I, Pirate: A cyber story in the maritime industry

Aybars Oruc discusses how shipping must get to grips with cyber attacks.

I, Robot – the 2004 film adapted from the short story by American author Isaac Asimov – has an interesting scene. Two detectives are talking, and we hear this dialogue:

I guess we’re gonna miss the good old days.

What good old days?

When people were killed by other people.

In this story, the theme is about robots that start to take the place of humans. Well, in the future, are we seamen set to be replaced by technology?

Even though we cannot yet talk about unmanned ships, it is possible to talk about unmanned ship projects. For instance, the MUNIN (Maritime Unmanned Navigation through Intelligence in Networks) project is a significant one that has influenced the marine sector and bothered every seaman who has heard about it. For some, this is all an imaginary project. However, others believe that this project cannot be stopped and will entirely change the maritime sector. Today, the people developing this project, for which navigational areas for testing are being determined, have only one question in hand: cyber attack.

In general, a cyber attack is understood as expert individuals or institutions infiltrating computer systems, through computers and the internet, to damage or steal information. Generally, cyber attacks are carried out for entertainment, for information theft, for economic gain, to attract attention, or to prepare for larger attacks.

Despite warnings from major maritime authorities and class institutions such as IMO, BIMCO, ICS and INTERTANKO, most in shipping have been ill prepared for any attack. This changed when Maersk was hit in June last year and lost nearly $300m.

Close your eyes and imagine that your ECDIS, GPS, and even AIS devices are hacked. Imagine that your main engine stops running during navigation in narrow waters. Now open your eyes, because this is all happening in the maritime industry.

After a cyber attack on your vessel, you may notice that you are in a different location than you should be, and you may suddenly run aground. Your vessel may collide with another one. The vessel may be an aframax, a chemical tanker or even an LPG carrier. In such cases, try to imagine the possible effect on you, the vessel, the cargo or the marine environment. How many people would die?

The main systems on a merchant vessel that could be affected by a cyber attack can be listed as follows:

  • Bridge Navigation Systems (GPS, ECDIS, AIS etc.)
  • Communication Systems (V-SAT, FBB etc.)
  • Mechanical Systems (Main Engine, Auxiliary Engine, Steering Gear etc.)
  • Ship Monitoring and Security Systems (CCTV, SSAS, Access Control Systems etc.)
  • Cargo Handling Systems (V/V Remote Control Systems, Level/Pressure Monitoring Systems etc.)

Well, is it possible to protect these systems and prevent damage from an attack? Let’s take a look. Around the world, many people are trying to find an answer to this question, but it is hard to give a concrete one. Although it is impossible to escape attack altogether, the risks can be mitigated. They can be minimised by keeping software updated, using antivirus software, developing redundancy methods, changing default passwords after installing devices, restricting file sharing, constantly monitoring network configurations (see also Penetration Test), eliminating all problematic areas, and increasing the awareness and knowledge level of office staff and ship crew.

Also, we should consider some international developments on this subject. Under the IMO-ISM Code, all shipping companies must add the Guidelines on Maritime Cyber Risk Management manual to their SMS manuals by January 1 2021. Additionally, the TMSA regulations, which were updated at the start of this month, are also putting challenges on company managers, as the IMO-ISM Code rules do. Starting with flag states and class institutions, various reputable organisations and institutions around the world are organising training programs and publishing circulars regarding cyber attacks to raise awareness in the maritime industry. Class society DNV GL started to offer type verification certificates for cyber security for the first time in November 2017. Insurance companies have also started to add cyber security related subjects and clauses to their policies. The compulsory designation of a Cyber Security Officer (CySO) for maritime companies has already been discussed. These are only some parts of the bigger picture.

I guess we’re gonna miss the good old days.

What good old days?

Somalian pirates instead of cyber pirates. At least, we could notice them before they are done with us.


  1. In order to get the real state of the art, I suggest that everybody reads the Contributions (Splash24/7) of 20th and 22nd December 2017.

  2. Fully agree with Mr. Lars H. Bergqvist's suggestion that the material presented in a/m Contributions is an excellent debunking of cyber armageddon threats and theories. The contents of these Contributions are proof enough that the authors know what they are talking about. Allow me to chip in, although in a less eloquent and elegant way.

    Luckily there are still “some” left on board ships, who use sounding lines, do dead reckoning, use old fashioned ways to determine positions, utilize parallel indexing and were trained to use and understand plotting boards/techniques and other tricks to judge if risk of collision exists. They do some eyeballing by looking out the windows/portholes as well.
    Same guys check the drafts by eyeballing and do draft surveys or do an inclining experiment to check GM prior to departure when in doubt. They are battle hardened by confronting agents and stevedores, charterers in pre-VGM days, by proving that deeper and different drafts than expected are the result of different than declared weights of cargo and different than agreed in stow plan cargo distribution. There are still some of us left, who carefully examine vessel’s stability booklets and cargo lashing manuals, various loading programs/sequences and configurations in order to use smartly and effectively the information contained there, just in case the lights go off and screens go black.

    We use our senses, vigilance, continuously updated knowledge and experience to detect or find out what happens or how to prevent it from happening and we do not need some electronic gizmos/gadgets or black boxes to tell us what to do or alarm us. Most importantly we do ask ourselves a question: what if?
    Therefore cyber threats are not the top priority of our concern as if such hit us, we switch to manual modes and good old classics. Simple as that.

    Old salts are concerned with a clear and present danger of those who have never earned a dime doing our job but make a big pile babbling about our jobs. It is very worrying that the quasi-educated clutter of those who have never seen even the “contents” page of SOLAS or STCW gets louder and louder, jamming the voices of common sense.
    Y2K was a testing project for Owners' gullibility and the biggest scam of the closing century. Looks like the next, even bigger scam is lurking just behind the corner.

  3. Not quite #cybercrap. There’s a lot of points on different subjects mixed up in the narrative. Let’s give the author a break, he’s writing in a second language.

    Yes, ships will be more automated or perhaps unmanned in the future.
    Yes, cyber physical systems present a risk of harm if breached if and when they arrive on board.
    Yes, the defences and controls for shipboard systems are simple and straightforward.
    No, you can’t perpetrate an act of piracy with a PlayStation.

    and yes, any bridge watchkeeper who puts the ship aground because his ECDIS went dark for any reason or because he put complete faith in one navigation system wants kicking from one bridge wing to the other.
