The ships of today are equipped with autonomous technologies and are connected with their onshore facilities, making shipping operations more efficient on the one hand, but the vessels more vulnerable on the other, as they have to deal with several cyber risks.
What makes a vessel vulnerable to cyberattacks?
#1 Outdated operating systems
It is stated that older versions of operating systems are a ship’s vulnerability. Older versions, combined with lack of security patches, can reduce the security of ship systems.
In general, oldest ships are the most vulnerable ones by having the oldest and least updated systems, which operate in a plaintext format or using old protocols for management or operation.
#2 IT, OT
Operational technologies (OT) and information technology (IT) are not always assessed for security when designing and constructing a new vessel, while they are not always updated with new firmware and software updates.
It has been reported that damage to these systems can result in physical damage to the ship as well as data leakage, endangering all life on board. Insider threats, whether intentional or not, are considered one of the biggest cyber threats to business.
- Human Error - High click rates for phishing campaigns, negligence (leaving technology open and accessible), loss of technology, such as a laptop or a phone;
- Malicious Insider - Criminal insiders leaking sensitive data, infecting computer systems with malware, abuse of internal privileges and disgruntled employees;
- Social Engineering - The manipulation of seafarers to gain sensitive information. This can contribute to spear phishing, senior management spoofing, smishing and vishing
#3 Outdated antivirus software
It is challenging to keep the antivirus software up to date due to the limited, ephemeral nature of network connectivity aboard a vessel. That’s why, it is important to update the antivirus software whenever possible.
It is important that the antivirus software must look for the newest viruses, and be regularly updated.
#4 Inadequate security measures on desktops, servers, and appliances
A common phenomenon is default passwords and hardcoded engineering, which enable attacks against the affected systems. Usually, desktop systems are not locked down with policies and security controls, which affects the ship’s security posture and detection of attacks.
Passwords are an easy target and can be easily cracked, if the user accounts are shared or re-used, something that mostly happens during crew change.
#5 Third party access
Another vulnerability is third party access. This means that except the shipping company, the seafarers that make use of the ship’s systems, contractors and service providers may also have access.
Each company onboard its smart vessels is advised to implement security controls that will enforce two-party consent prior to a third party is able to access the ships’ systems.
What can you do to boost your cybersecurity onboard?
In light of the dangers explaining above, it is recommended that the crew onboard a vessel are fully trained and aware of the challenges of network systems.
Mr. Andreas Chrysostomou, Chief Strategy Officer, Tototheo, when asked about what he would choose to move the shipping industry forward to a smarter future, he commented that
One size does not fit all, and the shipping industry is, if not fragmented, very diversified between itself. So, my answer is “education” and “spread the word”. Go around and explain to people what has come, what is coming and when they should start worrying. This will be a game-changer.
The Shipowners’ Club has recommended that to mitigate the danger of plugging equipment into lower security and higher security systems, crewmembers are encouraged to:
- Prohibit any uncontrolled devices from accessing the most critical systems:Any equipment or systems allowed to access these or the networks that include these important systems, should be fully controlled and established policies and controls should be in place that identify everything that is allowed, and more specifically what is not allowed;
- Ensure devices have a current and updated antivirus software installed:Before equipment is plugged into the systems to patch an air gapped system or to transfer a file, file integrity checks and antivirus scans should be automatically performed;
- Ensure that the ability to install third party software or applications is completely controlled and restricted only to system administrators.