Blog: Maritime Cyber Security

Back of the Class

Ken Munro 07 Jan 2019

Ships classification societies have a key role to play in the coming ‘cyber’ requirements of the International Maritime Organisation.

Based on our experience to date, there are some significant issues coming that maritime insurers need to be aware of before writing cover for any vessel that includes direct cyber or indirect interruption or loss as a result of a cyber incident. Buy back CL380 at your peril!

Classification societies are very short on the skills to accurately assess the cyber risk of a vessel.

We’ve tested the security of >50 vessels. Not a single one, even one fresh out of the yard last month, would even come close to being compliant with MSC.428(98).

Yet, multiple classes have claimed to have certified vessels as cyber compliant.

This is caused by a lack of suitable cyber skills, lack of understanding of ships IT & OT systems and a rush for classes to capitalise on consulting revenues for systems they don’t really understand.

Far too many classes rely on paper reviews rather than getting their hands dirty. Far too many classes don’t have the technical cyber knowledge to dig deeper.

Put simply, if the class auditor doesn’t have a cable tracer, they aren’t doing a thorough job. I’ll bet most don’t even know what a tracer is, let alone how to use it.

It isn’t so much ‘out of class’ – it’s ‘back of the class’

Insurers are going to be burned in the future, writing a maritime cyber policy and setting premium based on a classification society survey, then subsequently being presented with a claim for cyber-BI or worse as the result of a hack.

One would expect the underwriter to launch a case against the class for negligence or malpractice, but case history around incidents such as the spill involving the MV Prestige indicate a significant challenge to establishing liability.

Why the problem?

Classification society surveys have traditionally been about for example lifeboats, fire alarms and other safety systems. Are they present, do they work, are they safe? That’s not how cyber works!

Whilst rare, cyber incidents on board affecting ship systems are increasing. An incident that prevents a vessel sailing, or jeopardises its safety is increasingly possible. Whilst most of the incidents to date have been untargeted and accidental ransomware-style effects on an ECDIS, a targeted attack by a hacker with knowledge of maritime technology could easily cripple a ship. We should know, we’ve done it, at the request of the operator obviously!

The potential impact of a cyber incident is significant, particularly if targeted.

  • We have had control of azipods remotely over the internet
  • Control of main engines remotely
  • Control of DPS remotely
  • Control of ballasting stations
  • Controls of integrated bridge and other navigational systems

You name it, if it’s tech on a vessel, we’ve had control of it during a penetration test, usually remotely. It requires more technical skill to take control of a system, but much easier to simply trash it with ransomware, rendering it useless.

Why is vessel cyber so difficult?

Paper ≠ Reality

Paper designs for vessel networks rarely equate with the reality, even fresh out of the yard. Much effort is put in to designing segregated and secured networks on board, yet when implemented many of these segregations are compromised for operational, practical or other reasons. All too often, the maritime technology supplier doesn’t follow the design, or circumvents it for ease of getting a system working.

For example, in one case we found that all devices on board had certificate based network authentication, or NAC. An excellent security design. However, any device that didn’t have a certificate was placed in to a virtual ‘tar pit’ or black hole for unauthorised devices. The unintended consequence of this was that all unauthorised devices could communicate with each other in the tar pit. Along comes an engine technology provider who doesn’t want to drill expensive deck penetrations for wiring down 9 levels from the bridge to engine room, so they simply got the engine controls to communicate via the tar pit.

Result? Anyone who plugged any device in to any port on the vessel could take control of the main engine!

And that wouldn’t show up on any check-list based class survey…

Time

Time erodes cyber security in many ways:

Operations defeat segregation. Ships engineers make changes to systems, sometimes to fix problems, sometimes to make remote administration easier, sometimes just tinkering. All of these can break down the careful network segregation in initial designs.

New vulnerabilities are found over time. Applying updates is not part of the culture in industrial maritime systems – “if it ain’t broke don’t fix it” is a popular mantra. As new vulnerabilities are found, patches are eventually released by the technology vendor. It they aren’t applied, the system remains vulnerable, yet hackers now know about the vulnerability so security gets worse.

Reused passwords are exposed. Password reuse is commonplace, so passwords for accounts are increasingly exposed in unrelated data breaches. It’s not unusual for us to find passwords for critical maritime systems exposed in public resources. Password hygiene has always been weak for operational reasons on bridge systems, yet it need not be and mitigating controls can be designed around this.

Maritime technology vendors are letting the side down

Much is made by the maritime technology industry of IEC 62443 and the latest integrated bridge systems are starting to show signs of cyber-awareness at vendors. However, there is so much more to this:

Dealing with existing vulnerabilities

We find new vulnerabilities in shipping technology most weeks. Typically these will have been present in vessel systems for years and by some fluke have not been exploited to date, perhaps because of the degree of skill required to find them and ‘easier prey’ on land. As other industries improve their security, shipping comes in to the firing line for hackers.

Simply releasing new product that’s written with security in mind isn’t enough. What about vessels running older unsupported versions of your software that are full of security holes? Those ‘holes’ aren’t usually the customers fault – they’re the vendors fault. So does the vendor have an obligation to provide improved software?

Changing organisational culture around ‘cyber’

The next major problem for maritime tech vendors is to learn to accept security reports from researchers in good faith and act upon them. It’s hard to receive perceived criticism from third parties who aren’t your customers, but it’s essential you do if your security is to improve.

Ensure someone at the business is tasked with receiving, triaging and managing security vulnerability reports, but more importantly is empowered to effect change in your organisation.

Installers lacking cyber skills

We’ll often find technology on board that has been created with security in mind, but the ‘cyber’ message hasn’t filtered down to the installers who actually fit and commission the equipment in the yard. All the vendors efforts are undone by an under-resourced installer who is rushing to meet a deadline, so as not to impede its availability for launch or return to service. ‘Get it working’ is not enough any more.

Conclusion

‘Cyber’ is a minefield for shipping. It is also a minefield for insurers.

Classification societies will slowly become more skilled at assessing vessel cyber risk, but today their skills are very limited.

Vessels are already being classified as ‘cyber’ compliant when they blatantly should not be.

Tread very carefully when writing a shipping cyber policy. Get external advice.