THIS ARTICLE/PRESS RELEASE IS PAID FOR AND PRESENTED BY NTNU Norwegian University of Science and Technology - read more

The ship is not behaving as it should. What's up? Captain Odd Sveinung Hareide explains to the others on the bridge what he has done, what he is prioritising right now, and the next move.

What do you do if a hacker takes over your ship?

The risk of cyber attacks against a ship is real. The working crew on board must be allowed to practice handling these risks in a realistic way. Now they can.

Communications Adviser
Presented by: NTNU - Norwegian University of Science and Technology

You’re on the bridge, with the ship’s course shown on the digital display. But why is the ship continuing to turn west?

Everything looks normal on the computer screens in the dark wheelhouse — but outside, the land is dangerously close. What’s going on?

Down in the engine room, workers report via radio that everything is normal, but they wonder why the bridge has changed course. The engines are revving and the ship is picking up speed.

The engine room hasn’t done this. What now?

Cybersecurity is a hot topic for the entire maritime industry, as well as in academia. A joint team recently conducted a completely new cyber security course at NTNU in Ålesund, Western Norway.

From left: Arnt Myrheim Holm and Marie Haugli-Sandvik are working on the last few preparations before the training starts in the ship simulators.

Probably the first of its kind

Over two months, course participants have looked at digital threats. They have assessed the risk of existing digital threats and realistically practiced a cyber attack on a ship under way.

The key focus is on risk management of cyber attacks and building resilience.

Marie Haugli-Sandvik and Erlend Erstad explain that where information technology and people meet, there is room for digital vulnerability. Security breaches can come in through the ship’s systems, through the port system, and through the people who operate or supervise them.

Both are PhD candidates at NTNU. They are studying how the maritime industry can become better equipped to handle cyber attacks.

They have developed and now run the maritime digital security course, which appears to be the first of its kind in Norway.

International requirements

  • The Norwegian Maritime Directorate and the Norwegian Coastal Administration have a strategic goal that seafarers and personnel be offered essential digital security skills. The starting point is international requirements from the IMO (International Maritime Organization).
  • The international industry associations and shipping organisations therefore focus on this topic.
  • Within the basic requirements for shipping, there will soon be even stricter minimum requirements for cyber security. Stricter requirements for training, practice and training will all come next year.

Developed with the industry

“We developed this course in close collaboration with the industry,” Erstad says. “We have listened to what they want, looked objectively at their needs, and then tested the best solution we can come up with.”

“It’s always better to have a broad perspective and different approaches with new projects and methods. Established businesses can also benefit from a fresh look. NTNU is a good place to try out new ideas. As researchers, we can help meet the industry’s urgent needs while at the same time discussing solutions with them for the future,” Haugli-Sandvik says.

PhD candidates Marie Haugli-Sandvik and Erlend Erstad are studying maritime digital security and have developed a course together, thought to be the first of its kind in Norway.

Not enough training in cyber security

Haugli-Sandvik conducted a survey this winter among 293 deck officers from 11 major offshore shipowners in Norway.

  • 83 per cent said that they had taken part in some form of cyber security training.
  • 15 per cent answered that they had never received training.
  • 2 per cent didn’t know if they had had training.

“82 per cent of the deck officers said that they had received the training as e-learning and/or that they had participated in digital safety campaigns sent by their employer,” she says.

To a large extent, employers were responsible for this training, in the form of courses. This demonstrates that the industry wants to take responsibility, Haugli-Sandvik believes.

But there are many standardised and general IT security courses.

“Most of the training wasn’t directly operationally oriented and/or adapted to the maritime industry,” Haugli-Sandvik says.

This is illustrated by the fact that 66 per cent of the surveyed deck officers said that they were uncertain or disagreed that they had enough training to handle a cyber incident on board.

Major consequences

Digital IT events can have consequences for ship operations. They can affect administrative systems for ship manifests, passenger lists, digital certificates and sailing licenses and the like. This can delay or impede operations.

Companies that are exposed to these problems can experience significant financial consequences and damage to their reputation.

The Norwegian National Security Authority (NSM) points out that activity in the cyber world can be so advanced that we don’t actually notice it, and covert activity can remain hidden for a long time. How should crew on board react to discover hidden threats?

How can the crew on board make the right assessments in advance or make concrete decisions in the brief window of time a few minutes before a ship runs aground?

Knowing what to do, both to prevent this from happening, and to practice what to do if it does, is critical for the industry.

Is the ship capsizing? Captain Odd Sveinung Hareide makes contact with the engine room.

Deck officers and cyber security

Haugli-Sandvik’s research looks at how deck officers experience cyber risk at sea.

Her project is part of the work of NTNU's SFI MOVE centre (Marine Operations in Virtual Environments). They work on how future maritime operations may look. They do this through the use of digital twins, machine learning, and control centres on land.

“I’m studying how targeted guidelines, training and risk communication can be developed for maritime cyber security. I am also investigating what tools we should develop to handle new cyber risks we may experience at sea,” she says.

To be resilient

Erstad, on the other hand, is looking at cyber resilience at sea.

“I’m looking at the best way that navigators can be resistant to, prepare themselves for, and overcome, cyber attacks against the integrated navigation systems on board the ship,” he says.

Erstad says the researchers have benefitted from working with researchers at the Cyber SHIP lab at the University of Plymouth in England, which also works with maritime cyber security.

To practice realistic actions and situations in a safe environment, NTNU has opened a Cyber Range. It has been developed specifically for the maritime sector.

The Cyber Range enables practitioners and researchers to uncover vulnerabilities in maritime navigation and control systems for ships.

Erlend Erstad and Einar Johan Lukkassen from NTNU evaluate the response from the bridge. Marie Haugli-Sandvik and the other participants and observers, prepare for the exercise to continue.

Simulated event

The larger course exercise relied on ship simulators at NTNU in Ålesund. These simulators are also unique in their design when it comes to realism. The participants took their seats in ship simulators, designed like a bridge on a larger ship underway in the North Sea.

“We made the simulated scenario close to what actually happens on a ship, as well as to what happens in the communication between the ship and on land. But even though the scenario uses full-scale maritime bridge simulators, the focus was mostly on getting a good discussion going,” