Every ship on the water is prone to a cyber-attack, but some vessel types may be more vulnerable than others, industry officials say.
In general, less modern ships are more at risk of cyber-threats due to the need to pair old technology with new digital capabilities, creating possible attack vectors, CSO Alliance director Mark Sutcliffe says.
"For example, a wireless connection that has poor or no encryption can be exploited," he says.
The alliance is working on developing statistics on ship type vulnerability, beginning with 39 workshops it has run worldwide.
For example, a wireless connection that has poor or no encryption can be exploited
"This will grow as we start to market the Maritime Cyber Alliance," Sutcliffe says.
"Who knows? In the future, tankers could become targets depending on geopolitical developments in the Middle East. The next tanker war could be digital."
The alliance is a partnership between Sutcliffe's organisation and aeronautics giant Airbus to create a platform where shipowners can anonymously report cyber-attacks.
That data will then be given to maritime insurers to help develop risk and cost analysis for covering such incidents.
Measures at ports
Boxships are quite vulnerable when their corresponding ports are attacked, so the CSO Alliance has partnered with cyber security services provider Chenega International to create an alliance of port facility security officers, Sutcliffe says.
"So, we have [the] CSO Alliance and their crews at sea interacting with ports, and both the chief information security officers of ships and ports and the supply chain in the Maritime Cyber Alliance," he explains.
Long-range identification and tracking of ships, required by the IMO since 2006, is also very prone to attack, he adds.
Ship engine controls are less at risk due to manual overrides but ship and cargo tracking systems are very vulnerable.
"Ships can be made to disappear off radar maliciously to cause collisions," he says.
Engine room and navigation vulnerable
The engine room and navigation systems may be most attack-prone due to the high level of automation and equipment accessibility, says Markus Schmitz, managing director of Cypriot IT services firm SOFTImpact.
He adds that information and communications technology departments within the maritime industry often do not feel responsible for these systems as they are considered to be more operational than informational.
"As a consequence, they are often not maintained with the same well-defined and proven processes as in the office but, instead, updates and maintenance are left to the vendor or other service partners, often with insufficient central control," Schmitz says.
Furthermore, he adds that a lack of cyber-threat awareness and training puts shipping companies at great risk.
"This issue is harder to resolve, particularly under the current employment regime used by many shipping companies," Schmitz says.
He insists that some types of ships may appear more appealing than others to digital hacking by threat actors — for various reasons.
Physical access to passengers
"Passenger vehicles appear vulnerable to opportunistic attacks by 'script kiddies', simply due to physical access of passengers onboard," he says. "Oil and chemical tankers may be more open to attack due to the potential environmental impact such an attack may have."
He adds that boxships may interest hackers looking to steal high-value goods, while bulkers may seem the least worthwhile given they usually carry raw commodities such as coal and wheat.
"We have to understand that several past incidents, like the Maersk NotPetya attack, should be more interpreted as accidents than as targeted attacks, and such non-targeted attacks may hit anyone in the industry," he says.
Cyber recommendations
The International Association of Classification Societies (IACS) has published nine of 12 recommendations on cyber safety aimed at producing cyber-resilient vessels.
The guidelines are designed to foster a higher understanding of the interplay between ships' systems and provide protection beyond software errors.
They also address the need for appropriate response and recovery in the event of failed protection as well as a means of cyber-threat detection.
"IACS believes that cyber safety is now much a part of its remit to deliver safe shipping as the more traditional focus on hull and machinery," says the agency's permanent secretariat, which is led by secretary general Robert Ashdown.
"This is a long-term initiative and reflects the need for guidance for newbuild vessels to complement the operational guidance provided by Bimco and others."
The department says all IACS members will be required to participate in forming and carrying out effective cyber security measures through ongoing input and practice.
"IACS is also committed to engaging on cyber matters with industry partners via the IACS Cyber Systems Joint Working Group and the IMO, and other regulators as required," says the IACS.
