In collaboration with Secure State Cyber, Shipowners’ Club said that it would be releasing a series of short FAQ articles identifying common cyber risks on board and what actions Members can take to ensure the security of their vessels.
The first article focuses on passenger vessels and the cyber risks associated with on board Wi-Fi and passenger devices.
Should passenger vessel owners and operators make Wi-Fi available to all passengers?
These days passenger vessels are almost always expected to provide Wi-Fi for guests, but the Club noted that there were associated risks in allowing passengers to use publicly available Wi-Fi on board.
It was strongly recommended that passengers be offered a guest Wi-Fi network, with client isolation that stops a user’s device from detecting and sending data to other devices on the same network.
It was also recommended that this network be kept completely separate from the Wi-Fi network responsible for controlling the ship’s navigation and communication systems, including the network used for on board administrative tasks.
There should be clearly established controls that prevent devices from accessing both the public Wi-Fi and the restricted systems. Further network segregation should also be implemented between the administrative network and the critical ship systems such as the Industrial Control System (ICS). This also extends to the devices that can connect to critical systems on board.
No passenger or crewmember should be able to use the same device to access both the public Wi-Fi and the restricted systems.
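The segregation recommendations above can be checked mechanically. The following is an added example, not taken from the Club's guidance: it assumes the permitted flows between networks and the device sightings per network have been exported into simple lists, and the zone names, rules and device identifiers are all constructed for illustration. It treats any admin-to-ICS flow as a finding, which is a strict reading of the recommendation.

```python
from collections import defaultdict

# Zone labels are assumptions standing in for the networks the article names.
RESTRICTED = {"admin", "ics"}

# Constructed sample data: permitted flows as (source zone, destination zone).
ALLOWED_FLOWS = [
    ("guest", "internet"),
    ("admin", "internet"),
    ("guest", "printer"),   # convenience rule for a shared printer
    ("printer", "admin"),   # printer reports to an admin-network server
    ("admin", "ics"),       # no segregation between admin and ICS
]

# Constructed sample data: (device identifier, zone the device joined).
DEVICE_SIGHTINGS = [
    ("aa:bb:cc:00:00:01", "guest"),
    ("aa:bb:cc:00:00:02", "admin"),
    ("aa:bb:cc:00:00:03", "guest"),
    ("aa:bb:cc:00:00:03", "ics"),
]

def reachable_zones(flows, start):
    """Return every zone reachable from `start` by chaining permitted flows."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def segregation_violations(flows):
    """Restricted zones reachable from guest, plus any admin-to-ICS path."""
    findings = {("guest", z) for z in reachable_zones(flows, "guest") & RESTRICTED}
    if "ics" in reachable_zones(flows, "admin"):
        findings.add(("admin", "ics"))
    return sorted(findings)

def dual_use_devices(sightings):
    """Devices seen on the guest network and on any restricted network."""
    zones = defaultdict(set)
    for device, zone in sightings:
        zones[device].add(zone)
    return sorted(d for d, z in zones.items() if "guest" in z and z & RESTRICTED)
```

In the sample data the guest network has no direct rule to the restricted zones, yet the check still reports a path to both through the shared printer, which is the kind of indirect route a rule-by-rule review tends to miss.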
Should mobile phone / USB charge points be made accessible to passengers?
A simple principle to be kept in mind was that, if a physical connection to a device was possible, then the contents of that device were accessible. However, there were exceptions and it was recommended that Members only offer Dedicated Charging Ports (DCPs) / USB ports to passengers for charging their devices.
DCPs provide power via USB ports without any possibility of data transfer.
Where anything other than DCPs is offered for charging, Members and passengers should assume that data transfer is possible from their devices.
Members can provide a reasonable guarantee of security by performing cybersecurity audits themselves or by having their systems regularly assessed for security faults or vulnerabilities.