Andy Cuff said all shipping operators must take cybersecurity seriously (Image: Computer Network Defence)
Britain’s maritime industry must embrace the government’s code of practice for cybersecurity to protect cruise ships, passenger ferries and other vessels from cyberhackers.
To date, the maritime sector has mostly turned a blind eye to cybersecurity – because ships are moving targets, they are often perceived as too difficult to attack and of little value to hackers. However, the threats are real and recently there has been an increase in the number of cybersecurity breaches at sea. For example, superyachts have been remotely controlled by hackers, while container shipping line Maersk has been devastated by ransomware. Recent events have shown that this perception is wrong, so cybersecurity ought to be as routine as loading containers correctly and providing physical security to ward off pirates.
The exponential rise in connected technology, coupled with a laissez-faire attitude to security, has resulted in many maritime vessels and fleets becoming easy victims. In addition, recent publicity about poor security in the maritime sector has resulted in many attackers pouncing on this weak and lucrative link.
Passenger shipping is more vulnerable to attack than other sectors of the maritime industry – cruise ships and ferries are effectively welcoming potential hackers aboard in the guise of passengers. They not only have prolonged access to both the guest and crew wi-fi networks, but also physical access to the network itself. Consequently, management must make sure that guest wi-fi is segregated from the other networks on the vessels. If the networks are not effectively segregated, then there’s a much greater risk of the operator’s systems being hacked.
The problems can largely be rectified if the maritime industry embraces the Department for Transport’s Code of practice: cyber security for ships. The document explains and defines the risks facing the industry and advises how they can be combated. It is designed for organisations with one or more ships, as well as insurers, ships’ senior officers and those responsible for the day-to-day operation of maritime information technology, operational technology and communications systems.
An achievable and affordable starting position for companies in the maritime sector is the UK government-backed Cyber Essentials scheme, which covers five of the most important controls that help to protect against 80% of the current cyber threats. Many of Computer Network Defence’s (CND) clients are surprised at how achievable Cyber Essentials is – users who are IT literate can self-certify, and we provide differing levels of support.
I would also strongly advise that the connected control systems onboard vessels are segregated from other networks. In addition, we occasionally go on to provide clients with some deeply technical support, such as detecting when their mobile phone calls are being intercepted, bug sweeping and remote monitoring from our Security Operations Centre.
To safeguard its future, the maritime industry must defend itself against cyber threats or it will be holed below the Plimsoll line.
Andy Cuff is managing director at Computer Network Defence