Maritime and port cybersecurity.

Since February, several media outlets—both newspapers and television—have raised concerns about the Week Number Rollover scheduled for April 6, 2019. With alarmist headlines, some even suggest you might need to pull out your paper charts again. So who should we believe? What are the real implications for maritime information systems?

On April 10, 2018, the U.S. Department of Homeland Security, and more specifically CERT-ICS, published a memorandum aimed at users of the GNSS (Global Navigation Satellite System), particularly GPS (Global Positioning System).

This fairly comprehensive and candid article on the U.S. Navy’s cybersecurity priorities deserved a brief analysis.

The U.S. Navy acknowledges—although this was already known—that it has been the target of cyberattacks on several occasions, with varying degrees of severity and impact. On January 7, 2019, the Naval Air Systems Command announced new research efforts across no fewer than 36 domains, ranging from artificial intelligence to resilience, as well as endpoint and server security.

This video was recorded during the well-known hack.lu 2018 conference in Luxembourg. In the first part, Stephan Gerling presents his view of maritime information systems and briefly discusses services such as GPS and AIS. He then focuses on ship-to-shore connectivity, particularly satellite communications.

He goes on to demonstrate design vulnerabilities in the control interface of a “naval” router. The management interface connects to the router via FTP, and the credentials and passwords are stored in clear text, making it easy to retrieve the WLAN credentials of the system.

There are many recommendation guides for implementing cybersecurity measures in the maritime sector. Perhaps too many, and of uneven quality, which can sometimes make things difficult to navigate (put yourself in the shoes of the seafarer or the shipowner who must understand and apply them).

Among these guides, one nevertheless stands out as a reference, both because of the number of associations and major industry stakeholders involved in its development (21 in total) and because it addresses the maritime world in its own terms, adapting cyber threats to the specific characteristics of this sector. This guide, “The Guidelines on Cyber Security Onboard Ships,” has just been released in its third edition.

The new generation of “superyachts” is booming (even if I do not personally own one), and unsurprisingly they are not escaping the broader digital transformation of the maritime sector. With the financial resources typical of the ultra-luxury market, there are effectively very few limits to the technologies installed on board.

High-bandwidth multi-operator satellite connections, GSM and 4G relays (and beyond), Wi-Fi networks, full-coverage onboard video surveillance, highly sophisticated entertainment systems, alarm systems, state-of-the-art bridge and engine systems, and extensive automation: these vessels are not designed solely for leisure. Many owners and charterers effectively relocate part of their business operations to the yacht. In that sense, the yacht should be viewed as an extension of the company itself—yet often a far more vulnerable one. It may lack many of the cybersecurity safeguards present in corporate environments, and the specific constraints of the maritime environment are sometimes poorly understood by corporate CISOs.

Following several questions from readers, for those who still rely on RSS and want to stay informed about (hopefully unbiased, and vendor-neutral) maritime cybersecurity news, you can follow the site’s updates through the following RSS feed:

https://maritimeinfosec.org/index.xml

I am also present on social networks (LinkedIn, Mastodon, Bluesky).

Enjoy the reading, and thank you for your interest and continued support.

Olivier