Hackers geared for new attacks on shipping, says class society expert
By James Brewer
Maritime interests must step up their defences against the threat of serious cyber attacks, an expert associated with classification society Bureau Veritas has urged.
Yohan Le Gonidec, head of the shipowner support department at Tecnitas, a subsidiary of Bureau Veritas, said that the number of known cases was low – a check of the internet turned up only five – but there were serious concerns.
Mr Le Gonidec was addressing practical issues in the wake of the publication of BIMCO guidelines on cyber security, which he said would help decrease vulnerability in the maritime world through assessment and mitigation of risk. Speaking at the 2016 conference of IUMI, he warned of the dangers: “Ships and shipping companies are highly vulnerable today and will be more and more vulnerable if cyber-security risks are not properly addressed.”
Significant holes had been found, said Mr Le Gonidec, in the three key technologies seafarers use to navigate – GPS, Marine Automatic Identification System (AIS), and Electronic Chart Display and Information System (Ecdis).
Hacking AIS data is possible, he asserted. Installed in an estimated 400,000 vessels, AIS is currently the best system for collision avoidance, maritime security, aiding navigation and accident investigations. Somali pirates had used AIS data as “a shopping list.”
Mr Le Gonidec referred to the tilting of an oil rig in 2014 to the point where it had been forced to shut down. In another case, onshore systems were hacked to facilitate the transport of drugs. Elsewhere, a yacht had been forced to change course because of a hacked GPS signal.
He feared that some shipowners had shown little concern about cyber-security, but awareness had increased during recent years. Some businesses might have been reluctant to report.
Cyber risk was specific to the company, the ship, the operation or the trade. Shipboard systems offered vulnerabilities – Mr Le Gonidec calculated there were around 30 on a typical ship.
The BIMCO guidelines set out measures to raise awareness of the safety, security and commercial risks for shipping companies; protect shipboard operational technology and information technology infrastructure and connected equipment; manage users, ensuring appropriate access to necessary information; protect data used on ships, according to its level of sensitivity; authorise administrator privileges for users, including during maintenance and support on board or via remote link; and protect data communicated between ship and shore.
Specific vulnerabilities should be identified, said the Tecnitas executive, and these included the human factors, and the policies and procedures governing the use of the system.
High-risk and very-high-risk consequences could include disruption of the ship's commercial operations, loss of cargo, loss of the ship (through grounding, for instance) and passenger deaths.
The main effort is to identify which weaknesses could lead to such catastrophic scenarios. A lower level of protection could be accepted for more limited risk.
The whole question should be discussed by top management, insisted Mr Le Gonidec, adding an interesting acronym: the risk is evaluated considering the impact on Confidentiality, Integrity and Availability (CIA).
Improving cyber-security meant performing risk assessment studies at design level (shipbuilder) and for existing vessels (shipowner), which could be done using assessment software.
Class societies were building their solutions to increase the safety of ships, such as specific second-party audits for the account of the builder or shipowner. They were moving to define rules to obtain a cyber-security additional notation, which currently is on a voluntary basis. The idea is to perform checks and approval for the whole system, including the whole chain of suppliers.
Aron Sørensen, chief marine technical officer at BIMCO, cited the 2016 cyber security survey carried out by IHS Markit in association with BIMCO. Of 300 respondents, 65 had been victims of a cyber attack. Malware was used in 77% of the attacks, and phishing in 57%. In 48% of cases, there was loss of corporate data; in 21%, financial loss; in 67%, IT system functionality was hit; and in 4% shipboard systems.
Professional hackers had been hired to go on board ships to test defences, and found cases where there were no passwords on the computer or to the network; anti-virus systems needed updating.
BIMCO was close to finalising an e-learning programme, with a survey out asking members what they wanted to see. A panel established in 2015 by the International Association of Classification Societies would be helpful. It was important that ships were built with cyber secure networks and components, and used contemporary software. “The entire industry needs to work together,” declared Mr Sørensen.
The discussion at IUMI’s legal and liability committee workshop turned to the question of the future possibility of unmanned ships, and the absence of personnel on board in the event of a casualty, obligations under search and rescue, and humanitarian responsibilities. One comment was that aviation is highly automated but has pilots on board.
One of the panel members, Robert Veal, a barrister and a research fellow at Southampton University who had earlier given a presentation on the extent to which autonomous ships would conform to current regulation, said that the analogy with aviation was a good one. “In studies at Southampton, we drew on this a lot. In the short term, even if there is great confidence in the technology, at least at the outset you will always have people on board to intervene if something does go wrong. This is very much a work in progress.” There could be equal capacity on board for conventional operation.
The international obligation to render assistance is limited to the capabilities of the relevant vessel, said Mr Veal. “It is the specification of the autonomous ship that is going to dictate its obligations in search and rescue.” It would be in the interest of those promoting unmanned ships to see if they can contribute to search and rescue operations, but “it is in no way going to hinder [the development of] unmanned ships.”
A member of the audience asked the panel: “Do you think there could be a malware event affecting a number of ships?” Mr Le Gonidec replied: “It could happen, but I do not think it would be simultaneous.”
Mr Sørensen said that the shipping industry could be attacked on a broader scale, but criminals could go for systems ashore, for instance erasing certificates of seafarers rather than the capabilities of ships themselves. If they ‘took out’ the GPS for example, there were always back-up systems that would allow the ship to navigate.
Frédéric Denèfle, the IUMI committee chairman, asked whether shipowners were prepared to spend money to prepare their people to face cyber attacks. Mr Sørensen replied that some of the defensive measures did cost a lot, but much could be achieved by people “purely acting sensibly.” Mr Sørensen added: “I think we should aim for the future and put these efforts into newbuildings, and that would be a small amount of money.”
Mr Denèfle said that unmanned vessels represented both an opportunity and a potential straightforward safety and security challenge for shipping activities … “but developing a legal framework is not impossible.”
Highlighting the globally perceived threats, at the beginning of November 2016 the UK Government announced a new £1.9bn five-year National Cyber Security Strategy. This aims to ensure that the UK remains “at the vanguard of the digital revolution” while protecting the national interest and the UK economy. The government will work with regulators, insurers and investors to compel businesses to manage cyber risk.