ContributionsOperationsTech

Fear, fake news and cyber hype

Rod Johnson, an occasional Splash contributor, attacks those who peddle cyber fear to sell their products.

Hackers took ‘full control’ of container ship’s navigation systems for 10 hours

Tanya Blake, editor, Safety at Sea, 22 November 2017

 

Remember this? It didn’t happen. Fake noos.

Like so many scary cyber stories, this one isn’t true. Not only that, it couldn’t be true. This is a quick examination of the way that declining editorial expertise is diluting the maritime press, the woeful lack of expertise in self proclaimed marine cyber experts and marine cyber risk as actually experienced.

There are clues in the article to the identity of the ship allegedly hacked. I used these clues, and the excellent Clarkson’s SEANET service, to find the one ship that fitted the profile, and was in the right place at the right time (if we go with the idea that a post panamax container ship on a voyage from Cyprus to Djibouti wouldn’t fit into Limassol). Then I made discrete enquiries with the owner, who of course was in very much in tune with what’s going on with other German owners. The net result is that the target ship wasn’t involved and neither was anybody else’s ship, in the Red Sea or anywhere else. While we’re on the subject of apocryphal stories, the story doing the rounds that hackers capsized a semi-sub also never happened.

These enquiries took me a couple of days, allowing for other people’s busy diaries and properly framing the enquiry to obtain a candid answer. Fact checking is easy. Even for journalists.

Then I looked at the nature of the source. I also spoke with the editor about the source, who quite rightly chose to protect it so I suppose we’ll never know just how well informed, reputable and expert the source is. I’m sure you can form your own opinions on that. All of the claims made are hearsay. I couldn’t help but notice the massive conflict of interest from the source, who appeared to be doing nothing more than inventing a scary story to sell a product. So now we’re at no facts checked, no first party involvement and crude fear based marketing. And this in an otherwise respectable maritime journal.

Finally, even though as a ship driver I know this sort of thing can’t happen I took a quick trip through SOLAS as applied to a ship with a post-2010 keel date and over 300 gt (our candidate ship). We’ll assume that it had a fully integrated bridge, a VSAT or equivalent connection, a UMS and a NAV-O class notation. I soon discovered that the steering gear is still capable of manual operation, there is remote control of the main engine complete with an emergency stop operated by a dedicated electromechanical means, a magnetic compass and a folio of back up paper charts. The steering gear is also capable of being operated directly and locally, as is the main engine. Plenty for the enterprising deck officer to be getting on with in the absence of anything else.

Even if we assume that quite incredibly every single electronic navigation system was connected to the internet, used a commonly available remote user interface, there were no access controls, there was a visible IP address for every component and that there was little or no latency in the ship/shore connection our Somali cyber pirate would find that the crew had, in the face of his fiendish attack, switched off the electronics and reverted to full manual control.

The fanciful attempt to remotely pilot the ship into the clutches of armed thugs whilst the helpless crew looked on would be instantly thwarted. I accept that for the purposes of this scenario the Third Officer may, on discovering that the display screens on the bridge had gone dark, have had one or two anxious moments trying to recall the significant points of his or her navigation lectures whilst trying to locate the sextant and the azimuth circle for the magnetic compass (helpfully buried underneath the mops and buckets in the cleaning locker).

The sad fact is that many of the cyber ‘experts’ currently peddling fear to sell their services don’t have any professional maritime experience or any real understanding of ship operations and they seem to be increasingly desperate to gain some traction by trotting out increasingly risible stories. This is really harmful to an industry that does have an issue with the risks attached to increased automation and ships becoming always on line and is trying to find a sensible and practical approach to the real risks .

I saw a recent LinkedIn post suggesting that hackers could snap a bulk carrier in two by remotely hacking the loading computer. The headline picture was of a tanker. Not only could the author not distinguish between a tanker and a bulk carrier, he was quite obviously completely ignorant of bulk carrier loading procedures and the role played by the Chief Officer in not snapping the ship in two. You know who you are. Take it down.

It would be remiss of me not to restate the current actual state of cyber threat facing modern shipping. Crews are becoming increasingly reliant on equipment powered by computers in the same way that they were once reliant on equipment made of mahogany and brass. Smaller crews are increasingly reliant upon automation to carry out the essential work of machinery and cargo condition monitoring. Ships crews increasingly want access to social media and the internet to relieve the isolation and boredom they experience. Time in port, shore leave and adventure have been denied them by reduced turnaround times, remote terminals and ports and shore authorities that now view good hearted simple sailors as prototerrorists.

That electronic equipment can be damaged by introducing malware into it, usually locally and usually negligently when physical media normally used to host the Second Engineer’s porn collection is used to move data between platforms on board. The same effect can be achieved with the use of a large hammer or a fire hose. Insurers see physical damage by negligence in exactly that way. A well run ship with a competent crew will care for electronic equipment in the same way that they used to care for mahogany and brass equipment. The sage advice provided by BIMCO and the Lloyds Market Association is all they need to do that.

