By Tom MacDonald, Senior Security Consultant at Nettitude
Are ships as remotely isolated as often thought? While the answer to this question varies in complexity depending on marine sub-sector, for the cruise industry the era of remote isolation has long since passed, making cyber security a crucial concern. What are the primary cyber threats facing today’s cruise ship operators, and what are the industry best practices for mitigating them?
Context: Nettitude’s Experience
Nettitude have recently completed a variety of cyber engagements for our marine and offshore (M&O) clients, encompassing ISO 27001 assessments and incident response services through to penetration tests and threat intelligence-led red teaming.
As a result of these engagements, we feel well placed to offer guidance on how marine and offshore companies can improve the cyber security practices within their organisations – implementing change at the strategic level to set the conditions for future success, whilst also incorporating some quick wins at the operational and tactical level of marine operations. This article will focus on the cruise sub-sector of the M&O space, highlighting some of the challenges this industry faces, but also showing where industry-specific factors can be used to improve security posture.
Nettitude have been carrying out full-spectrum cyber assurance for over 15 years, and firmly believe that an isolationist approach to cyber security is unlikely to result in success. It is critical to consider an approach that comprises changes to people, process and technology within the business. Challenges in one area of the triad can be mitigated with strengths and successes in others. Demonstrating the real-world impact that discovered vulnerabilities have on your ships’ systems provides a much deeper and more meaningful assessment than a simple list of technical issues.
Cruise Ship Cyber Security Challenges
The cruise sector has a variety of specific and complex challenges for designing and implementing an effective cyber strategy. Firstly, with such large vessels carrying over 5000 passengers and being constantly deployed, the scope for patching windows, service outages or periods of upgrades can be extremely limited due to the tight economics of having the vessel underutilised. Additional complexity is introduced when consideration is given to the vast array of systems involved in providing all the facilities and attractions that modern passengers expect – audiovisual systems and stage management systems are often as complex as those found in West End or Broadway theatres, and specialist knowledge can be extremely difficult to locate within the available pool of crew.
OT within the cruise industry can be unparalleled in scale and complexity, with detailed troubleshooting knowledge often limited even amongst senior crew. Given the requirement for absolute reliability of secondary / tertiary systems, it can be extremely common for OEMs to have direct access to the systems from the vendor headquarters. These connections are often insecure by nature, opening the vessel to significant risk through a supply chain attack. Attacks of this nature have become more common as attackers realise that an easier way to their target can be through a trusted third-party company.
Additionally, OT often has a significantly longer design life than IT on a modern liner and is not as easy to upgrade without extended periods of downtime and sea trials. During a recent engagement, Nettitude carried out an assessment of various OT systems utilised within the industry and found multiple critical vulnerabilities within five days that were responsibly disclosed to the manufacturer. Some of these vulnerabilities caused irreversible hardware failure and malfunction from simple network scanning techniques as well as more advanced issues.
So, what are Nettitude’s recommendations for cruise operators to answer these challenges?
1. Governance, oversight and communications
Inter-team communication between network operations, security operations and OT vendors is essential to ensure that OT does not lead to increased physical risk. Whilst it may sound initially trivial and unimportant, Nettitude have carried out red teaming engagements where it was evident that the network operations and security teams were located on different floors of a building – resulting in severely degraded communications at times of crisis and during incident response. By moving physical location so that all interested parties were closer together and using modern collaborative technology, the mean time to detection (MTD) of abnormal activity dropped sharply. This is just one aspect where the people and process aspects of security can combine to great effect.
2. 24x7 continuous activity
The cruise sector can benefit from some real economies of scale to secure their assets. The entire supporting organisation and business processes of cruise liners are accustomed to 24/7 activity and adopting the ‘follow the sun’ nature of global business operations. This is critical from a people and process perspective, as attackers are rarely in the same time zone as the network defenders and have little respect for the target organisation’s normal working hours. Nettitude’s red team have also used this technique to demonstrate risk to our clients, taking advantage of a weaker Security Operations Centre that operated during night hours to obtain access to defined asset objectives. Cruise liner operating companies are likely to already have a culture that lends itself to differing nations and outsourcers working together to ensure constant availability of logistics, safety and navigation.
3. Clear Roles and Responsibilities
The scale of owner companies can also allow for dedicated staff to be assigned solely to fleet security duties; dockside, at headquarters, as well as onboard as part of monitoring the shipboard assets. It is extremely likely that workstations and servers are already being monitored for service availability by systems administrators, reducing the effort required for a security administrator to gain visibility of network activity aboard the ship. Larger ships are more easily able to add a team of security administrators to the already sizeable crew. A sensible strategy could be to have an ongoing programme of secondment from the shoreside IT / OT team onto a vessel for a short period. This would hugely improve inter-team relationships as well as highlight the constraints and frustrations that each team continually operates within. The end state is increased communication and a greater willingness to appreciate the balance required between security and usability.
Overall, businesses in the M&O space are an attractive target to attackers, and the cruise industry is no exception. However, by implementing sector-specific modern enterprise IT practices around people, processes and technology, implementing a cyber security strategy, and carrying out cyber hygiene, it is possible to drastically reduce the likelihood and severity of a compromise.
To learn more about the developing cyberthreats that are affecting both the cruise and superyacht industries, take a look at our full research report here.
In addition, for more details on bespoke M&O security assurance and consultative services, please get in touch with Nettitude directly at firstname.lastname@example.org.