Training Heads off Maritime Cyber ThreatsOctober 18, 2017 9:36 am
The potential impact that cyber risks are having on shipping is becoming a major concern for the industry. At the recent London International Shipping Week #LISW17, there were numerous discussions on the topic. Most speakers held the same view; this is an increasing problem and needs to be addressed now.
In the past, there have been criticisms and concerns that the shipping industry has a blind spot when it comes to cyber security issues; an attempt to ignore it and hope it will go away. That has not worked, and now it seems the wake-up calls are coming thick and fast.
In recent months, there have been high profile attacks on major shipping companies, and these have captured the headlines. However, away from the headlines, hackers have also been able to attack vulnerable ships through the “back door”.
While the “NotPetya” ransomware attack was being played out in the media and offices in companies ashore were struggling to cope, a cyber security researcher was busily sneaking into the systems of vessels. According to reports, the “ethical hacker” managed to gain access to a range of vessels via their satellite systems.
The researcher found that access was possible as some vessels had left usernames and passwords as default credentials. On gaining access after identifying systems online, he managed to connect with administrator privileges to the ship, and was able to view call logs, upload firmware and modify system settings.
SILLY CYBER MISTAKES
Maritime cyber security experts called this a hack “born of stupidity”, and it is perhaps a stark illustration of how simple ignorance or a lack of oversight and planning can impact safety and security.
While shipping wrestles with the challenges of cyber security, it is extremely troubling to think that equipment can be installed without a seeming lack of procedure or rules to ensure that default factory settings are changed. You wouldn’t leave your mobile phone with a default password, so why your ship?
Examples such as leaving username credentials as “Admin” or passwords as “12345”, would surely count as gross negligence in the event of an accident? There can be no justification for such a dereliction of duty, and it is staggering that this could happen.
Doing something so foolish implies some lack of knowledge, but that surely cannot be the case as cyber issues have come to the fore? Unfortunately, it shows how difficult it is to keep ships secure. Ship management structures are often not geared to manage passwords well. With a transient workforce, and with a lack of “ownership” of technical equipment, then it can be all too easy to fail…to leave the passwords as defaults, to take the easy route. In the long run, that is an extremely dangerous approach. It seems clear that more guidance, awareness and common sense is needed when we think of cyber security at sea.
NEW CYBER GUIDANCE
As is often the case, it is being stated that human failures are the number one cause of shipboard problems, in this case cyber security failures. However, in an age where ships are becoming more complex, is technology partly to blame? Are system manufacturers, designers and naval architects perhaps setting seafarers up for a fall?
There are certainly some who believe that the complexity with ships has reached a point where the old shipboard roles and responsibilities do not really work. Think of the password issue – who is in charge of the new equipment? Is it the Electrotech? Is it the navigator? In a crewing system that has done away with Pursers and Radio Officers, it seems there is a huge that needs to be plugged.
Thankfully, guidance on maritime cyber issues has been forthcoming: BIMCO has been amongst those leading the charge. As they have released a new set of guidelines with other trade bodies, such as CLIA, ICS, Intertanko and Intercargo, they boldly state that, “ignorance is no longer an option”.
The second edition of The Guidelines on Cyber Security Onboard Ships includes information on insurance, and how to effectively segregate networks, as well as new practical advice on the ship to shore interface, and cyber security during port calls. It can be accessed here, http://www.ics-shipping.org/docs/default-source/resources/safety-security-and-operations/guidelines-on-cyber-security-onboard-ships.pdf?sfvrsn=16
WHAT ABOUT ANSWERS?
There is a number of answers coming to the fore. One, and perhaps the most important, is to ensure that staff are able to deal with threats. So, training is essential in ensuring seafarers know the basics and can apply cyber hygiene and common sense.
Such routines go a long way to ensuring that the more obvious vulnerabilities are managed. There are some absolute basics which vessels need to implement as practicable actions that do not incur excessive overheads or complications:
- Setting up strong user access control;
- Setting up strong network access control;
- Performing back-ups;
- Testing disaster recovery plans;
- Making sure any anti-virus software is kept up-to-date.
Across many of the #LISW17 events, speakers warned against the temptation to fall into a false sense of security, stating that the industry can no longer afford to ignore the problem, as there is a real and present cyber threat.
One of the major concerns was of how the shipping industry can be made both aware of the dangers, while also being compelled to act swiftly. It was felt that the significant legal, insurance and liability issues which may emerge relating to maritime cyber security may be sufficient to force a response.
The marine insurance market is still wrestling with the maritime cyber issue, managing the ways to support the industry, but to the backdrop of cyber exclusions and complications. An insurer will only be liable for losses “proximately caused by the peril”, so there are concerns as to where the buck will stop. An important issue is therefore whether an insurer will be liable in circumstances where not all of the proximate causes of a loss relate to perils that an insurer is underwriting.
There seems to be some irony that a binary threat to shipping may not result in a clear-cut case or pay out. The shipping industry has been wrestling for a couple of years now with cyber security, and to the backdrop of compelling warning signs it is time to do more to manage the risk of attack and to address weaknesses. There can be no short cuts, and training will be the key to locking the cyber door.