Cyber security for ships and shipping

This is a very relevant subject in these days of increased dependence on internet connected devices on ships and for shipping in general. The subject pops up in different places on the forum. Time it get it’s own thread.

Starting with this article from Marex today:

Appears to be a domain whitelisting service. Not perfect (nothing is) but applicable for static networks when the only legitimate traffic is between the ship and home. Of course the crew may complain since they will no longer be able to surf the web :grinning:

Cheers,

Earl

As was alluded to in that other thread, security is not something you add onto your IT systems. Rather, basic system design is the most important aspect of securing your IT infrastructure. Has something like ITIL been developed specifically for ships? A solid best practices library focusing on strict segregation of mission critical systems must be the place to start.

1 Like

Cyber security is hot topic in the shipping world:
https://www.marinemec.com/news/view,denmarks-cyber-security-strategy-underscores-need-for-early-ism-compliance_56512.htm

This thread reminded me of an unassuming edit I made on Wikipedia:

Since the advent of Software Defined Radio, GPS simulator applications have been made available to the general public. This has made GPS spoofing much more accessible, meaning it can be performed at limited expense and with a modicum of technical knowledge.

I cited this Defcon talk as a reference, and it’s worth your time if you find this issue interesting. The gist of it is that creating a signal with false information is no longer on the cutting edge of military technology, but something pretty much anyone can do. With a bit of rudimentary programming, you could create a position stream based on AIS data from a target ship and beam it aboard with a directional antenna, walking it off its intended track and pretty much taking it where you want.

Given how much trust we put in a gps derived position, I’m afraid that bad thing will happen before effective countermeasures are put in place.

And if you did that, satellite and locally received AIS would show the target vessel in the expected position rather than the actual one. And I’m guessing that if the actual position was reasonably far away from the expected one, nearby chart displays would hold its position as outside the current display limits of the chart; so the guy on the bridge with his binoculars would simply assume that the vessel he was looking at had its AIS transponder broken.

With the increasing dependence or reliance only on GPS, this is a serious problem.
GPS is controlled by one nation and could be turned off, or be returned to a scrambled system at will by that nation. That is why there are more than one SatNav system already available. (And more coming soon)
Or could all such systems be spoofed simultaneously with the same simple and cheap method?

Second question; could not an attempt to divert a ship by this method be detected by either the navigators on board, or by shore based monitors if autonomous??

AFAIK, spoofing a glonass signal shouldn’t be any more difficult than a GPS signal, but the GPS standard is very well understood in the hacker community. I don’t know how many years of research will be needed before they put a glonass simulator out there.

The only way to detect this would be to monitor different sources of heading and positional data, and consider those sources more reliable. It’s that last bit that worries me. If there’s a discrepancy between gyro derived / magnetic heading and your track / satellite heading, which source would you trust? If the sun rises on an unexpected bearing, do you challenge the GPS data or your expectation of where the sun should rise? I’m sure that some sailors would spot the error, but equally sure that a lot of bridge teams would be very vulnerable to this.

Human ability to detect anything like this is limited by their knowledge, training and consent ration span, which has already been proven time and again
So you need to stay on top of the “spoofers” by having multiple sources of SetNav and multiple ways of detecting any interference.

There are already several SatNav systems in operation and more coming according to Wikipedia:

UK should be added to the list of nations that MAY develop their own system:

PS> Directional antenna means you have to be pretty close to your target right??

I was thinking hand held yagi or gyro stabilized parabolic reflector working in line of sight. The problem is not getting the signal on board, since the GPS signal is very weak, but avoiding interfering with everyone else’s GPS signal (a sure way to get detected). I suppose if you want to take a ship for a long walk, you’d want the transmitter onboard to avoid having to keep the attack craft in visual range.

You could theoretically detect interference by SNR anomalies, but I think it would be very difficult to do so reliably in practice without lots of false positives.

DNV-GL approve Cyber Security type approval to Naval Dome:
https://www.hellenicshippingnews.com/dnv-gl-awards-naval-dome-secure-endpoint-cyber-security-type-approval-certification/

Cyber Security is getting a lot of attention lately.
Here is a an invitation to take part in an IHS Markit survey I received by e-mail today:
http://app.ihs.com/e/es?s=1770935282&e=581908&elqTrackId=86b7f4d057894b6bba0e97689b51778f&elq=58495c9ba12341828600f65c69f56cfc&elqaid=78072&elqat=1
Feel free to participate.

How easy is it to hack into the the IT system of shipping companies?
Here is a test done in Hong Kong:

Are you surprised?

Norwegian security authorities and Guard P&I warns about more activity to disrupt both shipping and the oil & gas industries lately:
https://splash247.com/norway-warns-shipping-is-being-targeted-by-hackers/

Maersk took a big hit with NotPetya:

The Untold Story of NotPetya, the Most Devastating Cyberattack in History

Unfortunately it’s a common story. Company IT departments can’t keep up with patching. NotPetya took advantage of supply chain failures, along with known vulnerabilities, causing enormous amounts of damage. The personnel and automation needed to keep up with patching is just beyond most companies resources, and poorly supported by vendors. That’s a key problem that needs to be addressed to prevent these sorts of attacks.

IT departments, much like Engineering are consumers of capital. They are often viewed as 2nd tier departmental functions in the corporate hierarchy. When budgets are cut and pennies pinches they are the first to feel it. I have read accounts of the Mearsk’s cyber attack from several sources and more than one mention some of their servers running on Windows 2000. (Even I stopped using that operating system long, long ago.)

The key is to have security, which is hard enough in itself, and at the same time have a degree flexibility for those using the network. Or in my case, out of the office operating in the field. When I was working in Korea the office sent me a company laptop so I could connect to the company’s VPN. It was a nice computer but I was completely hamstrung as I could not scan or print documents as it would not let me load the necessary printer drivers. When I contacted our IT department for help I was told it was configured that way for a purpose and tough luck. My reply apparently didn’t go over well. The Vice President of IT contacted my boss who in turn told me NOT to do that again and piss them off. In the end they remotely reconfigured the laptop so I could load what I needed to do.

3 Likes

Looking for cost savings in O&M spending on IT security updates and other mitigation’s of vulnerabilities is kind of like not doing upkeep on ships. You might save some money in the short run, but the risk of catastrophic failure goes up over time. Eventually you lose a ship. Hopefully, it won’t break the company when it happens.

Not security but insurance. First online insurance exchange has been established in China:

Will it be secure against hacking and cyber fraud??

1 Like

I’m jumping on the band wagon here…

If you folks could fill out a survey we’re doing on cyber security in the maritime industry.

It won’t take more than a minute or two.

The link is here:
https://thetius.typeform.com/cybersecurity

Thanks!