Commercial vessels are the victims of cyber-security incidents more often than commonly thought, according to findings published in a new industry report.
The third edition of the Guidelines on Cyber Security onboard Ships – published by a coalition of 21 international shipping associations and industry groups – contains some salutary examples of what happens when proper procedures aren't followed.
It describes many cases, including a still-unexplained virus infection of onboard ECDIS (Electronic Chart Display and Information System) units.
It gives the example of a new-build dry bulk ship that was delayed from sailing for several days because its ECDIS was infected by the virus.
The ship was designed for paperless navigation and therefore not carrying any paper charts.
The ECDIS failure appeared to be a technical disruption and wasn’t recognized as a cyber issue by the ship's master and officers.
A specialist technician eventually discovered that both of the ship’s ECDIS networks were infected with a virus.
The virus was quarantined and the ECDIS computers were restored.
The source and means of infection in this case are still unknown.
But this isn't the only malware-related incident that affected a ship, according to the aforementioned document.
Ships were also hit by ransomware, sometimes directly, while in other incidents the ransomware struck backend systems and servers used by ships already at sea.
For example, one shipowner reported not one but two ransomware infections, both traced to business partners rather than to the ships' crews.
The company's business networks had become infected with ransomware delivered by an email attachment.
The ransomware came from two unwitting ship agents, in separate ports, on separate occasions.
Ships were also affected, but the damage was limited to the business networks; navigation and ship operations were unaffected. In one case, the owner paid the ransom.
But this wasn't the only incident.
In another, the ransomware's entry point was not the company's dealings with port agents but its own failure to set proper passwords.
A ransomware infection on the ship's main application server caused complete disruption of the IT infrastructure.
The ransomware encrypted every critical file on the server; as a result, sensitive data was lost and the applications needed for the ship's administrative operations were unusable.
The infection recurred even after the application server had been completely restored.
The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully.
The company's IT department deactivated the undocumented user and enforced a strong password policy on the ship's systems to remediate the incident.
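The pattern in that incident, a burst of failed remote logins followed by a successful login on an account nobody had documented, is exactly what a routine review of authentication logs is meant to surface. The following added example is mine, not code from the guidelines or the report: it parses constructed sshd-style log lines, flags any source address with five or more failed logins inside a minute, and lists successful logins by accounts missing from an approved-user list; the hostname, addresses and user names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd-style auth log lines (not taken from any real ship).
SAMPLE_LOG = """\
Jan 10 02:14:01 shipsrv sshd[4411]: Failed password for root from 198.51.100.7 port 50122 ssh2
Jan 10 02:14:03 shipsrv sshd[4412]: Failed password for root from 198.51.100.7 port 50123 ssh2
Jan 10 02:14:04 shipsrv sshd[4413]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Jan 10 02:14:06 shipsrv sshd[4414]: Failed password for root from 198.51.100.7 port 50125 ssh2
Jan 10 02:14:08 shipsrv sshd[4415]: Failed password for root from 198.51.100.7 port 50126 ssh2
Jan 10 02:14:09 shipsrv sshd[4416]: Accepted password for svc_remote from 198.51.100.7 port 50127 ssh2
Jan 10 08:30:11 shipsrv sshd[4502]: Accepted publickey for chiefeng from 10.10.0.5 port 40001 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def _ts(stamp):
    # Syslog timestamps carry no year; a fixed year is assumed purely for ordering.
    return datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S")

def analyse(log_text, approved_users, threshold=5, window_s=60):
    """Return (brute_force_sources, undocumented_logins).

    brute_force_sources: set of source IPs with >= threshold failures within window_s seconds.
    undocumented_logins: list of (user, ip) for successful logins by users not in approved_users.
    """
    failures = defaultdict(list)
    undocumented = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m.group(3)].append(_ts(m.group(1)))
            continue
        m = ACCEPTED.match(line)
        if m and m.group(2) not in approved_users:
            undocumented.append((m.group(2), m.group(3)))
    brute = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: any run of `threshold` failures inside `window_s` flags the source.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                brute.add(ip)
                break
    return brute, undocumented

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, {"root", "chiefeng"}))
```

Deactivating the flagged account and locking out the source address are the remediation steps; the approved-user list is the inventory the company in the incident above evidently lacked.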
However, remotely-accessed accounts and systems weren't the only sources of infections on ships.
The report also puts a great deal of attention on USB thumb drives, usually used to update systems or transfer new documents into air-gapped networks.
Some ships have proper security controls in place, but in most cases ship systems are left exposed online, where they are indexed by search engines such as Shodan or Censys.
Many of these IT systems designed for ships either use default credentials or carry backdoor accounts, putting the ship, cargo, and passengers in harm's way through sheer negligence.
The shipping industry got its cyber-security wakeup call last year when Maersk was infected with the NotPetya ransomware.
The incident incurred costs of more than $300m, and during the recovery process, the company's IT staff had to reinstall over 4,000 servers and 45,000 PCs before being able to safely resume operations.