Referred to as ‘skiddies’ in the industry, this is typically a teenager with some technical skill, probably sat in a bedroom at their parents home.

They often have an inflated view of their own ability, usually relying on tools that others have written. The most significant issue for the victim is that script kiddies pay little attention to or have little understanding of the law and may even be too young for law enforcement to prosecute their crimes.

Script kiddies will literally play with systems on the internet. An interesting web interface that’s accessible with no authentication will be very attractive to them. Interesting buttons to click on the interface, interesting system diagrams. That button might switch off your dynamic positioning system, but they don’t care; they’re inquisitive. Sounds far-fetched? It’s actually happened.

The best defence against a script kiddie is to ensure that you have dealt with the basics of your security. If you demonstrate even reasonable security defences, they will simply move on to the next organisation that has worse security than yours.

Internet crime pays dividends. You would do well to forget the term ‘cyber’ at this point and think about what valuable data and commodities you transport.

Cyber crime is well funded and generates significant returns.

Consider delaying a vessel containing a commodity such as oil or LNG. Delaying the vessel through a cyber attack could move a spot price on the market, particularly at a time of high demand.

Crippling of a port could also create significant issues for shipping. Issues of this nature have already occurred to Maersk and COSCO. Theft of cargo can also be facilitated through hacks.

There is no one solution to defending against the cyber criminal. Following internationally recognised guidance from IMO, BIMCO and ISO27001 will better prepare a business.

One would also be well advised to carry out a role playing session with senior executives, simulating a cyber incident. From this, an incident response ‘playbook’ can be created that will significantly help in the management of an unfolding breach. Again, specialists can assist with this.

Ask if anyone on the crew knows the admin password. If not, who does know it?

Is it written down anywhere? It is often written on a note physically stuck to the terminal! Here are some examples of passwords stuck to computer systems found on vessels:

Review the password if it is supplied to you. Is it at least 10 characters long, does it have uppercase, lowercase, numbers and non-alphanumeric (e.g. !”£$%^ etc) content. However, “Password1!” would not be acceptable.

Is the password ever changed? If so, how often? Once per year would be reasonable, or when key personnel leave.

How is the terminal administrated? Does anyone on the crew know how to fix bugs with it, if it failed at sea?

When closer to shore, mobile data connectivity is often much cheaper and faster than satellite connections. Many vessels have facilities that will automatically switch to the cheapest form of data connection. Mobile data connections on crew mobile phones will also spring in to life as they approach shore.

Whilst the detail of cellular network security is beyond the scope of this, there are some basic principles that will be of use to the seafarer and vessel operator:

2G networks are easily spoofed – a hacker can trivially set up a fake cellular base station with <$100 of equipment.

3G networks require ~$5,000 of equipment to successfully spoof.

4G networks can be spoofed, but expensive equipment is currently required

Image from: www.insinuator.net