Chris Adams, Head of Loss Prevention, Steamship Mutual, discussed how cyber risks affect navigational safety at the 2017 SAFETY4SEA Conference. Considering that the computerization of operating and control systems on vessels requires effective cyber security arrangements, it is vitally important to raise awareness of cyber security risks with personnel and to implement safe practices to avoid putting systems at risk. If however, navigational data should be compromised by a cyber event, traditional navigation skills should ensure that the ship is not placed at risk. Mr. Adams presented two case studies to question whether there is confidence that shipping assets are really protected.
My flight yesterday was delayed, as there was a fault with the aircraft which made it unsafe to go to Athens. I don’t know about you, but when men with toolboxes appear on an aircraft, I feel distinctly uncomfortable. Turned out, it was a computer issue. One of the flight computers was defected, but was easily resolved: They installed a new one and confidence solved. It was only a computer issue, what could possibly go wrong? After all, if a computer fails on a plane, surely pilots could rely on flying the machine.
Computerization and connectivity on ships is increasing all the time. But the level of control and automation of computers on ships has not reached the same levels as in the aviation industry. So, if computers on ships become unreliable, how great are the risks?
Cyber security is a very hot topic at the moment and it seems to be constantly on the headlines, we are all aware of it, we all fear of the day when we open our computers and see a message on the screen that says “Oil files have been encrypted. In order to reinstate those you need to pay a ransom.”
The issues that give rise to those risks are familiar. To counter those risks we build defenses. In medieval days, communities defended themselves by building castles. They were extremely difficult to attack and penetrate, but with a bit of lateral thinking, you can get round even the strongest defenses: The legend of the Trojan horse tells us that it is far more effective to work from the inside.
So, in the cyber context, the firewalls, the anti-virus software, are all the electronic version of a castle. But if you are to attack, it is easier to manipulate those on the inside to do work for you, using legitimate credentials. That is where social engineering fits in and where we see that the vulnerable human, as always, is the weak link.
It is dramatic to think of a hooded hacker seizing control of a ship somewhere and steering this ship to disaster with the crew powerless to intervene. But this is an over-dramatization. The cyber threat to ships exists at a much more mundane level and it is similar to the threats that exist in any organization ashore.
As human is the weakest link, it is vitally important to raise cyber security awareness, to train with your personnel in cyber security issues and have robust procedures in place.
Conventional wisdom has it that if a ship’s system becomes compromised, you have watchkeepers in place who will note when data becomes unreliable and they will then apply traditional navigational skills to avert disaster. Over-confident about that. Can we sleep easy, knowing that valuable assets represented by the ships, the cargoes they carry, the personnel onboard, are adequately safeguarded by those to whom we entrust the safe navigation?
Rickmers Dubai, in January 2014, was involved in a collision with a small tug “Kingston” and its tow, which was an unmanned crane barge, called “The Walk on Wizard”. The collision happened in Dover strait, and both vessels were in the south westbound traffic lane of the traffic separation scheme.
It was a typical January night in the English Channel. There was 5-6 force southwesterly wind, the sea state was moderate to tough, but visibility was good. It was the 0.00-4.00 am watch, the Rickmers Dubai was bound from Hamburg to Genoa. She was making a course over the ground of 233 at 15,4 knots. The officer of the watch was a 2nd officer, experienced and qualified for a number of years, and this was his second trip on the vessel.
The vessel was well-manned and she had onboard a bosun and four ABs and that meant there was an abled-body seaman to act as a dedicated look-out.
But at the time of this incident, the AB, who was destined to be in the wheelhouse during this watch was down below carrying safety rounds.
The vessel was using ECDIS as a primary means of navigation, but she also had an expand radar with R- fitted that was in use.
The Kingston was bound from Ipswich to Southampton, and she was making good a course of 237. She was being overtaken by Rickmers Dubai, as she was doing only 6 knots, she has a tow that was 250 meters astern of her and both the tow and the tug were lit. But significantly, the tug was not transmitting information on AIS, she was not over-sized in order to have an AIS transmitter mandatory.
There was absence of this important information; the channel navigation information service (CNIS), which looks after this particular area of the channel, was issuing a safety broadcast to mariners, at regular intercourse, to warn of the presence of tows and it had issued a broadcast at 23.40 and another at 00.40. There was due to be another one, at 01.40, but that was not made because of pressure of other work on the watch manager. There was no evidence that any of those broadcasts were heard by the watchkeeper on the Rickmers Dubai.
In the findings of MAIB, the 2nd Officer was found to be relying entirely on the ECDIS, but because there was no AIS transmission from the tug, the tug effectively was invisible on the ECDIS screen. She was not invisible on the radar, but it is clear that the radar was not used as an aid to an effective look-out.
The inquiry also found there was a low state of arousal of the 2nd officer. He was alone on the bridge and music was heard on the background, a very relaxing atmosphere not consistent with the level off traffic in the environment.
Although it was not causative of the collision -and this is relevant to the issue of cyber security- on the forensic examination of the USB dongle to the VDR, it was found that a movie had been deleted from that, so that piece of equipment was obviously being used for inappropriate things.
The 2nd officer first saw the lights of the tug when it was very close and fine on his bulb-bow. On that point the tow was just off the bulb-bow, he did not see the turn. He decided that he was going to watercourse at port, in order to pass the tug down its portside, completely unaware that he was overtaking a towing vessel.
The Rickmers Dubai then contacted the crane barge, fouled the tugs tow line, the lead of that changed rapidly from a stern to ahead and the tug was towed backwards at over 14 knots, with its towing deck submerged. Unfortunately, the hydrolics failed, the break failed and the line rendered, but was extremely fortunate that no one was killed.
Second incident is about a carrier, the Victoria that grounded in Kattegat in September 2015. She was not taking a pilot, even though this is difficult passage. The officer of the watch was the Chief officer. At the time of the incident, 6.15 pm, the ship had a speed of 12.2 knots. The weather conditions were ok, with moderate sea conditions and moderate wind. She was on manual steering, so the guy who was dedicated to act as a look-out was actually on the wheels, so the ship had no dedicated lookout.
The attention of the Chief Officer was distracted by the fact that he was trying to also supervise the crew who were plying ceiling foam to the vessel’s hatches on deck.
So, although the course set required was 340 over required to achieve that a course of 335 on the compass had been set to allow for set. But, actually, if you look at the AOS records, the ship was making good 353 T on average.
Also, during the Chief Officer’s watch, the third officer relieved him for a meal break for about 20 minutes. But despite there being a 2nd watchkeeping officer involved, for a period of almost 2 hours between 4.25-6.15 pm, the ship’s position was not verified, the course steer was not checked and no navigational marks were sighted.
Except from being distracted, the Chief officer was also fatigued because of the loading operations at the load port, but the effect of all of this was the vessel ran aground at over 12 knots on a rocky shoal that was clearly marked on the chart.
What I would like you to do now is to consider some cyber event that occurs to a ship that has the effect of making some AIS information invisible: It introduces a GPS error that puts the ship in a position that is consistently west of its true position. We have seen in the news, relatively recently, an incidence of GPS spoofing in the Black Sea, where GPS signals were incorrect- it is not impossible.
Something else that introduces an error between the gyrocompass and the autopilot that actually puts the ship on a track that is 13 degrees east of that which is been set. Are we confident that a watchkeeper is going to detect those errors? Both of the above incidents are identical to that.