Blog: Maritime Cyber Security
Can ships be hacked?
Photo: David Adams, MV Dali and the Francis Scott Key Bridge collapse – 240326-A-SE916-6662, A layer has been added showing a character and a speech bubble, CC0 1.0
TL;DR
- Ships can be hacked
- Was the MV Dali hacked? Practically impossible
- Polarised views from uninformed commentators do not help
- Here’s some real detail on ship systems and their security
Introduction
The recent events in Baltimore have brought maritime cybersecurity into the spotlight. Initial outlandish claims asserted that the MV Dali was certainly hacked, whilst others made the equally incorrect claim that there was no possible way that any ship could be hacked.
Both sides demonstrate a lack of knowledge about how ships are architected and the degree to which they are connected.
Ships can be hacked. The impact of this is hugely variable, depending on the type of vessel and the attack that is carried out.
Container ships
A large container ship has one huge main engine for propulsion.
For this main engine to run, it needs support by ancillaries, mainly pumps, which are powered by electricity. This is unlike many smaller engines, where pumps and cooling are run directly from the engine. The electricity that powers the ancillaries comes from generators, which must be running for the main engine to work.
The same is true of the steering. The rudder is moved using hydraulic rams, with the hydraulic system requiring electrical power. Without that power, the rudder cannot be moved.
It is possible for a ship to blackout, where the main power supply is no longer available, resulting in the main engine and steering stopping. This will result in loss of propulsion and loss of steering.
Without propulsion, there will be no prop wash, so the rudder is almost entirely ineffective unless you have both electrical power for the steering and the main engine is running.
To reduce the risk of a vessel blacking out, multiple generators will be running when the vessel is manoeuvring. On most large container ships, there will be four generators. These can run together to provide redundancy.
These generators are controlled by a Power Management System (PMS), which will endeavour to keep the required number of generators running. The PMS is frequently connected to a wider network on the vessel called the Integrated Alarm and Monitoring System (IAMCS, but also IACS or IMCS or even just “automation”). IAMCS is used to control and monitor machinery from various Human Machine Interfaces (HMIs) across the vessel.
The degree to which the PMS can be controlled from the IAMCS is varied, and can range from simple commands through to significant reconfiguration.
On a container ship, the navigation and IAMCS are often fully independent from one another, but sometimes they are a common platform with gateways between the two. When a ship blacks out, an emergency generator should automatically start and power a small number of essential services. This includes the steering and enough ancillary equipment to start one of the larger generators. By regulation, this emergency generator has up to 45 seconds to start and provide power. Steering would be regained at this time, alongside generators starting. Once various pumps have started, the main engine can be used again.
45 seconds without steering or propulsion isn’t an issue if you are in the middle of the ocean. If you are coming alongside, or navigating between narrow bridge piers, it is far more of a problem.
On most container ships, the steering control systems are relatively basic. The helm on the bridge is hardwired to the steering gear with discrete, dedicated cables. It can operate in several different modes, as well as be connected to the autopilot. On every container ship we’ve examined in detail, it has been possible to fully disconnect the autopilot by using a physical switch located on the bridge.
It is always possible to manually control the steering gear from the steering flat. This is really only used in a very limited number of situations involving damage to cabling or the steering gear itself.
For control of the propulsion, container ships still have a ship’s telegraph, with “full ahead” and so on. The control systems around these can be relatively complex. Most engines will have a range of speeds (“critical revs”) where you should not operate them to avoid resonances and severe vibration. In recent years, most ships will have a system to limit maximum power to reduce pollution. It is also possible to take manual control over the main engine, bypassing all but the necessary control systems.
This raises a hugely important concept – there is a human in the loop. There will be someone on the bridge who can easily take manual control over the steering and propulsion at any point in time. They can always look out of the window rather than relying on electronic navigation systems too.
The issue is one of time – taking manual control can be time and labour intensive
Starting a generator and connecting to the main bus is normally as simple as pressing a single button on a screen. How do you do this if the PMS is not operational? The complexity varies by vessel, but it could involve using controls local to the generator to start it, waiting for it to come up to speed, and then closing several circuit breakers. If you need to start a second generator, it is vital that this one is synchronised correctly with the other – a further complication. Manual management of the system will need to be performed as the load drawn by the ship varies. What would take 30 seconds normally can take several minutes and require several members of crew.
