While cybersecurity is getting more complicated across the board, the challenges that the maritime industry faces are especially unique. Cruise ships require persistent connectivity for recreation, financial transaction processing, health care operations, customer data, and ICS control systems for navigation — all compelling targets for cyber-attacks. Vessels’ reliance on third parties for support only increases the risk of breaches.
Nevertheless, most cruise lines are short on technical capability, and have little or no cybersecurity budget, let alone the organic human capital.
This was certainly the case for the cruise line that Moran Cyber was called in to support. The shipboard network, which controls critical maritime systems such as fuel, propulsion, and navigation, was complex and poorly architected.
“Our audit firm looked at the flat, Layer 2 shipboard network and proclaimed it a security risk for our maritime systems,” explained Alex Soukhanov, Director of Moran Cyber. “There was no segmentation of the individual control systems. A vendor for our propulsion systems could also see what was happening with our navigation systems. Obviously, this is an unacceptable risk in today’s cyber threat environment.”
In addition to the lack of segmentation and un- restricted access for third-party vendors, network congestion was causing downtime issues and legacy systems had no inherent security. It was no wonder that the vessels failed an internal security audit.
But the audit’s recommendation that they dry dock all of the ships for three to four weeks for a complete networking overhaul, including millions of dollars’ worth of upgrades per ship, wasn’t a realistic option. “There is too much revenue at stake even with a small amount of downtime,” said Alex. “Plus, the cost of new networking hardware and software was prohibitive, and we didn’t have — and couldn’t hire — the staff to support hundreds of new firewalls.”