In collaboration with Secure State Cyber, the Shipowners Club identifies common cyber risks on board and the actions operators can take to protect their vessels. A series of FAQs focuses on passenger ships and the cyber risks of on board Wi-Fi and passenger devices.
Should passenger vessel owners and operators allow availability of Wi-Fi to all passengers?
As Secure State Cyber and the Shipowners Club suggest, passengers should be offered a guest Wi-Fi network with client isolation, which stops a user’s device from detecting and sending data to other devices on the same network. They also recommend keeping this network separate from the Wi-Fi network that controls the ship’s crucial navigation and communication systems, including the one used for on board administrative tasks.
There should be clearly established controls that prevent devices accessing both the public Wi-Fi and the restricted systems. Further network segregation should also be implemented for the administrative network and the critical ship systems such as the Industrial Control System (ICS). This also extends to include the devices that can connect to critical systems on board, the Shipowners Club says.
In addition, no passenger or crewmember should be able to use the same device to access both the public Wi-Fi and the restricted systems. Public Wi-Fi is often insecure and uncontrolled, and the ship’s critical systems should never be put at risk by contact with it, directly or indirectly.
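One way an operator could audit the rule above that no device uses both the public Wi-Fi and the restricted systems. This is an added example, not material from Secure State Cyber or the Shipowners Club; the lease export format, the zone names (`guest`, `admin`, `ics`) and all sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: DHCP lease records exported from three shipboard
# networks, one per line as "zone ip mac hostname". All values are illustrative.
LEASES = """\
guest 10.10.0.21 a4:83:e7:11:22:33 pax-phone
guest 10.10.0.22 3c:22:fb:aa:bb:cc chief-eng-laptop
admin 10.20.0.5 3c:22:fb:aa:bb:cc chief-eng-laptop
guest 10.10.0.23 da:a1:19:00:00:01 bridge-tablet
ics 10.30.0.9 00:1b:1b:44:55:66 bridge-tablet
admin 10.20.0.6 00:50:56:01:02:03 purser-pc
"""

GUEST = {"guest"}              # assumed name of the public Wi-Fi zone
RESTRICTED = {"admin", "ics"}  # assumed names of the restricted zones
LINE = re.compile(r"^(\w+)\s+(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)

def is_randomised(mac):
    # Locally administered bit set: typical of per-network MAC randomisation.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def crosses(zones):
    # True when one identity appears on both sides of the boundary.
    return bool(zones & GUEST) and bool(zones & RESTRICTED)

def find_dual_homed(text):
    by_mac, by_host = defaultdict(set), defaultdict(set)
    randomised_hosts = set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed records rather than guessing
        zone, mac, host = m.group(1).lower(), m.group(3).lower(), m.group(4).lower()
        by_mac[mac].add(zone)
        by_host[host].add(zone)
        if is_randomised(mac):
            randomised_hosts.add(host)
    findings = [("mac", mac, sorted(z)) for mac, z in by_mac.items() if crosses(z)]
    # A randomised MAC hides the device, so fall back to the DHCP hostname.
    # Hostnames are client-supplied: treat these hits as leads to investigate.
    findings += [("hostname", h, sorted(z)) for h, z in by_host.items()
                 if crosses(z) and h in randomised_hosts]
    return sorted(findings)

if __name__ == "__main__":
    for kind, ident, zones in find_dual_homed(LEASES):
        print(f"{kind} {ident} seen in zones: {', '.join(zones)}")
```

A hit means the segregation control is being bypassed in practice, and the device should be removed from one side of the boundary.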
Are there specific signs that passengers should be cautious about when using the vessel’s Wi-Fi?
Passengers should take into consideration the following:
- Networks that are spelt incorrectly, or that do not have a secondary measure to access the service. Members providing free Wi-Fi should make sure that passengers know they need a password to access the service and that they are aware of the correct Service Set IDentifier (SSID) or Wi-Fi network name on which to connect.
- Using a Virtual Private Network (VPN) when using public Wi-Fi. Passengers should be careful and take precautions when using networks that are not controlled, where the network is open, and the users are not separated from each other. Public Wi-Fi should only be used for general browsing.
- Ensuring that web browsers are kept updated. Most systems update automatically; however, this is not always the case, especially if browsers are not closed/shut down.
- Accessing websites that are secured with https. Do not ignore certificate errors that may pop up before accessing a site, as these could be an indication that the site is a malicious copy, or someone is capturing and replaying the traffic to the user. Ensure the web address entered is correct and not misspelled. Misspelled addresses can be an indication of a typosquatting attack, where malicious sites copy and have similar names to a legitimate website.
What should passengers do if they think they’ve been hacked?
They should report it to a crewmember who can communicate the issue to the captain for further investigation. Operators should ensure that the necessary resources are available to respond to and investigate any suspected events.
Should mobile phone / USB charge points be made accessible to passengers?
A simple principle to consider is that if a physical connection to a device is available, then the contents of that device can be accessed. However, there are exceptions and it is recommended that operators only provide Dedicated Charging Ports (DCPs) / USB ports to passengers for charging their devices.
DCPs supply power via USB ports without any possibility of data transfer. DCPs will provide up to 1.5 A and 5 V, which is enough for charging mobile phones or tablets. Offering only DCP charging stations to passengers has an additional benefit: their privacy can be ensured, and their devices can remain secure.
By offering anything other than DCPs for charging, Members and passengers should assume that data transfer is possible from their devices, the two parties note.
Finally, having a third party assess security and provide feedback is a useful way to ensure the passengers’ and vessel’s security.