As part of July’s annual conference, this year’s Stanley Gray Lecture included a Q&A session with cyber security expert Nigel Hearne, whose work includes investigating the electronic vulnerability of cruise liners, bulk carriers and drilling rigs. Marine Professional brings you some of the highlights.
With increasing automation of ships what new risks are you starting to see aboard vessels?
Automation tends to use a cloud, so it’s inevitable the industry is moving more towards clouds to get data in and off vessels, especially with semi-autonomous shipping. Cloud providers are very good at managing security, but only if it’s configured correctly.
My team has been able to demonstrate to companies how we can compromise their entire global fleet and HQ. The onboard malicious insider is a high-risk threat. Electronic devices that are public facing need stringent, well managed auditing and penetration testing to make sure they’re secure. On cruise liners we’ve been able to get into ships’ internet connections in public areas: if you get the right cabin on a vessel you can compromise all sorts of things from being onboard.
What are the main reasons for hacking a ship?
That’s a good question, because the motivation isn’t always entirely clear.
Organised criminals may want to extort a cruise line by attacking the ballast of one of its ships so that it rocks from side to side in the middle of the sea. The criminals will be thinking ‘how quickly will the cruise line take to pay us $10m to stop and will they bother coming after us afterwards?’.
When it comes to nation state activity, it’s important to realise that the next world war won’t be about guns, it will be about cyber attacks.
A nation state might, therefore, want to hack a ship and, again, compromise its ballast system so it rolls over in the entrance of a harbour, blocking a shipping channel or port for a considerable amount of time.
It would be an effective way to compromise another nation state. There have been incidents recently where a nation state may have may been responsible for making ships from other nation states run aground or crash into things.
How good is physical security aboard ships?
Sometimes it’s good, and sometimes it’s really bad. I’ve been able to walk onto ships in port unchallenged and been able to access comms rooms by simply opening a door with no need for a security card. We’ve also been on vessels where we’ve found trunking with fibre in our cabins, which we’ve been able to plug into to access the ship’s electronic systems. Once you get access to a system it’s relatively easy to guess the passwords.
Do you recommend crew monitoring of electronic systems?
Some vessels that use a lot of cloud interaction now have people onboard to monitor certain systems. They’re starting to look at taking log file information off the vessel in a strategic way or centrally correlating log files on the vessel and using that as a point of monitoring off of the vessel itself. The centralised logging onboard a vessel and then monitoring that remotely is probably the easiest thing to do in the short-term.
Do your findings expose the dangers of ships becoming increasingly automated?
The more you connect to the Internet, the more risk you will have, but it’s a lot easier to design a brand new vessel and make it quite secure than it is to try and make an old vessel secure because of its legacy issues.
How do you train crew about the importance of cyber security?
It’s just about reinforcing the basics – passwords, passwords, passwords!
It’s important to teach them about physical security around USB and device controls, ensure they’re aware of the dangers of phishing attacks and the risks of social media, that they know exactly who they’re allowing to have access to the ship’s systems, and to never open files they’re not sure about.
Click here to see the full Q&A answer session – along with Nigel Hearne’s fascinating in-depth presentation on his cyber security work with Pen Test Partners.
Dennis O’Neill is a freelance journalist specialising in maritime.