What Do You Do if a Hacker Takes Control of Your Ship?
NTNU is training mariners on how to respond to a cyberattack in progress
[By Eli Anne Tvergrov]
You stand on the bridge and the course is seen digitally. Still, why does the ship continue to turn west?
On the computer screens in the dark wheelhouse, everything looks normal – but outside the window, the land comes dangerously close! What is happening?
Down in the engine room, they report via radio that everything is normal, but they wonder why the bridge has changed course? The engines rev and the ship picks up speed. It is not the engineer who has done this. What now?
Cyber ??security is a hot topic for the entire maritime industry, and also in academia. A joint team recently conducted a completely new cyber security course at NTNU in Ålesund.
Probably the first of its kind
NTNU in Ålesund, through its industry program for the maritime industry, has this year offered the new course “Maritime digital security.”
Over two months, the course participants have looked at the digital threat image. They have risk assessed current digital threats and realistically practiced a cyber attack on a ship under sail. The key focus is on risk management of cyber attacks and building resilience.
“Where there is information technology and people, there is room for digital vulnerability. Breaches of security can come in the ship’s systems and they can come in the port system and through the people who operate or supervise them,” Marie Haugli-Sandvik and Erlend Erstad explain.
Both are doctoral fellows at the Department of Ocean Operations and Civil Engineering at NTNU. They are researching how the maritime industry can be better equipped for handling cyber attacks.
The scholarship recipients have developed and now run the maritime digital security course, probably the first of its kind in Norway.
The course is included as part of the doctoral theses they are about to complete.
International requirements
The Norwegian Maritime Directorate and the Norwegian Coastal Administration have a strategic goal that seafarers and personnel must be offered essential digital security skills. The starting point is international requirements given by the IMO (International Maritime Organization).
The international industry associations and shipping organizations therefore focus on this topic. Within the basic requirements for shipping, there will soon be even stricter minimum requirements for cyber security. Stricter requirements for training, practice and training will all come next year.
Developed together with the industry
“The course we have developed has come about in close collaboration with industry. We have listened to what they want, looked objectively at their needs, and then tested the best solution we can come up with,” explains Erlend Erstad.
Fellows Marie Haugli-Sandvik and Erlend Erstad are researching and have built up a maritime digital security course in parallel. This is probably the first of its kind in this country. The course has been carried out as a result of NTNU’s collaboration with the maritime industry and other universities and colleges. Photo: Eli Anne Tvergrov, NTNU
“It is always better to have a broad perspective and several angles in new projects and methods. Established businesses can also benefit from fresh eyes. NTNU is a good and reasonable arena for trying out new ideas. As researchers, we can help meet the industry’s urgent needs and at the same time have a good dialogue about solutions for the future,” says Marie Haugli-Sandvik.
Not enough training in cyber security
Haugli-Sandvik conducted a survey this winter among 293 sailing deck officers from 11 major offshore shipowners in Norway.
83% of these answered that they had taken part in some form of cyber security training. 15% answered that they had never received training. 2% did not know if they had had training.
“82% of the sailing deck officers answered that they had received the training as e-learning and/or that they had participated in digital safety campaigns sent by their employer,” she says.
To a large extent, it was the employers who had been responsible for the training in the form of courses. This shows that the industry wants to take responsibility, Haugli Sandvik believes. But there are many standardized and general IT security courses.
“To a small extent, they had received training that was directly maritime operationally oriented and/or adapted,” says Haugli-Sandvik.
This is shown in the fact that 66% of the deck officers surveyed say that they are unsure or unsure that they have enough training to handle a cyber incident on board.
Challenges from Risk Report 2022
The Norwegian Maritime Directorate and the Norwegian Coastal Administration point to several challenges in the Report on strategy for maritime digital security 2020.
In the 2022 Risk Report, the National Insurance Agency (NSM) points to a threefold increase in the number of serious incidents and cyber operations from 2019 to 2021. The corresponding report for 2023 addresses, among other things, that there are many vulnerabilities in unclear supply chains and that with more unpredictability one must have better preparedness.
Digitization in the maritime industry takes place both in traditional systems for information technology (IT systems) and in operational technology in systems for automation, propulsion, management and other control systems. The more use of remote connection, integration and digitization in the operational technology, the more vulnerable the operation can be.
At the same time, the lifetime of larger ships is generally between 25 and 35 years, and digital upgrades in the entire international fleet usually happen gradually and over time. There is great variation in computer equipment on board both for administrative functions and control systems.
The situation can be transferred to much of what also happens in ports, where more and more operations are being automated. Within port traffic, incidents have been uncovered that show attacks on IT and administrative systems. These lead to business interruptions, information theft and manipulation linked to the smuggling of goods.
Big consequences
Digital IT events have consequences for ship operations. They are rolling out admisnistrative systems for loading papers, passenger lists, digital certificates and sealing permits and the like. Operatiosdns are delayed or impeded.
Large financial consequences accompany a loss of reputation for exposed players. If the ship goes aground, there is talk of major environmental disasters.
The National Insurance Agency (NSM) points out that the activity in the cyber domain can be so advanced that we do not register it, and covert activity can remain hidden for a long time. How should crew on board react to uncover hidden threats?
How can the crew on board make the right assessments in advance or make the concrete decisions in the window of time a few minutes before a ship runs aground?
It is important to acquire knowledge, prevent and practice this that can happen.