Although the emergency generator should start in 45 seconds, it is possible for it to fail. As with the main generators, this could need someone to attend the emergency generator room, start the engine, and connect it to the bus. This can easily turn 45 seconds in minutes.
The IAMCS allows an engineer to use a computer to control complex machinery all around the vessel from a computer screen. After a blackout, most of the ancillary systems should automatically come back online, allowing the main engine to be restarted. But what happens if this doesn’t work? Once again, someone may need to manually start pumps and move valves. This all takes time.
All of these failure modes are known. Each vessel will have Standard Operating Procedures to recover from these situations. Drills will be carried out periodically to ensure that everyone knows what to do.
How often do these events actually happen? Some ships could go years without blacking out, others can be troublesome and blackout every few weeks. The crew should take action to prevent blackouts reaching the point where they could impact safety.
The trigger for a blackout could be any number of things, ranging from bad fuel to the ship rolling and causing a loss of oil pressure. For this post, the trigger is not the important aspect – it is how it is handled.
- Container ships can and do blackout, losing all electrical power.
- They will lose all propulsion and steering when blacked out.
- Steering should be available in 45 seconds.
- Propulsion should be available shortly after
Hacking ships?
As of yet, we haven’t considered a hacker trying to impact the vessel. Let’s look at each of the systems in turn.
Most container ships’ autopilots are relatively simple, but it is increasingly common to find that navigation systems have a network connection to allow updates. A hacker could impact the autopilot, causing the vessel to turn. In this situation, it would be possible to disconnect the autopilot and manually control the steering. The autopilot would not be in use when manoeuvring – someone will be on the helm.
Propulsion control is very rarely connected to a network. It is therefore highly unlikely that a hacker could take control of propulsion. If they could, it would be possible to manually override this, although it could take some time.
The PMS and IAMCS are frequently network connected. A hacker could impact the PMS, causing the vessel to blackout. Although it would be possible to recover from this situation, this may be challenging, particularly if the attacker has significantly altered how the system operates.
If significant parts of the IAMCS are impacted – such as “bricking” all the HMIs – then restarting systems on the vessel becomes more complex, so it takes longer still to recover.
We have yet to see an emergency generator with a network connection. It is very unlikely that a hacker could impact the emergency generator remotely.
Discovering how each system is connected to the network and how they are secured is challenging without access to documentation or access to the vessel. Whilst you can work out high level arrangements, specific details are hard to come by. Even sister ships within the same class can vary hugely.
You may have heard of the Swiss cheese model used with risk, particularly in aviation safety . A series of layered, but imperfect, defences are represented by slices of Swiss cheese with holes in them. Most of the time, the holes are not aligned with each other, preventing an incident from occurring. But sometimes the holes align, leading to a failure.
The real world
I am firmly of the opinion that it is incredibly unlikely that someone could take full remote control of a container ship. Even if they had remote control, it is likely that this would be noticed and could be overridden by the crew.
However, I think it is entirely viable that an attacker could impact the PMS or IAMCS, leading to the vessel blacking out and the associated loss of steering and propulsion. It may be possible for an attacker to trigger repeated black outs which cannot be easily or quickly recovered from. It may also be possible to significantly increase crew workload by attacking other systems at the same time, such as stopping the IAMCS working. This would increase the chance that the attack is poorly handled by the crew, leading to significant impact. An attacker could certainly get into the position where they help align the holes in the cheese.
The outcome of prolonged blackout is largely unpredictable, but if triggered at the right time could result in a collision.
Cruise ships and DP vessels
There are other types of vessel that have more complex systems onboard. The two most notable are large cruise ships and dynamic positioning vessels.
Any large cruise ship built since 2010 must comply with a regulation called “Safe Return to Port” or SRtP. These mandate that a vessel should remain safe, even in the event of significant fire or flooding. From the perspective of vessel design, this has resulted in significantly more redundancy in engine room and bridge systems. However, most classification societies only require that the systems are restored within an hour and can require manual action by the crew. SRtP’s main concern is recovery from, not prevention of blackout.
There is no requirement to publicly report a blackout on a cruise vessel unless there is direct safety impact.
Cruise ships can and do blackout , and this often results in serious incidents:
2013 – Carnival Triumph (pre-SRtP) – an engine room fire resulted in a blackout with loss of steering and propulsion. In addition, the emergency generator also suffered mechanical failures, leaving the vessel on battery power several times. This event lasted for several days.
