Shipboard Operational Technology: At Risk from Human Error and Cyber Attacks

As you stand on the bridge of a modern container ship, freighter, cruise ship, etc. what do you see?

You see a variety of digital and analog systems including touchscreens, keyboards, mice/trackballs and even laptops. As a cybersecurity professional, I see a variety of opportunities for a cyber attacker to inject malware to take over systems or at least knock them out of service and imperil the vessel and cargo. Even an unprotected USB port on the bridge could actually be an opening for an attack.

The new digitized bridges and engine rooms have revolutionized the operation of the ship; however, they need to be actively protected by the ship’s operator, captain, chief engineer and crew.

INFORMATION TECHNOLOGY VS. OPERATIONAL TECHNOLOGY

Let us look at the two primary categories of digital systems aboard a ship. Information technology, aka “IT,” deals primarily with data and the flow of digital information. IT is traditionally used to describe the use of computers for information processing and management (think “email”).

IT systems support the ship’s operations. Shipboard IT systems are doing the same things as you would find in any shore-based business. For instance, some categories of shipboard IT may include the following:

• Administration
• Business reporting
• Crew lists
• Customer relationship management
• Desktop and laptop computers
• Electronic manuals and certificates
• Email systems
• Enterprise resource planning (ERP)
• Ethernet/IT network
• Financial accounting
• Human resource management
• Load planning and scheduling
• Passenger ticketing and payments
• Planned maintenance
• Spare parts management and procurement
• Vessel and terminal scheduling and planning
• Work permits

The second category of digital shipboard digital technology is Operational Technology, often referred to as “OT.”

The way to think of OT – it includes hardware and software technology that monitors industrial equipment, assets, processes and events, and can control these industrial processes and equipment. 

A simple way to think about IT vs OT is IT is your email system and OT is a thermostat. IT moves and manipulates data, while OT monitors and controls industrial processes.

Shipboard OT systems may include the following:

• Alarm monitor and control system
• Anchor and mooring winch control system
• Bow thruster control system
• Cargo control and handling
• Data loggers
• Dynamic positioning
• Electronic chart display and information system (ECDIS)
• Engine control
• Global navigation satellite system (GNSS) or SATNAV
• Hull/Ballast system
• Loading and stability computer
• On-board measurement and control
• Propulsion control
• Reefer container monitoring system
• Remote support for engines
• Ship safety system
• Steering control
• Water ingress detection system

 A key characteristic of OT systems is that human safety is a paramount requirement followed by protection of the processes. Fault tolerance is essential and even momentary downtime is not acceptable.

In comparison, if email is down for an hour, human life or property is not impacted; however, loss of an OT system could result in death or injury, environmental spill or impact, and/or damage to property and the ship. Imagine what could happen if steering control were lost? What about fire protection systems being knocked offline? Both could be catastrophic under certain circumstances.

According to Naval Dome (https://navaldome.com), cyber-attacks on the maritime industry’s OT systems have increased by 900% from 2017 to 2020. They also reported that 2020 would end up with more than 500 major cybersecurity breaches. Substantially more go unreported.

Naval Dome’s head of North America operations also stated in 2020, “… Operators rarely know if an attack has taken place, invariably writing up any anomaly as a system error, system failure or requiring restart.”

CASE STUDY: ELECTRONIC CHART DISPLAY

An important OT system on board a ship is the electronic chart display and information system (ECDIS). This system is critical for ship navigation and course planning. ECDIS integrates data from several electronic navigation sensors and displays it on a video monitor both in the form of a graphic image and alphanumeric information.

Nominally, there are at least six inputs into the ECDIS. They include data from the following OT systems:

1. Global positioning system (GPS)

2. Automatic identification system (AIS)

3. Radar and automatic radar plotting aid (ARPA)

4. Ship’s gyro compass

5. Ship’s echo sounder

6. Ship’s speed log

Additionally, the ship’s physical parameters—length, beam, draft, tonnage, engine power, types of steering, maneuvering characteristics, etc. are entered into the ECDIS so it can predict the outcome of an intended maneuver or course change.

These inputs can affect the accuracy, precision and reliability of the ECDIS. Therefore, they are very important for accurate navigation and plotting. These inputs can also affect visual and audible alarms when in a dangerous situation such as a vessel on a collision course or a contact having a closest point of approach (CPA) closer than set in the Captain’s Night Orders.

