Even cruise ships can be hacked—and what is being done about it
Shipping organizations and companies worked together to come up with cybersecurity guidelines to protect your cruise and your cargo.
As you head to your fifth meal of the day in the cruise ship dining room, you may not pause to think about the computer systems that make your cruise smooth and comfortable.
But cruise companies—and shipping companies—are thinking about them, as well as attackers who may want to get in—for espionage, for personal information mining, or for destruction.
Now, the shipping industry has launched new cybersecurity guidelines to prevent disasters on the seas.
“As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are increasingly being networked together – and more frequently connected to the worldwide web,” the guidelines say. “This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks.”
What is the threat?
The new Guidelines on Cyber Security onboard Ships lays out some of the cyber threats facing ships and shipping companies, including terrorists trying to disrupt critical national infrastructure, criminals looking to sell or ransom stolen data, activists wanting to disrupt operations, and opportunists simply looking for a challenge.
“In addition, there is always the potential for individuals inside a company or onboard a ship to compromise cyber systems and data unknowingly,” the guideline document says.
There have been reports of vulnerabilities in “black boxes” for ships, allowing employees to possibly alter data after an incident to cover their tracks.
The guidelines say attackers may use techniques like social engineering, phishing and malware, even ‘subverting the supply chain’—“attacking a company or ship by compromising equipment or software being delivered to the company or ship.”
Ship hacking has already caused problems on the seas, according to Reuters.
“Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again,” Reuters reported in 2014.
“Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they’re somewhere else,” Reuters said, “And hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.”
Mapping the risk
The guidelines say companies need to assess the risk and then take steps to reduce it. One example: when there is no control over who has access to onboard systems.
“This could, for example, happen during dry-docking or when taking over a new or existing ship,” the guidelines say. “It is impossible to know if malicious software has been left in the onboard systems.”
Other vulnerable times could be when technicians from other companies connect via remote access to do maintenance, read data or troubleshoot, and when service providers and/or port authorities connect directly to a ship’s system with removable media, like a thumb drive, according to the guidelines.
The document then lays out techniques and strategies for protecting a ship’s computer systems, not just in the example mentioned, but in all aspects of operating a ship.
Some cybersecurity experts say the guidelines are in line with current standards for cybersecurity.
“It is nice to see that the new Guidelines on Cyber Security onboard Ships document incorporates the National Institute of Standards and Technology Cybersecurity Framework,” said Patrick Coyle with Chemical Facility Security News.
The Cybersecurity Framework brings together a wide variety of US and internationally established standards, said Coyle, and lays out technical standards that should be incorporated into a cybersecurity plan.
Flaw in the plan?
Cybersecurity experts say there is a problem with the guidelines that could leave some ships unprotected—the fact that they are only guidelines, not requirements.
“These types of guidelines are a great start, and they’re certainly the right thing to do, but they are not mandatory or enforceable,” said Patrick C. Miller with Archer Security Group.
“While it is a good first step, there is little incentive to follow the guidelines established,” said Bob Beachy, also with Archer Security Group.
In addition, the guidelines do not lay out a way for ship owners to share information about cyber incidents, said Coyle.
Experts say not sharing information on cyber attacks can leave other companies vulnerable and lead to more attacks.
The document says the goal is to help shipping companies learn about the risks and how to deal with them.
“The Guidelines are designed to develop understanding and awareness of key aspects of cyber security,” the document says. “The Guidelines are not intended to provide a basis for auditing or vetting the individual approach to cyber security taken by companies and ships.”
But some cybersecurity experts say auditing and vetting may be what the industry needs to be secure.
“The industry will tout this as an example of their good faith efforts to move industry security practices forward, but progress and existing maturity will not be quantifiable until the industry is required to undergo some form of external audit or evaluation that incentivizes companies to achieve an established baseline for security,” said Beachy.
Senior management should make decisions about cybersecurity, not just the ship’s security officer or the IT department head, according to the guidelines.
“Initiatives to heighten cyber security may at the same time affect standard business procedures and operations, rendering them more time consuming or costly,” the document says. “It is therefore a senior management level strategic responsibility to evaluate and decide on risk versus reward trade-offs.”
Those same initiatives may also change how the company interacts with customers, suppliers and authorities, the document says.
“It is a senior management level decision whether and how to drive changes in these relationships,” it says.
At what price?
Cybersecurity costs money, experts say, and some companies might decide to forego security in favor of profit.
“Quality adherence to the guidelines will require significant investment in tools and personnel, and at present, it sounds like a company could choose to ignore any number of the practices outlined based on the costs and effort associated,” said Beachy.
But ignoring the guidelines could cost more money in the long run, some experts say.
“It is often difficult to communicate the need for such investment until something really scary has happened, but the good news is the industry has taken the first step in declaring the importance of such guidelines for safety, environmental, and commercial purposes,” he added.
Doing their homework
BIMCO is one of the organizations that helped develop the guidelines.
It describes itself as the world’s largest international shipping association, with 2,200 members in about 130 countries.
The association said on its website that it made a decision in 2013 “to engage in the issue of cyber security for ships — with the goal of being able to best inform and give guidance to its members.”
BIMCO’s president said in November that the organization is leading in guidance and info analysis, according to a press release on the site.
“It would be very unlikely to see a widespread cyber attack on shipping because ships across the world use so many different IT systems,” said BIMCO president Philippe Louis-Dreyfus in the press release. “Also, because all parties involved—such as shipowners, classifications societies, equipment-makers, and so on—will do their homework.”
New laws on the horizon?
Some experts say these types of guidelines are often developed as a defensive measure when industries are worried about the potential for government-imposed regulation.
“This gives the industry a way to showcase their attention to cybersecurity through a consistent recommended approach for sector participants and hopefully slow down or avert regulation,” Miller said.
“When cybersecurity conditions for an industry are bad enough that voluntary guidelines are needed, it is often a signal that regulation is on the horizon,” he said.
“We’ve seen a common path for other sectors where guidelines are created in a good-faith effort, a cybersecurity incident happens to someone who didn’t follow the guidelines or maybe the guidelines weren’t sufficient to prevent the incident, then regulators have a knee-jerk reaction and the guidelines become the seed for regulation,” he explained.
Cybersecurity at sea may indeed come under increasing focus in 2016, reported Hellenic Shipping News Worldwide at the end of the year. It said the U.S. House of Representatives passed the “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” on December 16.
“The start of 2016 may thus be an opportune time to take stock and plan new efforts in maritime-sector cybersecurity in light of these recent developments,” the article said.