Out of cyber class. Maritime compliance.

Ships classification societies have a key role to play in the International Maritime Organisation’s cyber security requirements.

Based on our experience to date, there are some significant issues coming that maritime insurers need to be aware of before writing cover for any vessel that includes direct cyber or indirect interruption or loss as a result of a cyber incident. Buy back CL380 at your peril!

At  the moment classification societies are short on the skills to accurately assess the cyber risk of a vessel.

We’ve tested the security of >50 vessels. None of them, even one fresh out of the yard last month, would come close to being compliant with MSC.428(98). Yet, multiple classification societies are publicly announcing that they have certified vessels as cyber compliant.

Why the disconnect?

The challenge for classification societies is getting assessors and processes that have the right level of  cyber skills. At the moment there is lack of understanding of ships IT & OT systems.

This is a serious problem as classification societies seem hell bent on pushing vessels through assessments at the moment.

One of the main issues is the reliance on paper reviews rather than having assessors on-site getting their hands dirty. Again this is a reflection of the knowledge gap of not having the technical cyber knowledge to dig deeper.

A simple example that sums it up well is; if the classification society auditor isn’t on-site and doesn’t use a cable tracer, they cannot do a  thorough job.

Insurers are going to be burned in the future, writing a maritime cyber policy and setting premium based on a classification society survey, then subsequently being presented with a claim for cyber-BI or worse as the result of a hack.

One would expect the underwriter to launch a case against the classification society for negligence or malpractice, but case history around incidents such as the spill involving the MV Prestige indicate a significant challenge to establishing liability.

Why the problem?

Classification society surveys have traditionally been about for example lifeboats, fire alarms and other safety systems. Are they present, do they work, are they safe? The challenge is how to fit ‘cyber’ into that way of working. The problem is that’s not how it work.

Whilst rare, cyber incidents on board affecting ship systems are increasing. An incident that prevents a vessel sailing, or jeopardises its safety is increasingly possible. Whilst most of the incidents to date have been untargeted and accidental ransomware-style effects on an ECDIS, a targeted attack by a hacker with knowledge of maritime technology could easily cripple a ship. We should know, we’ve done it, at the request of the operator obviously!

The potential impact of a cyber incident is significant, particularly if targeted.

• We have had control of azipods remotely over the internet
• Control of main engines remotely
• Control of DPS remotely
• Control of ballasting stations
• Controls of integrated bridge and other navigational systems

You name it, if it’s tech on a vessel, we’ve had control of it during a penetration test, usually remotely. It requires more technical skill to take control of a system, but much easier to simply trash it with ransomware, rendering it useless.

Why is vessel cyber so difficult?

Paper ≠ Reality

Paper designs for vessel networks rarely equate with the reality, even fresh out of the yard. Much effort is put in to designing segregated and secured networks on board, yet when implemented many of these segregations are compromised for operational, practical or other reasons. All too often, the maritime technology supplier doesn’t follow the design, or circumvents it for ease of getting a system working.

For example, in one case we found that all devices on board had certificate based network authentication, or NAC. An excellent security design. However, any device that didn’t have a certificate was placed in to a virtual ‘tar pit’ or black hole for unauthorised devices.

The unintended consequence of this was that all unauthorised devices could communicate with each other in the tar pit. Along comes an engine technology provider who doesn’t want to drill expensive deck penetrations for wiring down 9 levels from the bridge to engine room, so they simply got the engine controls to communicate via the tar pit.

Result? Anyone who plugged any device in to any port on the vessel could take control of the main engine!

And that wouldn’t show up on any check-list based classification society survey…

Time

Time erodes cyber security in many ways:

Operations defeat segregation. Ships engineers make changes to systems, sometimes to fix problems, sometimes to make remote administration easier, sometimes just tinkering. All of these can break down the careful network segregation in initial designs.

New vulnerabilities are found over time. Applying updates is not part of the culture in industrial maritime systems – “if it ain’t broke don’t fix it” is a popular mantra. As new vulnerabilities are found, patches are eventually released by the technology vendor. It they aren’t applied, the system remains vulnerable, yet hackers now know about the vulnerability so security gets worse.

Reused passwords are exposed. Password reuse is commonplace, so passwords for accounts are increasingly exposed in unrelated data breaches. It’s not unusual for us to find passwords for critical maritime systems exposed in public resources. Password hygiene has always been weak for operational reasons on bridge systems, yet it need not be and mitigating controls can be designed around this.

Maritime technology vendors are letting the side down

Much is made by the maritime technology industry of IEC 62443 and the latest integrated bridge systems are starting to show signs of cyber-awareness at vendors. However, there is so much more to this:

Dealing with existing vulnerabilities

We find new vulnerabilities in shipping technology most weeks. Typically these will have been present in vessel systems for years and by some fluke have not been exploited to date, perhaps because of the degree of skill required to find them and ‘easier prey’ on land. As other industries improve their security, shipping comes in to the firing line for hackers.

Simply releasing new product that’s written with security in mind isn’t enough. What about vessels running older unsupported versions of your software that are full of security holes? Those ‘holes’ aren’t usually the customers fault – they’re the vendors fault. So does the vendor have an obligation to provide improved software?

Changing organisational culture around ‘cyber’

The next major problem for maritime tech vendors is to learn to accept security reports from researchers in good faith and act upon them. It’s hard to receive perceived criticism from third parties who aren’t your customers, but it’s essential you do if your security is to improve.

Ensure someone at the business is tasked with receiving, triaging and managing security vulnerability reports, but more importantly is empowered to effect change in your organisation.

Installers lacking cyber skills

We’ll often find technology on board that has been created with security in mind, but the ‘cyber’ message hasn’t filtered down to the installers who actually fit and commission the equipment in the yard. All the vendors efforts are undone by an under-resourced installer who is rushing to meet a deadline, so as not to impede its availability for launch or return to service. ‘Get it working’ is not enough any more.

Conclusion

‘Cyber’ is a minefield for shipping. It is also a minefield for insurers.

Classification societies currently have limited cyber risk assessment skills, but they are getting better.

Vessels are already being classified as ‘cyber’ compliant when they really shouldn’t be.

Tread very carefully when writing a shipping cyber policy. Get external advice.