For the most part ships systems acquire security through obscurity. In spite of that obscurity I am not advocating complacency; far from it. Modern ships are complex and vulnerable to equipment damage either through negligence or malice. What I am saying is that ship owners can safely ignore the doomsday hype of snake oil salesmen and focus instead upon supporting their crews to increase resilience and reliability at the people level. That might mean a few extra sailors to man the gangway or steer the ship in extremis, a review of security policies and procedures and some education.

Superintendents! Next time you are doing a navigation audit simulate the loss of GPS, trackpilot, ECDIS and Radar and see how long it takes the bridge team to get the ship back under full control. It’s often amusing, always educational and is a good pointer to increasing reliability and resilience .

Modern shipping requires instant communication to be profitable. The experiences of Petya and Notpetya demonstrate how disruptive having communications denied at the enterprise level can be. Sensible controls should be placed on ship to shore communication to prevent the remote infection of communications equipment by email attachments. The IT real estate controlling communications and ships systems should be physically separated. Commercial safety precautions look and feel similar to operational safety precautions and are for the most part people centric. Firewalls and antivirus programmes fulfil the same function as PPE, which is to be the last line of defence if every other safety control fails.

The cyber world we choose to live in offers some wonderful opportunities as well as some new threats. The best way to treat these new threats is to understand what safe behaviour looks like and to promote that behaviour on board. Owners should focus on that before buying another black box or needlessly worrying about evil masterminds seizing control of their ships using a slightly modified Playstation. That only happens in Hollywood.

Splash

Splash is Asia Shipping Media’s flagship title offering timely, informed and global news from the maritime industry 24/7.

Comments

  1. Rod, this an excellently articulated summary of the depths that desperate ignorant cyber-security sales people will stoop.

    Risk protection comes from process, and not the cheap black-box that Del & Rodney will try to sell you in Peckham High Street!

    I wrote for another industry media about this same non-sense, this fake news, recently – as the claims made were completely incorrect and assumptions fundamentally flawed. I will place a name on the origins of the fake news – Pen Test Partners!

  2. Andy — as ever – brilliant comment – would you be keen to elaborate in a contribution for Splash?

  3. Indeed. If an organisation is discounting any (or all) of the people, process and technology components involved, well, it’s flawed. I recently wrote about how one of the more petrifying stats in recent years I’ve read was not really a ‘cybersecurity’ statistic at all. It was from a UK Axelos report showing 75% of organisations suffered staff-related security breaches in 2015. That same report also revealed that very few senior cybersecurity professionals consider their employers, employees, officials and/or contractors ‘cyber-aware’ enough to respond to any data/systems breach and/or ‘attack’ at the organisational level. I’ve also read the numerous reports on ‘alleged’ BAPLIE vulnerabilities. It’s problematic for those of us who do advise on genuine issues with legacy systems. It’s problematic for those of us doing genuine research. It’s not unrealistic to run simulations on all manner of scenarios. Any such scenarios are also flawed unless people and process are incorporated along with any technological considerations. The ability to disrupt a shipping operation can be as sophisticated as a USB stick and a disgruntled employee.

  4. Now you understand why, after a career spent in what is now called “cyber security,” I decided to devote what time and energy I have left to the study of system safety. The amount of hype and snake oil in the former just became too much to deal with.

    I would suggest a note of caution while attempting to gain perspective. To use military terminology, cyber attack is a force multiplier but you have to have a force to multiply. Is it reasonable to fixate on a “pure” cyber attack that achieves its objectives with no other elements involved? Almost certainly not. Is it reasonable to consider cyber as an element in an attack that also involves physical and psychological means to achieve political, ideological, or criminal aims? Absolutely. Such attacks are systems exercises, and defense against them requires a systems perspective.

  5. Accurate and fair… There is an underlying truth that nobody dares speak of. We do not respect, trust or train our seafarers properly. Management of ship operations is woefully short of the committment and focus on human factor impacts on cyber security, on operational risks and the increasing technological advancements.

    Over 50% of all cyber incidents are lack of human training and bad process. Over 80% of all incidents at sea are human factor through poor training. Over 90% of all certified training in a certain Far East country is done on pirated outdated software.

    A certificate is not competence. A lack of strict board level to deck hand understanding of risks and results will produce security, safety and environmental breaches, incidents and disasters. No amount of technology will stop this. You either remove the human altogether, or respect them with proper training, proper investment, proper interfaces and proper proper process and company commitment from the top.

    This applies to cyber security and to the disruption of the current old fashioned ship management style…

  6. I’m just reflecting on Frank’s excellent points as I pen my next one about the gap between ambition and ability I find every day in ship management. I suspect it’s an orthodoxy that recognises cost but is blind to value. Thanks for the measured and valuable commentary from everybody. Season’s greetings!

  7. A stylish, witty, clear, and properly researched, article. Thank you, Rod.

    I particulary liked the gentle sarcasm, but I do wonder if some of it might pass over the heads of some readers!

Back to top button