Blog: Maritime Cyber Security

Cyber threats to shipping explained

Andrew Tierney 18 Sep 2024

TL;DR

  • Modern vessels are becoming increasingly connected.
  • While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the Power Management System (PMS), leading to blackouts and associated loss of propulsion and steering.
  • Although manual recovery is possible, it can be time-consuming and challenging, especially during manoeuvring.
  • Securing these systems is a growing challenge, with current regulations not fully addressing cyber threats.

Introduction

The events in Baltimore earlier this year brought maritime cybersecurity into the spotlight. Initial outlandish claims asserted that the MV Dali was certainly hacked, whilst others made the equally incorrect claim that there was no possible way that any ship could be hacked.

Both sides demonstrate a lack of knowledge about how ships are architected and the degree to which they are connected.

Ships can be hacked. The impact of this is hugely variable, depending on the type of vessel and the attack that is carried out.

Container ships

A large container ship has one huge main engine for propulsion. For this main engine to run, it needs support by ancillaries, mainly pumps, which are powered by electricity. This is unlike many smaller engines, where pumps and cooling are run directly from the engine. The electricity that powers the ancillaries comes from generators, which must be running for the main engine to work.

The same is true of the steering. The rudder is moved using hydraulic rams, with the hydraulic system requiring electrical power. Without that power, the rudder cannot be moved.

It is possible for a ship to blackout, where the main power supply is no longer available, resulting in the main engine and steering stopping. This will result in loss of propulsion and loss of steering.

To reduce the risk of a vessel blacking out, multiple generators will be running when the vessel is manoeuvring. On most large container ships, there will be four generators. These can run together to provide redundancy.

These generators are controlled by a Power Management System (PMS), which will endeavour to keep the required number of generators running. The PMS is frequently connected to a wider network on the vessel called the Integrated Alarm and Monitoring System (IAMCS, but also IACS or IMCS or even just “automation”). IAMCS is used to control and monitor machinery from various Human Machine Interfaces (HMIs) across the vessel.

The degree to which the PMS can be controlled from the IAMCS is varied, and can range from simple commands through to significant reconfiguration.

On a container ship, the navigation and IAMCS are often two independent systems, but sometimes are network connected.

When a ship blacks out, an emergency generator should automatically start and power a small number of essential services. This includes the steering and enough ancillary equipment to start one of the larger generators. By regulation, this emergency generator has up to 45 seconds to start and provide power. Steering would be regained at this time, alongside generators starting. Once various pumps have started, the main engine can be used again.

45 seconds without steering or propulsion isn’t an issue if you are in the middle of the ocean. If you are coming alongside, or navigating between narrow bridge piers, it is far more of a problem.

On most container ships, the steering control systems are relatively basic. It can be controlled by an autopilot, or operate in several more manual modes. On every container ship we’ve examined in detail, it has been possible to fully disconnect the autopilot by using a physical switch located on the bridge.

If the control systems fail, it is always possible to fully manually override the steering. This cannot be done from the bridge, and would need several people to head to the stern of the vessel and make some changes to the steering gear. They would then act on instruction of the bridge over radio or phone. Getting from the accommodation to the stern could be 200 metres – not quick, particularly if it is pitch black as some or all lights are off as a result of the blackout.

For control of the propulsion, container ships still have a ship’s telegraph, with “full ahead” and so on. The control systems around these can be relatively complex. Most engines will have a range of speeds (“critical revs”) where you should not operate them to avoid resonances and severe vibration. iIn recent years, most ships will have a system to limit maximum power to reduce pollution. It is also possible to take manual control over the main engine, bypassing all but the necessary control systems.

This raises a hugely important concept – there is a human in the loop. There will be someone on the bridge who can easily take manual control over the steering and propulsion at any point in time. They can always look out of the window rather than relying on electronic navigation systems too.

The issue is one of time – taking manual control can be time and labour intensive

Starting a generator and connecting to the main bus is normally as simple as pressing a single button on a screen. How do you do this if the PMS is not operational? The complexity varies by vessel, but it could involve using controls local to the generator to start it, waiting for it to come up to speed, and then closing several circuit breakers. If you need to start a second generator, it is vital that this one is synchronised correctly with the other – a further complication. Manual management of the system will need to be performed as the load drawn by the ship varies. What would take 30 seconds normally can take several minutes and require several members of crew.