Is the ship capsizing? Captain Odd Sveinung Hareide makes contact with the engine room. Photo: Eli Anne Tvergrov, NTNU.
The officers of the deck and cyber security
Scholarship holder Marie Haugli-Sandvik looks in her doctoral work at how deck officers experience cyber risk at sea.
“My project is part of the work in one of NTNU’s 12 centers for research-driven innovation. This centre, SFI MOVE (Marine Operations in Virtual Environments), works with how future maritime operations may look through the use of digital twins, machine learning and control centers on land,” she says. “I am researching how targeted guidelines, training and risk communication can be developed within maritime cyber security. I am also investigating what tools we should develop to handle new cyber risks we have acquired at sea.”
“My project is within maritime cyber resilience,” says Erlend Erstad. “I look at how navigators can best be resistant, prepare themselves against, and overcome, cyber attacks against integrated navigation systems on board the ship.”
Maritime Cyber ??Resilience (MarCy)
The research project is a collaboration between NTNU, Forsvarets høgskole (FHS) with the Naval Academy (SKSK) and the Cyber ??Engineering School (CiS), Kongsberg Defense and Aerospace (KDA), Norwegian Hull Club (NHC) and DNV.
Under the name MarCy (Maritime Cyber ??Resilience), this is financed through the Research Council of Norway and the industrial partners who participated.
Erstad tells about mutual benefit through the good contact with researchers at the Cyber ??SHIP lab at the University of Plymouth in England. There they also research maritime cyber security.
To practice realistic actions and situations in a safe environment, they have opened a larger Cyber ??Range, especially developed for the maritime sector. The arena enables practitioners and researchers to uncover vulnerabilities in maritime navigation and control systems for ships.
Fellow Erlend Erstad together with helper Einar Johan Lukkassen from NTNU evaluates the response from the bridge. Fellow Marie Haugli-Sandvik, together with other participants and observers, prepares for the game to continue. Photo: Eli Anne Tvergrov, NTNU
Simulated event
For the larger exercise in the course, they used the ship simulators at NTNU in Ålesund. They are also unique in their design when it comes to realism. The participants took their seats in ship simulators, designed like a ship’s bridge as on a larger ship under way in the North Sea.
While half the group was in the ship simulators, the others had desk exercises before joint reflection, review and summarization. Many learning points were taken out. Photo: Eli Anne Tvergrov, NTNU
“We put the simulator scenario close to what actually happens on a ship, as well as to what happens in the communication between the ship and the land side. But even though the scenario used full-scale maritime noise simulators, the focus was mostly on getting a good discussion going,” explains Erstad.
The exercise also included participants from DNV, Norwegian Hull Club, NORMA Cyber, Solstad, public bodies such as the Coastal Administration and Høgskolen i Innlandet, as well as from the University of Plymouth. These were invited in as observers and as resource persons in the simulation.
“We get the most learning from the dialogue between the actors in the rehearsal and in the review afterwards, not least because you can then see what was practiced and the event itself from another’s point of view,” says Erstad.
Strengthen those who can handle the situation
Professor Kevin Jones heads the Maritime Cyber ??Threats Research Group and Cyber ??SHIP lab at the University of Plymouth. He refers to the enormous values ??that are at stake in the global economy and trade.
“When the large container ship ‘Ever Given’ ran aground in the Suez Canal, the cause was pointed to the weather and wind. Although this was not a cyber attack, the incident illustrates the consequences that affect a vulnerable global system,” says Jones.
Soon 90 percent of world trade takes place in transport over seas through maritime supply chains. It is realistic that a similar incident could occur due to digital vulnerabilities, and after unauthorized access to computers and control systems.
“The weak link is the human being, and it is this link that must be strengthened. Humans are the resource on board that can handle such a situation!” says Jones.
Adapt skills development
The exercises and the specific course with the participants, helpers and observers have strengthened the two scholarship recipients’ view that it is important to adapt competence development.
The probably unique course in the Norwegian context at NTNU in Ålesund has a clear practical approach to risk management in a digital perspective. This is also included as part of the master’s in operational maritime management.
“It is important that businesses in the maritime sector familiarize themselves with their values, the digital threats and vulnerabilities they have. The managers must know their employees who will handle the digital threats, and understand the competence needs they have in digital security,” he says.
The next course in Maritime Digital Security is planned for autumn this year. The offer will then be tailored to an even greater extent for managers, middle managers, operational (sailing) and administrative personnel in the maritime sector, but will also be very useful for other industries.
Safety advice at sea
The maritime industry must raise awareness of what one risks by not preventing. Here is some general advice:
Checklist at individual level on board:
- Install security updates as soon as they come and automatically as much as possible.
- Do not assign administrator rights to end users.
- Do not allow the use of weak passwords. Introduce, where possible, that users prove their identity through multi-stage security and approval procedures (multi-factor authentication).
- Phase out older ICT products.
- Do not allow anything other than software that has been approved by the company or unit supplier.
Checklist at system level on board and ashore:
- Introduce a system for authentication and authorization of users to the necessary information.
- Introduce protection of all data at the right level based on the sensitivity of the information.
- Introduce controlled access for IT users on board and ashore, so that each individual only has access and rights to the information for which they are authorized.
- Introduce controlled communication between ship and shore with safety in focus.
- Introduce a response plan for cyber incidents based on thorough risk assessments.