Cyber Security – Is your IT Network secure?
“I wouldn’t say the house is on fire yet, but every item of wood and paper is doused in petrol”
A rash of recent media articles and reports has drawn the industry’s attention to the potential risk of cyber-attacks from malicious hacking or terrorist networks. The figures, for the oil and gas industry at least, look ominous.
Insurance broker Willis recently estimated that cyber-attacks against oil and gas infrastructure will cost energy companies close to $1.9 billion by 2018, something it compared to ‘sitting on an uninsured time bomb’. The UK government reckons cyber-attacks already cost UK oil and gas companies around $672 million a year.
There is much less certainty when it comes to shipping, for a number of reasons. Chief among these is that the vulnerability of certain systems and their uses and abuses by those in the industry have blurred the lines between the hacking threat and inherently poor design.
The Global Positioning System (GPS) has long been known to be vulnerable to jamming or spoofing with small, cheaply-bought devices. The Automatic Identification System (AIS) is equally open to monitoring and potential interference, a situation muddied further by some owners’ practice of turning it on and off when they think security or market advantage warrants it.
What concerns the many cybersecurity consultants operating in maritime is the vulnerability of computers and systems inside bridge, engine room and cargo handling equipment.
This January, a UK cyber security research firm, NCC Group, found flaws in one vendor’s ECDIS software that might allow an attacker to access and modify files, including charts, something it said, if exploited in a real scenario, ‘could cause serious environmental and financial damage and even loss of life’.
That remains to be seen, but what is certain is that as shipboard networks become more complex and the internet of things connects more devices, so the risk increases that hacking could be used against a nation, a fleet or a single vessel with serious consequences.
The more critical issue, according to Yangosat Sales Director, Ewan Robinson, is that all but the leading edge of shipping companies are adopting the traditional industry approach: head in the sand, fingers in the ears. “In my view knowledge is power,” he says. “If you know about things you can counteract them. The problem is that many owners are adopting a negative position on what is a major risk.”
At present, he says, the biggest threat is likely to come from individuals or collectives who hack for bragging rights among their peers, but that could change. “If organised crime realises that they could control a vessel, then they could use it for extortion or remote piracy.” On a recent newbuilding project, he says the master was presented with a new laptop to manage chart updates that would feed into the ECDIS. The laptop, which had administrator rights, had no password protection.
“Try doing that in a normal office job and see how far you’d get. It was wide open to virus or Trojan [malware] attack. And this was a company that has some serious databases. There are companies that stand out in their IT strategy and implementation but many more treat the issue as if it doesn’t exist,” he says.
And Robinson is no mere Cassandra. At the recent DigitalShip Cyprus conference he used his own laptop to (legally) hack a ship’s Stability and Loading computer in real time, using free tools downloaded from the internet.
That certainly got the room’s attention. The harder challenge is getting that of the CEO. Shipping’s notorious love of secrecy extends to company data and internal operations, to the point where some owners won’t give accurate noon reports to charterers who are paying the bill.
“To a large extent it’s behavioural. The CEOs of some very large organisations think the IT department is a waste of time. But these guys end up with the responsibility of protecting the vessels. Many owners will simply use the cheapest option possible and the result is untrained or non-existent IT control on vessels, which allows for any manner of breaches,” he says.
Ironically, the solutions are relatively straightforward, at least from a mariner’s point of view. A combination of better practices around hardware, software and user behaviour would be a start.
The example above demonstrates the systemic lack of understanding of the need for basic IT security onboard. Robinson has talked to IT departments that are restricted in buying the hardware they need to protect systems, or in visiting vessels to configure them correctly. Complaining masters often win the day when they find a new IT policy prevents them from downloading and installing whatever content or software they want.
“I really sympathise with the IT support guys. I have been in their shoes and I understand the problems of trying to bring about culture change in a shipping company,” he adds.
There is a need, he says, for “a fundamental change in the way all shipowners treat IT and communications, possibly even enforced by Port State Control or under P&I Club pressure. I wouldn’t say the house is on fire yet, but every item of wood and paper is doused in petrol. I suspect, though, that within the next two years we will have a major extortion incident. The trouble is, we may never get to hear about it.”
For his part, Robinson thinks the risk to ECDIS systems has been somewhat over-egged and protection is relatively straightforward given that many ships have two units, one of which is standalone and updated via USB rather than network connection.
“That does not mean it could not be compromised, just not in the way that you would see in a Hollywood movie,” he laughs, before adding that “any system is potentially breakable. The trick is to ensure that any data coming from the vessel to a shore provider, whether for AIS or container tracking, is secure, encrypted and verifiable.”
That means that the systems of onshore providers must be as secure as those of the shipping company or the vessel, an issue for systems such as AIS, which were developed for the dual purposes of safety and security.
Being able to spoof AIS data to and from a vessel implies other effects could be created, he suggests. Hackers could create virtual buoys that might then be read in ENCs, Radar and ECDIS. Spoofing that data could easily cause course alteration or confusion among bridge teams, which could be further exploited by spoofing another faked vessel into the mix.
Given how many seafarers already feel about using ECDIS and the reliability of the hardware, software and chart data, these can hardly be comforting words. Throw in disruption to GPS – something that has been done many times in the cause of demonstrating its weaknesses – and there is plenty to worry about.
For most companies though, the problems are rather more prosaic and Robinson says the irony is that the initial intention of saving money often ends up costing more to remedy.
The more vessels move into the IP universe, the bigger the problem poor security presents. Trojans that were once merely annoying would now be able to connect through to control servers, allowing the infected units to become part of a botnet, even before the hacker realises the significance of what they were able to control.
“A not untypical example I have dealt with was where 1,900 viruses and 1,200 Trojans infected every computer on a single vessel. All the PCs had to be rebuilt from scratch, retaining all the existing data, which cost the shipping company six days’ off-hire and a $6,000 invoice,” he says. Some investment in prevention suddenly seems like money well spent.