Cyber Security: The Emerging Threat to Passenger Safety
Not a day goes by when we do not hear of a company breach, a cyber-attack or a company facing a virus or ransomware scenario. Although defenses can be put in place to mitigate such issues, every industry is uniquely different. We have seen an evolution in the cruise industry, with the rising levels of passengers resulting in the introduction of new technologies and the Internet of Things (IoT) in order to make the journey more engaging and personalized. This new technology means that every facet of the ship is digital, from the dinner reservations to locating people on the ship.
With thousands of people’s information available, digitization makes cruise lines a target for hackers.
New and emerging technology can be vulnerable to an attacker because of its reliance on internet connections. Email phishing can be used to implant a virus onto a ship, and just as easily one of the thousands of passengers on board can open an email or connect an infected USB drive and so provide an attacker with access to the internal systems.
Although these should be of concern to any company, in 2017 the biggest threat vector was the internal user. Mistakes, whether made intentionally or unintentionally, were left unreported, mainly due to concerns about repercussions for the employee; this alone has caused more companies than ever to face this scenario. Whether you are on board a ship, within a port terminal or assisting with bookings at an office, mistakes happen when education and training are not implemented correctly or at all.
In recent years, cruise liners have become reliant on the interconnectivity of IT systems and operational technology to create a digital environment to manage the successful delivery of a holiday to every passenger. As ships become smarter, the dangers increase tenfold, raising the risk of cyber-attacks whose effects can be devastating. The Transport Department in the U.K. Government issued a warning in the “Cyber Security for Ships” code of practice in 2017 about the vulnerability of the maritime industry, stating that if the computer systems are hacked, then at worst there could be a danger to life. If the hack were a terrorist move, then this could certainly be the case.
However, the cruise industry is far more likely to have the data of its passengers taken advantage of. For example, if a passenger’s data such as a bank card or personal information has been uploaded onto the online systems (which would be used to make their stay more personalised and automated), then their details can be infiltrated and they could become the victim of fraud.
As IT becomes increasingly involved in every aspect of our lives, it’s easy to see clear advantages, but this also brings vulnerabilities, challenges and safety to the forefront. Researchers have demonstrated that it is possible to remotely take control of a vessel by spoofing its GPS positioning, gaining the ability to manipulate the operational control panels that manage the ship’s propulsion and, through ransomware, to disable the ship until the hackers have been sated. This of course would be devastating to a cruise ship, causing chaos on board, putting passengers in peril and ruining the company’s reputation.
The cruise industry has a proven ability to compete with other holiday destinations. However, this will quickly diminish if passengers feel unsafe. It is apparent that the time has come to define a clear and secure cyber security strategy, which is paramount to maintaining customers’ confidence in the cruise industry.
The maritime industry has previously failed to recognize the risks of cyber-attacks. However, with cruise ships becoming floating digital worlds of their own, it is crucial for the safety and integrity of the industry and its passengers that cruise lines start recognizing and understanding the increasing threats and what the outcomes could be.
So where are the particular areas of concern that need to be raised within shipping?
Cyber-attacks in the maritime industry are more often left unreported than onshore attacks. In today’s industry, more and more ships are internet connected, resulting in the risk of a cyber-attack at sea being more dangerous than onshore.
The lack of any inbuilt encryption or authentication codes for navigation systems is an issue, and attackers can and do see shipping as a soft option for attack, be it for enjoyment, state-sponsored or for ransom.
Everyone has heard of the day-to-day breaches occurring within the leisure industry. However, let us not forget that many ships have multiple point-of-sale (POS) terminals in place. If left unsecured, with no antivirus, accessible to the internet and on a primary infrastructure network, these are a popular chosen attack vector following attempted Wi-Fi hacking or a phishing campaign.
Cyber security training is a requirement for all employees, from the owner of the shipping company to the junior deck hand. In 2015 only 12 percent of crew received cyber security training. In subsequent years this figure improved slightly but remained well below the size of the growing threat. In 2017 reports indicate only 47 percent of crew were aware of cyber-safe policies or cyber hygiene guidelines, which is better but still not even close to making the industry cyber secure.
The main problem with cyber security is the belief that preventative measures are expensive; there is no understanding of the value, and many believe it won’t happen to them. The general perception is that being hit by an attack is very unlikely, hence expenditure to apply safeguards is not a priority concern. A common response you will hear is that cyber-attacks are largely an onshore issue. The reality is that where there is technology and people, the exploitation of technology for nefarious means will always take place in some form, be it at sea or onshore.
Remember, cyber-attacks not only cost money to correct but also affect the reputation of the company: a reputation that the maritime industry has built over years of service, yet one that can easily be destroyed because of a lack of funding for appropriate cyber security investment.
Understand the risk, then the value and then check the price of not taking action.
Ian Richardson is CEO and Co-Founder of TheICEway and Patrick Carolan is Technical Director for CRIBB Cyber Security.