Cyber Operators Course (Op) – Module 9

Good cyber hygiene and training – How far could a hack go?

As an example, suppose you have lost track control and need to revert to manual control. Vessels are required to practise manual steering control. It’s one of the very last systems on board that has a genuine manual control, but it is still time-consuming to operate manually. Steering instructions are by VHF or telephone from bridge to steering room; this all ties up busy engineering resource that is likely to be required elsewhere on the vessel whilst arriving in port. It is a pain and lends itself to incidents. We have ships’ engineers on our team who have been there during manual control exercises.

There is also potential to interfere prior to manual control being implemented. Steering control from the bridge can be automatic (e.g. ECDIS in track control mode), heading mode (where the rudder maintains a heading), or manual bridge control. Full manual control involves disconnecting the telemotor and moving a lever in the steering room that physically moves valves to control hydraulic rams that operate the rudder.

Manual engine control can be challenging, particularly when manoeuvring:

Control is usually direct from the bridge – the engine control levers directly control the engine control systems. These communicate using serial data networks that can be manipulated.

Control can also be managed from the engine control room, through programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Again, these contain serial data communications that can be tampered with.

Manual control of a ship’s engine usually involves three sticks: one for the fuel pump, one for start air and one for engine direction. Fuel pump rate does not directly correlate with engine speed. Many variables affect this; even air humidity will change how the engine performs for a given lever setting.

Shifting the engine to stop or reverse involves using start air to restart each time. Air tanks usually contain enough air for 10 starts under automatic control, requiring 45 minutes or so to recharge. Under manual control, even a skilled operator will probably only get 5 engine starts. That’s 45 minutes and potentially 5 changes of propeller direction.

Imagine a junior officer trying to deal with failing navigation systems, all bridge sensors offline, steering gear not responding and engine levers inoperative. Manual control is an option but, as an aviation pilot, I know very well how quickly one can become overloaded with information and become incapable of dealing with a situation. Fixation on a single error quickly leads to loss of the wider picture.

Further, any number of minor incidents or technical dependencies can leave a vessel dead in the water. A colleague remembers a simple overlooked microswitch leading to start air not recharging and the vessel quickly becoming immobile.

Those serial control devices are usually connected to serial networks, hacking of which is not difficult. Similar problems have been known about for years in utilities’ industrial control systems (ICS). The same serial-to-IP converters that we’ve compromised in utilities are used on vessels. Compromise any point on the serial network and that ‘manual control’ may not work in the way intended any more.

It is better to ensure all crew are prepared: as you can see, it can get much worse. You must speak up if there are crew that don’t believe the ship can be affected.

Good cyber hygiene and training – Redundancy of systems

Does a dual system create redundancy? As an example, most vessels will have two ECDIS, or electronic chart systems, for redundancy. Few vessels now carry backup paper charts other than basic ‘get you home’ versions, as they are expensive and hard to keep updated. A colleague remembers collecting chart updates from the ship’s agent at each port, which he had to cut out and paste on to the chart.

Having two redundant systems sounds like a good idea. However, most of the ECDIS units we’ve tested have been running old operating systems or were missing critical patches and were trivial to compromise. Two easily hacked ECDIS units on board. Great!

Both ECDIS are often updated at the same time, removing the benefit of redundancy. This often has to be done, as otherwise there would be inconsistencies in the charts on each ECDIS.

Which systems on board are duplicated for redundancy? Can we list them, and are they updated at the same time?

Good cyber hygiene and training – AI monitoring AI for cyber

To paraphrase Arthur Schopenhauer, experts in their field will often attack those who question their expertise. One doesn’t need to be an expert navigator or ship’s officer in order to find issues in shipping systems.

Change has been fast on board vessels; digitalisation has come faster than many may have expected.

Talk of autonomous shipping no doubt concerns many mariners – will they be replaced by computers?  It is those experienced seafarers that have the best chance of spotting security issues when at sea.  Will the computer know the other computer has been hacked?

Can you list the IT or OT on board that is monitored for safety by IT…?  Does that create a list for a higher risk assessment or lower?

Cyber Operators Course (Op) – Module 7

Specific Compartment equipment – Bridge Operating Systems

First of all, know your OS.

The ‘OS’, also known as the operating system, is the software that supports a computer’s basic functions. Without it there would be no user interface.

Maritime type-approved hardware undoubtedly still uses a ‘standard’ OS such as Windows.

Image above: One is Linux, one is Windows. Many ECDIS systems use XP or Vista.

Before moving on, you will need to list all the bridge equipment and what OS it uses.  Which OS it uses will affect your cyber solution.  One solution does not fix all.
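An added example, not part of the original course material: a short Python script that works through the two listing exercises above (which dual systems share an OS or are updated together, and which bridge equipment runs an unrecorded or out-of-support OS). The equipment names, field names and dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory: names, OS values and dates are illustrative only.
INVENTORY = [
    {"name": "ECDIS-1", "function": "ECDIS", "os": "Windows XP", "updated": date(2024, 3, 1)},
    {"name": "ECDIS-2", "function": "ECDIS", "os": "Windows XP", "updated": date(2024, 3, 1)},
    {"name": "Radar-X", "function": "Radar", "os": "Linux", "updated": date(2024, 1, 10)},
    {"name": "Radar-S", "function": "Radar", "os": "Windows Vista", "updated": date(2023, 11, 5)},
    {"name": "VDR", "function": "VDR", "os": None, "updated": None},  # OS not yet recorded
]

# Both Windows releases named on the page are past the end of vendor support.
END_OF_SUPPORT = {"Windows XP", "Windows Vista"}


def redundancy_findings(inventory):
    """Group units by function and report what the 'redundant' units have in common."""
    groups = defaultdict(list)
    for unit in inventory:
        groups[unit["function"]].append(unit)

    findings = {}
    for function, units in groups.items():
        notes = []
        if len(units) < 2:
            notes.append("single unit, no backup")
        else:
            os_names = {u["os"] for u in units}
            dates = {u["updated"] for u in units}
            # A shared value only counts when it was actually recorded.
            if len(os_names) == 1 and None not in os_names:
                notes.append("all units share one OS")
            if len(dates) == 1 and None not in dates:
                notes.append("all units updated on the same day")
        findings[function] = notes
    return findings


def needs_attention(inventory):
    """Names of units whose OS is unrecorded or out of vendor support."""
    return [u["name"] for u in inventory
            if u["os"] is None or u["os"] in END_OF_SUPPORT]


if __name__ == "__main__":
    for function, notes in redundancy_findings(INVENTORY).items():
        print(function, "->", notes or ["no shared weakness recorded"])
    print("Check OS:", needs_attention(INVENTORY))
```

A pair flagged with both notes, like the two ECDIS units here, fails together: one flaw or one bad update reaches both units at once.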

An operating system is the most important piece of software that runs on a computer. It manages the computer’s memory and processes, as well as all of its software and hardware. It also allows you to communicate with the computer without knowing how to speak the computer’s language. Without an operating system, a computer is useless. The main task for an OS is to allow multiple different programs access to the computer’s central processing unit (CPU), memory, and storage. The operating system coordinates all of this to make sure each program gets what it needs.

Operating systems usually come pre-loaded on any computer you buy. This is the same for a ship’s computer.

Most people use the operating system that comes with their computer, but it’s possible to upgrade or even change operating systems. The three most popular and widely used operating systems for personal computers are Microsoft Windows, Mac OS X, and Linux. Modern operating systems use a graphical user interface or ‘GUI’. A GUI lets you use your mouse to click icons, buttons and menus. Everything is clearly displayed on the screen using a combination of graphics and text. Remember that your phone also uses an operating system, but mobile devices generally aren’t as fully featured as desktop and laptop computers and they aren’t able to run all of the same software. However, you can still do a lot of things with them, like watching movies, browsing the Web, managing your calendar, and playing games.

Cyber Operators Course (Op) – Module 9

Good cyber hygiene and training – Attitude towards Cyber

So why don’t some ships’ officers believe that hacking is possible?

They’ve spent years training and working up the ship’s hierarchy, gaining significant expertise. They are experts in their field and have dealt with some very difficult situations at sea. They have precise navigation skills, yet only in the last few years have digital controls and navigation systems entered shipping.

It’s not unreasonable for a Captain to assume that, if digital systems started failing, they could fall back to paper charts on the bridge, or manual use of fixed firefighting equipment, or the ‘hand pump’ on the steering motors. The problem is hacking doesn’t work like that.

A system may not simply ‘fail’; it may be manipulated or give no indication of failure.

Do all your fellow crew understand the reality of this? If not, do you need to report higher?

Good cyber hygiene and training – Knowing you’ve been hacked

A Ponemon data breach report in 2017 showed that it took US organisations an average of 206 days to detect a data breach. That’s a statistic from shore-based organisations, where OT and IT security personnel and expertise are usually readily available.

So how does a ship’s crew, where perhaps one person on the crew has a small amount of basic IT skill, detect a breach of a vessel?

If you don’t know, you can’t take action. At what point do you decide that the navigation systems are no longer trustworthy? Who makes that decision? The inexperienced third officer? Do they wake the captain?

Who decides to take the vessel out of track control mode? Remember, security isn’t binary – something is a bit odd, but all the digital systems seem to agree with each other. A security incident doesn’t have to involve alarming ransomware taking control of cargo management; it can be much more subtle than that.

Even with years of forensics experience, sometimes investigators struggle to determine the cause of an incident. I remember one case where a human hair in a switch port was causing public IP addresses to be spoofed on the internal network. We didn’t believe it either, until we removed the hair and replaced it several times, at which point the spoofing stopped and started consistently!

So you take action, you assess the incident and decide you need help. You pick up the satphone to HQ. The satphone isn’t working as it uses the same, vulnerable satellite terminal that the hacker exploited. What next?

Cyber Operators Course (Op) – Module 4

Harmful software and procedures to counter – Bots

A bot is a type of malware which allows an attacker to gain complete control over the affected computer. Computers that are infected with a ‘bot’ are generally referred to as ‘zombies’. There are literally tens of thousands of computers on the Internet which are infected with some type of ‘bot’ and whose owners don’t even realise it. A botnet is the network of computers that have been infected by particular bot software. The term ‘botnet’ is short for ‘robot network’.

Essentially, once you are infected, the bot or zombie looks to affect others.