2019 – Viking Sky (post-SRtP) – one generator was out of service for maintenance, and during heavy weather, all three of the running generators shut down, resulting in prolonged blackout. The ship came perilously close to land, and a large number of passengers were evacuated by helicopter.
There are also dynamic positioning (DP) vessels, where the position of a vessel is automatically maintained using thrusters. This includes offshore support vessels – such as anchor handling tugs and subsea support – and even complete drilling platforms. Moving off station carries risk to life and the environment.
There are several classes of DP vessel, but these all require additional redundancy to reduce the chance of the vessel being unable to hold position. For the most part, the system should handle most failures automatically and remain safe. DP regulations mainly concern the prevention of blackout – a contrast to SRtP where recovery from blackout is the goal.
There are failures in DP vessels. An organisation, IMCA, handles reporting and analysis of these failures. There is much greater transparency in reporting blackouts in the DP industry as a result.
Some cruise ships comply with the lowest level of dynamic positioning for tender operations. There is very little additional redundancy as a result.
Many modern cruise and DP vessels are diesel-electric. Large generators generate electricity, which is then used to drive propulsion motors. Although the machinery and control systems on these vessels have significantly more redundancy than a container ship, this comes with increased levels of automation and increased complexity in control systems.
Under ideal conditions, the control of all propulsion and steering will use a simple interface – often just a joystick – that commands the many thrusters and other pieces of machinery in a coordinated way. There will also be manual control of each piece of equipment – but this can get complex very quickly. There can be the main propulsion and rudders (often independent), bow and stern thrusters, and a retractable pod, all on the same vessel.
The most common network architecture in DP vessels is a dual or triple redundant Ethernet network. This connects the operator stations and high-level components together. Below this is a process network (often CAN) and discrete control signals. The PMS can also be connected to the Ethernet networks. Access to the Ethernet network could allow an attacker to exploit any vulnerabilities in connected equipment. “Bricking” every operator station or flooding the network with traffic would likely cause serious impact.
Manual control and isolation of the various components on a DP vessel would be significantly more challenging than on a containership. Whilst there will be manual controls for the main propulsion and various thrusters, holding position in even mild seas could be challenging.
On some of these systems, there is practically no network segmentation from any two components in the system. A compromised IAMCS console in a HVAC room can connect to other IAMCS components, which have access to PLCs and other control systems across the vessel. Wiping the configuration of a PLC could cause connected machinery to become inoperable.
Vessels that comply with SRtP require a safety centre – a space that allows the management of emergency situations. From the safety centre, you must be able to control powered ventilation, watertight doors, CCTV, fire detection and fighting, and some machinery. On many modern cruise ships, all this information is managed using a Safety Monitoring and Control System (SMCS). This “glues” together all these different systems, allowing them to be effectively handled. Control over the SMCS is highly likely to result in serious impact to vessel operations, particularly if the dynamic positioning system is not properly segmented from it. There will always be local controls in the safety centre.
We commonly find that all of these complex control systems – DP, IMCS, SMCS – have some form of connection to the outside world for diagnostics and support. Mostly these are well designed dedicated gateways installed by the vendor for remote support. Sometimes, they are connected directly to the core network on the vessel, leaving the systems exposed to significant risk.
For DP vessels, a Failure Mode and Effects Analysis (FMEA) has to be carried out. This is a complex analysis that determines if the vessel has enough redundancy in the event of failure. They must also undergo periodic trials to ensure that the actual vessel behaves as the FMEA expects.
The FMEA examines common-mode failures, where systems fail for the same reason, and hidden failures, where a backup system fails without being noticed. But, as of 2024, the FMEA does not consider the impact that an active attacker could have on systems. But even with that in mind, we wouldn’t really expect an attacker to do anything that would be considered a “failure” – they’d likely be using the system as any normal member of crew would.
Conclusions
Modern ships are increasingly complex and connected. Without a good understanding of how their machinery and control systems are architected, it is difficult to understand how much risk they are exposed to, or how to secure them properly.
A significant proportion of large modern vessels have critical systems that are network connected. In many cases, people are not aware of these connections and do not understand how they are secured. Finding and understanding these connections can be challenging.
Seafarers do not receive any formal or mandatory training on the security of these systems. Frequently, there are no pathways for crew to report concerns around the security of third party systems connected to critical systems.
Regulations and standards do not factor in active attackers, largely focusing on conventional threats such as mechanical and electrical failure and human factors.
