Maritime & ICS Testing

Maritime cyber security

As ships get bigger, with more automation, fewer crew members, and more connectivity, the attack surface of a modern commercial vessel is becoming as complex and diverse as that of a connected car or commercial aeroplane.

What does a ship look like to an attacker?

Maritime software and associated ICS hardware solve many management, functional, and operational issues. But with each iteration of a new piece of technology comes the challenge of securing it, segregating it appropriately, and integrating it where need be.

From comms through to physical security, this is what an attacker sees when they look at a ship:

Ship’s systems explained

Nearly all big container ships run UMS (unmanned machinery space), meaning the engine room likely has no one in it from 17:00 to 08:00, except for a couple of walk-arounds. Monitoring and alerting systems are crucial.

It isn’t possible to operate a large ship without control systems for any length of time. You can manually control main engines and steering gear but it is difficult, and easy to get wrong.

Tens of vendors are involved in connected systems on ships, from Dell providing desktop PCs, to Inmarsat gear for Internet, chart systems, MMI, control systems, radar systems, etc.

Internet connections are still slow and not hugely reliable, making software updates and remote servicing hard.

The most complex electronics (comms, control, and computer equipment) tend to be maintained and fixed in port by third-parties.

Load plans and other data are often transferred from shore to ship by USB or (believe it or not) floppy disk. Where messaging systems are used (EDIFACT) they have been shown to be susceptible to attack and manipulation, potentially enabling grand-scale theft and fraud.

Endpoint security is often not present or not up to date, so there is a big risk of malware infection. Infected USB drives or pirated DVDs carried on by crew are classic examples.

Maritime security isn’t easy

…but it is essential. We understand the risks, the working environment, and the commercial pressures.

On every maritime testing engagement we’re mindful of the unique challenges faced. We understand that time in port is not time well spent, so our consultants are sea-friendly and security cleared.