USCG says cyber incident reveals potential vulnerabilities on commercial vessels

Prompted by a recent cyber malware incident onboard a deep-draft vessel which significantly impacted its shipboard network, the US Coast Guard (USCG) has issued Marine Safety Alert 06-19, Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels.

In February 2019 a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a significant cyber incident impacting their shipboard network. An interagency team of cyber experts, led by the USCG, responded and conducted an analysis of the vessel’s network and essential control systems. The team concluded that, although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.

However, the interagency response found that the vessel had been operating without effective cybersecurity measures in place, “exposing critical vessel control systems to significant vulnerabilities”.

Prior to the incident, the security risk presented by the shipboard network was well-known among the crew

It was not known whether the vessel was representative of the current state of cybersecurity aboard deep draft vessels, but the report said that it was “imperative that the maritime community adapt to changing technologies and the changing threat landscape by recognizing the need for and implementing basic cyber hygiene measures”.

The USCG noted that this was not just an IT issue, and pointed to cybersecurity as being a fundamental operational imperative in the 21st century maritime environment. The USCG strongly encouraged all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.

Commenting on the report, insurer Gard said that “while the IMO has given shipowners and operators until 2021 to incorporate cyber risk into ships’ safety management systems, cyber criminals are already at work. Data is an asset and protecting it requires a good balance between confidentiality, integrity, and availability. Cyber security depends not only on how shipboard systems and processes are designed but also on how they are used – the human factor”.

Nigel Stanley, CTO at TUV Rheinland, said that the maritime cybersecurity challenge could be significant. Ships were increasingly reliant on digital and operational technology to control and manage their multiple systems and, without proper controls, a cyber-related event or incident could detrimentally impact these systems and disrupt the operation of a vessel. Although most safety critical systems were designed to be fail-safe, this in itself could impact vessel availability and revenue earning.

Cyber related activism could also impact the maritime sector, he said. “As it is agenda driven, determining when a threat may give rise to significant risk can be difficult, but high profile environmental or geopolitical events may act as a catalyst”.