Although the emergency generator should start in 45 seconds, it is possible for it to fail. As with the main generators, this could need someone to attend the emergency generator room, start the engine, and connect it to the bus. This can easily turn 45 seconds in minutes.

The IAMCS allows an engineer to use a computer to control complex machinery all around the vessel from a computer screen. After a blackout, most of the ancillary systems should automatically come back online, allowing the main engine to be restarted. But what happens if this doesn’t work? Once again, someone may need to manually start pumps and move valves. This all takes time.

All of these failure modes are known. Each vessel will have Standard Operating Procedures to recover from these situations. Drills will be carried out periodically to ensure that everyone knows what to do.

How often do these events actually happen? Some ships could go years without blacking out, others can be troublesome and blackout every few weeks. The crew should take action to prevent blackouts reaching the point where they could impact safety.

The trigger for a blackout could be any number of things, ranging from bad fuel to the ship rolling and causing a loss of oil pressure. For this post, the trigger is not the important aspect – it is how it is handled.

So, in summary, container ships:

  • Can and do blackout, losing all electrical power.
  • Will lose all propulsion and steering when blacked out.
  • Steering should be available in 45 seconds.
  • Propulsion should be available shortly after.

Hacking ships?

As of yet, we haven’t considered a hacker trying to impact the vessel. Let’s look at each of the systems in turn.

Most container ships’ autopilots are relatively simple, but it is increasingly common to find that navigation systems have a network connection to allow updates. A hacker could impact the autopilot, causing the vessel to turn. In this situation, it would be possible to disconnect the autopilot and manually control the steering. The autopilot would not be in use when manoeuvring – someone will be on the helm.

Propulsion control is very rarely connected to a network. It is therefore highly unlikely that a hacker could take control of propulsion. If they could, it would be possible to manually override this, although it could take some time.

The PMS and IAMCS are frequently network connected. A hacker could impact the PMS, causing the vessel to blackout. Although it would be possible to recover from this situation, this may be challenging, particularly if the attacker has significantly altered how the system operates.

If significant parts of the IAMCS are impacted – such as “bricking” all the HMIs – then restarting systems on the vessel becomes more complex, so it takes longer still to recover.

We have yet to see an emergency generator with a network connection. It is very unlikely that a hacker could impact the emergency generator. That said, if an attacker has control over the PMS, there is potential for interactions with the emergency switchboard that could make recovery from a blackout more challenging.

Discovering which systems are connected and how would be extremely challenging without access to detailed documentation and to the vessel itself.

You may have heard of the Swiss cheese model used with risk. A series of layered, but imperfect, defences are represented by slices of Swiss cheese with holes in them. Most of the time, the holes are not aligned with each other, preventing an incident from occurring. But sometimes the holes align, leading to a failure.

The real world

I am firmly of the opinion that it is incredibly unlikely that someone could take full remote control of a container ship. Even if they had remote control, it is likely that this would be noticed and could be overridden by the crew.

However, I think it is entirely viable that an attacker could impact the PMS or IAMCS, leading to the vessel blacking out and the associated loss of steering and propulsion. It may be possible for an attacker to trigger repeated black outs which cannot be easily or quickly recovered from. It may also be possible to significantly increase crew workload by attacking other systems at the same time, such as stopping the IAMCS working. This would increase the chance that the attack is poorly handled by the crew, leading to significant impact. An attacker could certainly get into the position where they help align the holes in the cheese.

The outcome of prolonged blackout is largely unpredictable, but if triggered at the right time could result in a collision.

Cruise ships and DP vessels

There are other types of vessel that have more complex systems onboard. The two most notable are large cruise ships and dynamic positioning vessels.

Any large cruise ship built since 2010 must comply with a regulation called Safe Return to Port (SRtP). These mandate that a vessel should remain safe, even in the event of significant fire or flooding. From the perspective of vessel design, this has resulted in significantly more redundancy in engine room and bridge systems. However, most classification societies only require that the systems are restored within an hour and can require manual action by the crew. SRtP’s main concern is recovery from, not prevention of blackout.

There is no requirement to publicly report a blackout on a cruise vessel unless there is direct safety impact.

