After years spent highlighting the maritime sector’s cyber vulnerabilities, Pen Test Partners senior partner and ethical hacker Ken Munro has put together his list of practical, tactical steps you can take to improve cyber security on board your vessel.
1. Make sure your satcom system isn’t on the public internet
Most – but not all – satellite internet and communications providers offer a private IP address space as a measure to prevent hackers from accessing your satcom system.
There are various methods of determining whether your vessel’s satcom terminals are public or private.
- The quickest way is to type the satcom terminal’s IP address into an internet browser on a computer connected via a public internet connection. If the IP address space for your satcom system is private, you should not be able to access the terminal’s web interface from the public internet.
- Alternatively, you could speak to your internet and communications provider to check the policy.
- Finally, you could perform a port scan on the system to check for open ports that could make your system vulnerable to attack.
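The checks listed above can be combined in one script. This is an added example, not code from the article or from Pen Test Partners: it reports which address space your own terminal's IP falls in and whether its management ports accept connections from wherever the script is run. The port list and the sample address are assumptions.

```python
import ipaddress
import socket

# Address blocks that cannot be reached directly from the public internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
}

# Assumed management ports (FTP, SSH, Telnet, web); adjust to the terminal's manual.
MGMT_PORTS = (21, 22, 23, 80, 443, 8080)


def classify(addr):
    """Name the address space addr belongs to."""
    ip = ipaddress.ip_address(addr)
    for label, blocks in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return label
    return "public" if ip.is_global else "other special-purpose"


def reachable_ports(host, ports=MGMT_PORTS, timeout=3.0):
    """Attempt a full TCP connect to each port; return the ones that accept."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed, filtered or timed out
    return found


def exposure_report(addr, ports=MGMT_PORTS, timeout=3.0):
    """Run against your own terminal from a connection outside the vessel network."""
    open_ports = reachable_ports(addr, ports, timeout)
    return {
        "address": addr,
        "address_space": classify(addr),
        "reachable_ports": open_ports,
        "exposed": bool(open_ports),
    }


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address; use your terminal's IP.
    print(exposure_report("192.0.2.10", timeout=1.0))
```

Any entry in `reachable_ports` when the script is run from outside the vessel network means the terminal answers from the public internet and should be raised with the airtime provider.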
2. Change the manufacturer’s default passwords on your satcom system
Astonishingly, this is “by far the most common problem,” according to Mr Munro.
Most often, when the satellite terminal is installed, the installer does not change the default administrator passwords, leaving that to the operator.
Default passwords are often obvious and easy to crack.
The solution here is two-fold: create complex passwords, and only share them with those who need to know.
3. Update the software on your satcom system
Software updates are crucial to cyber security, but they are often overlooked.
In the well-publicised NotPetya cyber attack on Maersk Lines in 2017, the company lost an estimated US$300M because it had failed to update and patch its cyber security software.
Part of onboard procedure should be to ensure software is updated every time the manufacturer publishes an update.
To do this manually, check the terminal vendor’s software update pages regularly as security fixes are often hidden in the changelog and not easy to find. To cut down on the time and effort of manual checks, you could also consider using a patch update alerting service.
Updates usually include fixes for security flaws, so the more out-of-date the software is, the more vulnerable it is to attack.
4. Separate your onboard bridge, engineroom, crew, wifi and business networks
If a device on your vessel is compromised by a virus or hackers, segregated networks can help to ensure critical systems are kept safe.
One key vulnerability comes from crew members’ personal computing devices. Unless the systems are segregated, personal devices can offer a route into a vessel’s navigation systems.
It would be wise to double-check to make absolutely certain that your onboard systems are segregated.
5. Secure USB ports on all ship systems
Another device that can introduce threats to your critical ship systems is a USB stick or flash drive.
As they migrate between computers, it is very easy for USB drives to pick up malware. And phones, too, can carry malware.
With cases of ECDIS and other systems being compromised by hackers and ransomware, USB ports on your critical systems consoles should be secured.
To prevent accidental introduction of malware to vessel systems, lock down USB access. If critical systems can only be updated by USB, keep dedicated USB keys that are used for nothing other than this purpose, and store them in a secure location. While this practice is not ideal, it is better than open USB access.
6. Check all onboard wifi network passwords
Strong encryption, strong wifi passwords and strong wifi router admin passwords are a must.
Crew wifi must not connect to anything other than the internet for personal use.
Any ship systems that use wifi (e.g. tablets for comms and navigation) MUST have raised security levels, including strong authentication measures.
7. Do not rely entirely on technology for safe navigation
Officers of the watch must check navigational data coming from onboard technology against real-world conditions.
GPS can be spoofed, ECDIS positions can be manipulated and even synthetic radar can create false reports when hacked.
Whether it’s navigation, collision avoidance or loading, the human eye must be employed to ensure the situation outside the bridge reflects what the technology reports.
8. Teach your crew about cyber security
Resources such as Be Cyber Aware At Sea – developed by a consortium of shipowners and maritime organisations – are great for raising awareness and helping your crew avoid inadvertently opening the vessel to cyber vulnerabilities.
Regularly training crew in best practices is key to keeping a vessel from being compromised.
9. Ask for proof from your technology suppliers that they are cyber secure
Ask your onboard technology suppliers for evidence of security accreditations such as ISO27001 or compliance with the NIST cyber security frameworks.
A third-party audit of your supplier is another step you can take to check they are in compliance.
Technology and services suppliers are more likely to take security measures if the market demands it.
10. Get a vessel security audit
Some of the worst vessel vulnerabilities are the easiest to find and fix.
Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet, the same issue can affect them all.
“Developing a security policy, following IMO, ISO and/or NIST frameworks is important but it can take a long time for companies to implement, particularly where process and mindset changes are required,” Mr Munro said.
“However, these tactical tips can be put into practice straightaway. And [in cyber security] every second counts.”
Many of the cyber risk issues highlighted here will be discussed at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which will be held in association with Norton Rose Fulbright in London on 15 June.