In a May 24, 2018 article in the publication Safety4Sea, there is recognition that the ECDIS is highly relied upon and can fail due to human error. This article noted that the number of ECDIS failures has increased when USB flash drives and charging cables are connected to the ECDIS.

For instance, three ECDIS failures occurred in 2010. They were caused by malware/viruses on USB flash drives resulting in malfunctions. The malfunctions can result in error messages and false alarms. In 2016, a seafarer plugged his smartphone into the ECDIS to charge it, and as the phone began to update itself, it wiped the entire chart folio. This could be especially catastrophic if the ship is transiting a highly congested corridor or navigationally restrictive channel.

Another very important data feed to the ECDIS is the GPS signal. GPS spoofing is an attack on the GPS signal with the goal to override a GPS-enabled device’s original location. This spoofed signal can produce an incorrect position, erroneous navigation or flawed timing information.

GPS spoofing is done by an attacker using a radio transmitter that broadcasts fake GPS signals and interferes with GPS receivers nearby. For instance, an ECDIS could display the incorrect GPS location or clock time because of a spoofing attack.

A Nov. 12, 2020 article on Nextnav.com said one 2019 study found that Russia frequently spoofs GPS data to mask military activity in Syria, Crimea and elsewhere. As of 2020, more than 7,900 ships have experienced GPS outages connected with Russian GPS spoofing activity since 2016 – a significant hazard for maritime activity that relies heavily on GPS receivers for positioning and navigation.

The study also found that Putin’s movements are frequently masked by GPS spoofing activity. Unfortunately, during the early days of the Russian invasion of Ukraine, jamming and spoofing of navigation systems occurred.

When originally developed, the Automatic Identification System (AIS) was used as a safety precaution to avoid collisions at sea. With time, AIS use has evolved and there is increased reliance on the system. Today, governments and security agencies also use AIS to detect and prevent illicit activities at sea. 

Ship AIS spoofing involves creating a nonexistent vessel or masquerading a vessel’s true identity—possibly for military or illegal purposes. In this case, this results in the spoofed ship hiding or transmitting false positional data so that a vessel appears to behave legitimately and deceives stakeholders and authorities. 

AIS has cybersecurity problems, too. The U.S. Maritime Administration has advised that AIS devices do not inherently have virus or malware protection, so cybersecurity best practices against hacking should be adhered to if you connect your AIS to a network or update it using removable electronic devices (e.g., USB drives).

As observed above, the ship’s physical parameters – length, beam, draft, tonnage, etc. are entered into ECDIS so it can predict an outcome of an intended maneuver or course change. What if the draft value were significantly reduced? This could result in the ship running aground with no audible or visual alarms occurring. The integrity of the ECDIS setpoint data needs to be ensured.

OT AND ON-VESSEL CYBERSECURITY PLANS

As this article has attempted to demonstrate, OT systems are prevalent on board your ship and they have cyber security vulnerabilities that should be alleviated. Here’s a few thoughts on actions you should at least take as recommended by the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA):

• Create an accurate OT network map to detail “as-operated” assets: Understand your key systems/components and how they connect in the network.
• Manage your passwords: Change the password on your OT devices from the manufacturer’s default. Change the passwords on a regular basis. This applies to IT systems, too.
• Restrict network access to critical vessel systems (e.g., ECDIS): Segment your IT and OT networks to prevent their uncontrolled cross-communication. This includes Wi-Fi connectivity.
• Ensure your critical OT systems are not directly accessible via the internet: Eliminate and/or control any third-party connections to your critical OT systems.
• Update software on critical OT systems and devices: Make sure your systems and devices are running the most recent version of software and ensure they are updated when the manufacturer releases an update.
• Secure USB ports on all critical IT and OT systems: If you need to use a USB for updates, ensure that the USB is virus-free before using it on the component. Keep dedicated USBs locked up in a secure location.
• Physically secure your critical IT and OT equipment on the ship.
• Create an OT resilience plan and incident response plan: Implement a continuous and vigilant system monitoring program.
• Use trusted cyber security advisors familiar with shipboard IT/OT systems to help you implement these guidelines. With your defensive efforts, successful cyber-attacks on the maritime industry’s OT systems will not increase in the immediate future.  

Ernie Hayden, MIPM CISSP GICSP (Gold) PSP, is an industrial control systems cyber and physical security subject matter expert. He has extensive experience in industrial controls security, the power utility industry, critical infrastructure protection/information security, cybercrime and cyberwarfare.