Blog: Maritime Cyber Security

Tactical Advice for Maritime Cyber Security – Top 10

Ken Munro 12 Mar 2018

So, you’ve got 5 minutes over a coffee, what should you do about your fleet security?

There’s plenty written already about ship systems security strategy. However, I’m often asked questions like ‘where do we start with maritime security?’ and ‘what should I do today to stop our ships being hacked?’

Yes, you should absolutely develop a security policy, following IMO, ISO and/or NIST frameworks etc, but it can take a LONG TIME to implement. Cultural and process change is often needed, which takes a while.

In the meantime, your ships, loads and terminals are being hacked.

So, what should you do TODAY?

Start with your satcoms, as that’s what most exposes your vessels to attackers.

#1 Make sure your satcom system isn’t on the public internet

Most airtime providers offer a private IP address space, so hackers can’t reach your satcom system as easily over the internet.

It’s easy to find out if your vessel terminals are public or not: put the IP address in a browser and see if you can route to the terminal web interface from the public internet. Or you could port scan it. Speak to your airtime provider and check.
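The same check scripted for a whole fleet, as an added example rather than code from the original post: it flags terminal addresses that fall outside private (RFC 1918) and carrier-grade NAT space, then tries the web interface ports on those. The vessel names, addresses and port list are assumptions; run it from an ordinary internet connection against terminals you operate.

```python
import ipaddress
import socket

# Ranges that cannot be reached from the public internet (IPv4 only).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed inventory; 203.0.113.0/24 is a documentation range used as a stand-in.
FLEET = {
    "MV Example One": "10.20.30.40",
    "MV Example Two": "203.0.113.25",
    "MV Example Three": "100.64.12.7",
}
WEB_PORTS = (80, 443)  # assumption: ports of the terminal web interface


def is_public(address):
    """True if the address lies outside every non-public range."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in NON_PUBLIC)


def tcp_open(address, port, timeout=3.0):
    """True if a TCP connection to address:port succeeds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(fleet, probe=tcp_open, ports=WEB_PORTS):
    """Map each vessel to a finding; run from outside the provider's network."""
    report = {}
    for vessel, address in fleet.items():
        if not is_public(address):
            report[vessel] = "not publicly routable"
            continue
        answered = [p for p in ports if probe(address, p)]
        report[vessel] = (f"PUBLIC, web interface reachable on {answered}"
                          if answered else "public address, no web port answered")
    return report


if __name__ == "__main__":
    for vessel, finding in audit(FLEET).items():
        print(f"{vessel}: {finding}")
```

A vessel reported as public with no web port answering still warrants the conversation with your airtime provider, since other services on the terminal may be exposed.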

#2 Check that your satcom system has its passwords changed from the manufacturer default

By far the most common problem: the satellite terminal installer hasn’t changed the admin passwords from the default admin/admin or similar. Ensure the passwords are complex and only known by those who need to know.

#3 Update the software on the satcom system

Make sure it’s at the latest version and ensure it is updated every time the manufacturer publishes an update. Updates usually include fixes for security flaws, so the more out of date the software is, the more vulnerable it is.

Check the terminal vendor’s software update pages regularly – security fixes are often hidden in the changelog and not easy to find. This takes time and effort, so to spare the legwork consider using a patch update alerting service.

#4 Check that your bridge, engine room, crew, Wi-Fi and business networks on board are logically separated

If a device on your vessel is compromised, segregated networks will ensure critical systems are kept safe from the hacker. Do crew members’ personal laptops on the ship network have access to the navigation systems? Have you actually checked to make explicitly sure?

#5 Secure USB ports on all ship systems

It’s very easy to accidentally get malware on USB keys. We’ve already seen cases of ECDIS and other systems compromised by ransomware. How often do you see a phone charging from a USB port on a bridge console? Phones can be full of malware too.

To prevent accidental introduction of malware to vessel systems, lock down USB access. If critical systems can only be updated by USB, keep dedicated USB keys in a secure location that are used for nothing other than this purpose. This isn’t ideal, but is better than open USB access!

#6 Check all on-board Wi-Fi networks

Strong encryption, strong Wi-Fi passwords and good Wi-Fi router admin passwords are a must. Crew Wi-Fi for personal use must not connect to anything other than the internet and/or on-board systems (e.g. media streaming) for personal use.

Any ship systems that use Wi-Fi (e.g. tablets for comms and navigation) MUST have raised security levels, including stronger authentication.

#7 Don’t rely on technology

Officers of the watch must be reminded not to rely too heavily on technology and get fixated on screens. GPS can be spoofed, ECDIS position can be manipulated and even synthetic radar can be hacked to misreport.

Whether it’s navigation, collision avoidance or loading, the Mark 1 eyeball must be employed to ensure the situation outside the bridge reflects what the technology reports.

#8 Teach your crew about cyber security

Resources such as Be Cyber Aware At Sea are great for raising awareness and helping your crew avoid inadvertently opening the vessel to compromise.

#9 Make your technology suppliers prove to you that they are secure

If you don’t ask for security, you don’t get it! Your technology and services suppliers won’t spend any time on security if they don’t think the market wants it.

A 3rd party audit of your supplier would be a good start, though in the short term you should ask them for evidence of security accreditations such as ISO27001 or compliance with the NIST cyber security frameworks.

#10 Get a simple vessel security audit carried out

Some of the worst vessel vulnerabilities are the easiest to find and fix. Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet, the same issue can affect them all.