lead to business interruptions, information theft and manipulation linked to smuggling.
Digital IT events can have consequences for ship operations. They can affect administrative systems for ship manifests, passenger lists, digital certificates and sailing licenses and the like. This can delay or impede operations.
Companies that are exposed to these problems can experience significant financial consequences and damage to their reputation.
The Norwegian National Security Authority (NSM) points out that activity in the cyber world can be so advanced that we don’t actually notice it, and covert activity can remain hidden for a long time. How should crew on board react to discover hidden threats?
How can the crew on board make the right assessments in advance or make concrete decisions in the brief window of time a few minutes before a ship runs aground?
Knowing what to do, both to prevent this from happening, and to practice what to do if it does, is critical for the industry.
Is the ship capsizing? Captain Odd Sveinung Hareide makes contact with the engine room. Photo: Eli Anne Tvergrov, NTNU.
Deck officers and cyber security
Haugli-Sandvik’s doctoral dissertation looks at how deck officers experience cyber risk at sea.
“My project is part of the work in one of NTNU’s 12 centres for research-driven innovation. This centre, SFI MOVE (Marine Operations in Virtual Environments), works with how future maritime operations may look through the use of digital twins, machine learning and control centres on land,” she said. “I’m studying how targeted guidelines, training and risk communication can be developed for maritime cyber security. I am also investigating what tools we should develop to handle new cyber risks we may experience at sea.”
Erstad, on the other hand, is looking at cyber resilience at sea.
“I’m looking at the best way that navigators can be resistant to, prepare themselves for, and overcome, cyber attacks against the integrated navigation systems on board the ship,” he said.
Erstad says the researchers have benefitted from working with researchers at the Cyber SHIP lab at the University of Plymouth in England, which also works with maritime cyber security.
To practice realistic actions and situations in a safe environment, NTNU has opened a Cyber Range especially developed for the maritime sector. The Cyber Range enables practitioners and researchers to uncover vulnerabilities in maritime navigation and control systems for ships.
PhD candidate Erlend Erstad and Einar Johan Lukkassen from NTNU evaluate the response from the bridge. Marie Haugli-Sandvik and the other participants and observers, prepare for the exercise to continue. Photo: Eli Anne Tvergrov, NTNU
The larger course exercise relied on ship simulators at NTNU in Ålesund. These simulators are also unique in their design when it comes to realism. The participants took their seats in ship simulators, designed like a bridge on a larger ship underway in the North Sea.
“We make the simulator scenario close to what actually happens on a ship, as well as to what happens in the communication between the ship and the land. But even though the scenario uses full-scale maritime bridge simulators, the focus was mostly on getting a good discussion going,” Erstad said.
The exercise also included participants from DNV, marine underwriters the Norwegian Hull Club, NORMA Cyber, Solstad, public institutions such as the Norwegian Coastal Administration and the Inland Norway University of Applied Science, as well as from the University of Plymouth. They were invited in as observers and as resource persons in the simulation.
“We learn the most from the dialogue between the actors in the rehearsal and in the review afterwards, not least because you can then see what was practiced and the event itself from another point of view,” says Erstad.
Strengthening the weak link
Professor Kevin Jones heads the Maritime Cyber Threats Research Group and Cyber SHIP lab at the University of Plymouth. He points out that a cyber attack can pose huge problems for the global economy and trade.
“When the large container ship ‘Ever Given’ ran aground in the Suez Canal, the cause was the weather and wind. Although this was not a cyber attack, the incident illustrates the consequences that can affect a vulnerable global system,” Jones said.
Ninety per cent of world trade is predicted to be linked to maritime transport, through maritime supply chains. It’s entirely believable that a similar incident could occur due to digital vulnerabilities, as a result of unauthorized access to computers and control systems.
“The weak link is the human being, and we have to strengthen this link. Humans are the resource on board that can handle such a situation,” Jones said.
Adapt skills development
The exercises and the specific course with the participants, helpers and observers have strengthened the two PhD candidates’ view that it is important to adapt skills development to the precise circumstances at hand.
The course offers a clear practical approach to risk management in a digital perspective. This is also included as part of NTNU’s master’s programme in operational maritime management.
“It is important that businesses in the maritime sector familiarize themselves with their values, the digital threats and vulnerabilities they have. Managers need to know their employees will be able to handle the digital threats, and understand the needs they have for skills in working with digital security,” Jones said.
The next course in Maritime Digital Security is planned for autumn this year. The offer will then be tailored to an even greater extent for managers, middle managers, operational (sailing) and administrative personnel in the maritime sector, but will also be very useful for other industries.
Reference: Erstad, E., Hopcraft, R., Vineetha Harish, A. et al. A human-centred design approach for the development and conducting of maritime cyber resilience training. WMU J Marit Affairs (2023).
Cyber safety at sea
The maritime industry must raise awareness of what's at risk by not preventing cyber attacks. Here is some general advice:
Checklist at individual level on board:
- Install security updates as soon as they come and automatically as much as possible.
- Do not assign administrator rights to end users.
- Do not allow the use of weak passwords. Introduce, where possible, that users document their identity through multi-stage security and approval procedures (multi-factor authentication).
- Phase out older ICT products.
- Do not allow anything other than software that has been approved by the company or unit supplier.
Checklist at system level on board and ashore:
- Introduce a system for authentication and authorization for users of necessary information.
- Introduce protection of all data at the appropriate level, based on the sensitivity of the information.
- Introduce controlled access for IT users on board and ashore, so that each individual only has access and rights to the information for which they are authorized.
- Introduce controlled communication between ship and shore, with safety in focus.
- Introduce a response plan for cyber incidents based on thorough risk assessments.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.