Cruise ships can and do blackout, and this often results in serious incidents:

2013 – Carnival Triumph (pre-SRtP) – an engine room fire resulted in a blackout with loss of steering and propulsion. In addition, the emergency generator also suffered mechanical failures, leaving the vessel on battery power several times. This event lasted for several days.

2019 – Viking Sky (post-SRtP) – one generator was out of service for maintenance, and during heavy weather, all three of the running generators shut down, resulting in prolonged blackout. The ship came perilously close to land, and a large number of passengers were evacuated by helicopter.

There are also dynamic positioning (DP) vessels, where the position of a vessel is automatically maintained using thrusters. This includes offshore support vessels – such as anchor handling tugs and subsea support – and even complete drilling platforms. Moving off station carries risk to life and the environment.

There are several classes of DP vessel, but these all require additional redundancy to reduce the chance of the vessel being unable to hold position. For the most part, the system should handle most failures automatically and remain safe. DP regulations mainly concern the prevention of blackout – a contrast to SRtP where recovery from blackout is the goal.

There are failures in DP vessels. An organisation, IMCA, handles reporting and analysis of these failures. There is much greater transparency in reporting blackouts in the DP industry as a result.

Some cruise ships are designed almost identically to DP vessels, although there are very few that fully comply with the regulations.

Many modern cruise and DP vessels are diesel-electric. Large generators generate electricity, which is then used to drive propulsion motors. Although the machinery and control systems on these vessels have significantly more redundancy than a container ship, this comes with increased levels of automation and increased complexity in control systems.

Under ideal conditions, the control of all propulsion and steering will use a simple interface – often just a joystick – that commands the many thrusters and other pieces of machinery in a coordinated way. There will also be manual control of each piece of equipment – but this can get complex very quickly. There can be the main propulsion and rudders (often independent), bow and stern thrusters, and podded propulsion all on the same vessel.

Whilst the design intent of the dynamic positioning console is that it can only monitor the PMS, the most common architecture uses a shared network with all other systems. As a result, an attacker has a single common network that they can attack, and could take full control over the vessel.

Manual control and isolation of the various components on a DP vessel would be significantly more challenging than on a containership. Whilst there will be manual controls for the main propulsion and various thrusters, holding position in even mild seas could be challenging.

On some of these systems, there is practically no network segmentation from any two components in the system. A compromised console in a HVAC room can connect to PLCs and other control systems across the vessel. Wiping the configuration of a PLC could cause connected machinery to become inoperable.

Vessels that comply with SRtP require a safety centre – a space that allows the management of emergency situations. From the safety centre, you must be able to control powered ventilation, watertight doors, CCTV, fire detection and fighting, and some machinery. On a large cruise ship, the only way to manage so much information is using a Safety Monitoring and Control System (SMCS). This “glues” together all these different systems, allowing them to be effectively handled. Control over the SMCS is highly likely to result in serious impact to vessel operations, particularly if the dynamic positioning system is not properly segmented from it.

We commonly find that DP systems and SMCS are significantly network connected. Mostly these are well designed dedicated gateways installed by the vendor for remote support. Sometimes, they are connected directly to the core network on the vessel, leaving the systems exposed to significant risk.

For DP vessels, a Failure Mode and Effects Analysis (FMEA) has to be carried out. This is a complex analysis that determines if the vessel has enough redundancy in the event of failure. They must also undergo periodic trials to ensure that the actual vessel behaves as the FMEA expects.

The FMEA examines common-mode failures, where systems fail for the same reason, and hidden failures, where a backup system fails without being noticed. But, as of 2024, the FMEA does not consider the impact that an active attacker could have on systems. But even with that in mind, we wouldn’t really expect an attacker to do anything that would be considered a “failure” – they’d likely be using the system as any normal member of crew would.

Conclusions

Modern ships are increasingly complex and connected. Without a good understanding of how their machinery and control systems are architected, it is difficult to understand how much risk they are exposed to, or how to secure them properly.

A significant proportion of large modern vessels have critical systems that are network connected. In many cases, people are not aware of these connections and do not understand how they are secured. Finding and understanding these connections can be challenging.

Seafarers do not receive any formal or mandatory training on the security of these systems. Frequently, there are no pathways for crew to report concerns around the security of third party systems connected to critical systems.

Regulations and standards do not factor in active attackers, largely focusing on conventional threats such mechanical and electrical failure and human factors.