Is Cyber security in Shipping good enough?

No. (But there are softer targets.)


1 Like

What is almost never discussed is social engineering.

Give someone like Kevin Mitnick a VHF radio and I don’t think it would take him long to ground a ship.

Hell he doesn’t even need to visit a port. I mailed a friend in ny a little raspberry Pi SDR vhf radio to collect ais signals and upload them online. It was receive only but there is no shortage of russians on selling vhf transmit modules and signal amplifiers on ebay.

Our lot were cyber-attacked a few months ago, caused enormous logistical problems for the company and the customers and this is just a piddly 4 ship outfit.
They had to transfer thoughts and instructions via small, hand held, tubular implements on to pieces of paper that normally lived in the printers.
This was extremely challenging for the Millennials.

1 Like

IT controls and security in shipping/drilling companies is woeful.
The IMO didnt even consider there were PC’s on vessels until after ECDIS and they made a complete balls up of that.

Not only ship and shipping are vulnerable to cyber attack:

That was a senario to sell something, they are saying if you plug a memory stick into a DP system you will get away with it, yes you will.

The issue is only either put a new stick in that is blank to retrieve logs or if you are adding something the stick needs to come from the DP company.
The more stuff on board that is PC controlled the worse the problem is getting.

Naval Dome simulated an OEM service technician unwittingly using a USB stick with malicious software containing three zero-day exploits.

Well, if you use USB sticks for data transfer (not recommended) and don’t maintain both a strict chain of custody and on-side validation of hash/checksum using a trusted and protected device, then you’re pretty much in the position of someone who practices unprotected sex with a streetwalker.



That’s what happens when you let the little head do all the thinking.

I may have mentioned this before but I was involved building ships in Korea. Just prior to delivery of one of them the shoreside tech came to check the installation and uploading the software to the ships VDR. The companion software was also going to be loaded onto the ship’s servers. Fortunately our IT guy was there and discovered malware in the system. It came from the shoreside tech’s infected laptop. Who knows what other ships he attended recently. It took several hours to clear it from the ship’s servers, VDR and the tech’s laptop.

Hi Earl
so how else to get data off a DP system without using a usb stick.
( we alway took a new one out of a packet)

After some bulletins on malware in DP/Nav systems, we had to put lock plugs in all USB ports on every PC in the system (generally Kongsberg would disable all but one port on each PC anyway). I kept the plug key in locked in my office and a permit had to be filled out to use it. Perhaps a new-out-of-the-package stick every time would have been a better surefire way, but we used just used dedicated sticks and had to plug them into a malware scanner first. Of course the scanner is only as good as its last update.

There are three classes of attacks: one is the use of a modified USB stick, as described here:

In this case the target thinks they are just writing to the stick but clandestine firmware on the stick actually inserts malicious code using an exploit that breaks the system’s protections. The exploits are usually pretty easy because control systems are typically running several revisions behind the latest so you don’t even have to cook up a “zero day,” just look for an exploit that works for the old rev but was documented and fixed in a later one (which the target hasn’t gotten around to installing.) You can buy these things on the dark web, complete with user’s manuals.

The second case is like the first: the target thinks that there is passive data on the stick to be loaded in the machine (e.g., a chart) and the stick actually runs an exploit and loads malicious executable.

The third is injecting malicious software through the software update process. This is probably what the Naval Dome demonstration simulated.

For the first two cases the precautions shipengr described, plus blind buys, use a fresh one, and don’t leave it unattended is about as good as you can do. For the third case (software updates) the system vendor should have instituted a trusted distribution system, which typically involves cryptography of one kind or another and possibly special hardware.



1 Like

We already had the rule by the time i arrived on board that only new sticks out the packet out of the BM ( semisub)safe were used.
If we needed something from the DP supplier we asked for their stick shipped to us.
You can harden windows and one function is to lockout the usb via registry modifications.
Always amazed me ( I have an IT background as well) the DP companies pretty much leave the consoles logged in as adminstrator, just asking for trouble…
Perhaps the IMO/Class/Flag will have some rules once they find out there are PC’s on ships?
But if they were that smart they wouldnt allow ethernet controlled thrusters…

Not just thumb drives:


1 Like

wow thats sneaky

Just think of everything thats critical onboard yet has very little to no oversight by the IMO/Flag and Class
So perhaps DNV is stepping in but that just means more cost to certify something.
IMO and Flag need to step up

Looks like Panama Maritime Authorities and NKClass is also aware of the importance of cyber security:

I didn’t hear much mention of patching. Vulnerable software is one of the vectors that malicious actors use to move around a network once they’ve gotten the entry point established. System owners need a good scheme for software updates that is protected from supply chain attacks. That’s only part of the protection though. Configuration management is another big part of protecting a network.

System owners also need the ability to detect and respond to malicious cyber activity when it occurs. Even a well protected network is going to get broken into from time to time.

You dont need patching on industrial networks if you keep them away from the internet. AIR GAP.

Problem is today is people just plug stuff in to get access to the web as most vessels now have distributed internet via the satcom/vsat etc.
All the industrial gear on your vessel comes from people interested in getting it working, none of them interested in security or even have any staff with that skill.
The vessel operator has plugged it all together, they are the integrator, not the vendors, not class, flag or the IMO.