It’s amazing how quickly technology has turned the average boat into a sophisticated platform of computers and electronics. Fifty years ago, it would have been difficult to imagine navigational charts on a high-resolution screen or global positioning systems that told you precisely where you were at any given moment. A 30-foot cruiser used for weekend raft-ups on Great South Bay has more powerful navigational tools than the bridge of a World War Two fleet carrier like U.S.S. Intrepid.
But like anything that relies on computers and digital data, such systems have their vulnerabilities. It’s no different than our household computers and tablets that slow down due to malware or vir
uses. The issue was addressed by the U.S. Coast Guard in a recent Safety Alert after a deep-draft vessel on an international voyage bound for the Port of New York and New Jersey experienced a significant number of cyber incidents.
The Coast Guard led a team of experts from several agencies that analyzed the vessel’s network and vital systems. Essential control systems had not been impacted, despite the degradation in functionality suffered from the incident. The team concluded that the vessel lacked effective cybersecurity measures, resulting in the vulnerability of critical control systems.
Even before the incident, the crew hadn’t been using the vessel’s network or computers to check their personal email, make online purchases, or check banking information. Thus, the vulnerabilities were already known. But the vessel’s onboard systems had been used for things like updating electronic charts, managing cargo information and communicating with shore side personnel.
We might think of data breaches and cyberattacks as impacting only navigational operations. However, on modern ships, machinery spaces are centrally run from air-conditioned, soundproof control rooms… where watch personnel click a mouse to start a pump or shut down a compressor. Therefore, a ship’s main plant could be just as vulnerable as the electronic charts on the bridge.
Using the incident as a learning experience, the Coast Guard made a number of recommendations to vessel owners. Naturally, for a small vessel, whose “network” consists of the smart phone carried aboard by the owner, some of these things could be of limited relevance. But on larger vessels, the measures could help reduce system vulnerability.
The Coast Guard recommended segmenting networks into “subnetworks” that make it more difficult to gain access to essential systems and equipment. It recommended user-specific profiles and passwords, which is what many of us are accustomed to anyway at work. The goal is to eliminate generic log-ins. The Coast Guard also cautioned against external media, such as USB drives.
They recommended antivirus software and the use of patches, as well as avoiding running executable media from untrusted sources. Seasoned computer users are already aware of such protocols. However, unlike big companies, a vessel is akin to an island, where there is no helpful IT support tech down the hall.
The incident brings many legal issues to mind, such as who is responsible when something goes wrong as a result of a cyberattack. It’s a complex issue, which depending on the vessel, could touch upon marine safety, national security, and simple personal privacy. Vessel cybersecurity could, directly and indirectly, impact so many aspects of boating and shipping.
This topic could bring to mind the people who argue that electronic charts have rendered traditional aids to navigation obsolete. But then what would happen if the system ever went down in a cyberattack, and all those rusting and friendly red nuns and green cans were no longer there? The absence of those aids to navigation could have serious consequences. And that could open a debate that the people who trust their glove compartment roadmaps more than their dashboard GPS systems might just win.
Likewise, ocean navigators who cherish their trusty sextants could also argue that if all those GPS satellites orbiting the earth ever suffered a glitch, as remote as that possibility might be, they’d still be able to take a fix off Venus. And when you think about it, there isn’t much that a cyberattack can do to a well-worn paper chart or nautical almanac.
Ref: U.S. Coast Guard Safety Alert 06-19, July 8, 2019, Washington, D.C. - Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels