Contributed by SecureWorld
Taking a cruise in 2019?
If so, try not to think about the significant cybersecurity risks and failures detailed in the shipping industry’s new report, “The Guidelines on Cyber Security Onboard Ships.”
Instead, be thankful that the 56-page industry report outlines a cyber risk management strategy, giving the industry guidelines on improving cybersecurity.
If the guidelines are adopted, they will help protect you while you go back to the buffet line. Again.
Shipping cybersecurity incidents
Ships and their systems are increasingly connected to the internet and are becoming more technologically advanced.
However, the idea that these advancements increase the risk of a cyber attack on ships is a relatively new thought, as the following example from the report points out. (Note: ECDIS is the electronic navigation system used in many seafaring craft.)
A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection, in this case, are unknown. The delay in sailing and costs in repairs totaled in the hundreds of thousands of dollars (US).
Ships are turning into floating computer networks
If you’ve taken a cruise lately, you’ve probably noticed: Wi-Fi actually works most of the time and the price of it is coming down on cruises. You can now stay connected in the middle of the ocean.
This also gives hackers a better shot at connecting with the ship.
The new shipping cybersecurity report lists an incredible number of connected systems that must be protected with onboard cybersecurity:
- Communications systems, from satellite connections to Wi-Fi networks to public address and alarm systems
- Bridge systems, like GPS and other positioning and charting systems, and the Global Maritime Distress and Safety System
- Propulsion and machinery power control systems, like the engine governor and integrated ship controls
- Access control systems, like the closed circuit cameras, shipboard security alarms, and bridge navigation alarms
- Passenger information systems, like financial and billing systems and electronic health records for those who visit the doctor
- Passenger-facing networks, like public Wi-Fi and guest entertainment systems
- Core infrastructure systems, like routers, switches, firewalls, intrusion prevention systems, and security event logging
- Administrative systems, like crew tracking and personnel systems and crew-facing Wi-Fi or networks
Third-party security a challenge for the shipping industry
The report also details that ships pull into ports around the world and receive customs forms and cargo documents, some from places that have incredible cybersecurity and others from places that may have no clue about it. And this creates problems.
“A shipowner reported that the company’s business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks… individual efforts to fortify one’s own business can be valiant and well-intended but could also be insufficient. Principals in the supply chain should work together to mitigate cyber risk.”
Hopefully, the cruise industry (which co-authored the report) will adopt the report’s guidelines.
That will decrease the odds of a hacker joining your cruise without ever boarding the ship.
The article was originally posted here and is published with SecureWorld’s permission.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.