The government has warned that poor cyber security of digital and communications technologies in cruise ships could render them vulnerable to physical damage, piracy, fraud, and ransomware.
Owners and operators of cruise ships must improve the cyber security of their ships’ digital systems to prevent physical attacks and loss of sensitive data.
In a research note published with the help of the Department for Transport and the Defence Science and Technology Laboratory, the London-based Institution of Engineering and Technology (IET) has warned that poor cyber security in cruise ships’ digital systems is rendering such vessels vulnerable to a variety of threats posed by hackers, including physical damage, loss of sensitive data, and fraud.
Cruise ships' increasing reliance on digital and communications technologies makes them more efficient but, at the same time, increases the importance of addressing inherent vulnerabilities.
Stronger cyber security practices will not only prevent financial losses but will also prevent hackers from accessing data on routes, cargo carried by ships, as well as sensitive data belonging to personnel and passengers.
‘The integrity and availability of such (digital) data are therefore critical for the safe and secure operation of the ship and its systems especially where systems are integrated into a system of systems each interdependent on the others for data acquisition, computational analysis or physical actuation.
‘Understanding these interdependencies and relationships between systems at a data or information level is essential in maintaining the integrity of the overall system of systems,’ the report said.
The IET suggests that ship operators must commission cyber security assessments to assess, prioritise, and mitigate the risks associated with the ships being assessed.
At the same time, developing a new Cyber Security Plan (CSP) will also help operators create restricted access areas, conduct background checks on employees, restrict usage of removable media and portable devices, and implement passwords on system consoles and displays.
Ship operators must also conduct regular reviews of their ships’ CSPs and update them to reflect any identified gaps, shortcomings or organizational changes, or changes which have arisen for political, economic, social, technological, legal or environmental reasons.
Fleets or individual ships should also have dedicated cyber security officers (CySOs) who will be responsible for physical, personnel and process security, ensuring the development, periodic review and maintenance of CSPs and implementing and exercising the CSPs.
The report also calls for setting up a Security Operations Centre (SOC), which will observe potential, emerging and actual threats to the ship’s operations, determine whether proactive measures are required to reduce the risk to an acceptable level, and identify suitable security controls.
Earlier this year, cyber security experts warned that the UK’s fleet of four Vanguard-class nuclear submarines could be vulnerable to cyber-attacks via malware injection during manufacturing, mid-life refurbishment or software updates and data transmission. They also warned that hackers could use weaponised underwater drones to conduct close proximity kinetic and cyber-attacks on ballistic missile submarines.
Senior Royal Navy officers and the Defence Secretary are also aware that, although Britain’s latest 65,000-tonne aircraft carrier, HMS Queen Elizabeth, cost £3.5bn to build, it seems that it could be as vulnerable to hackers as hundreds of NHS computers running the Windows XP operating system.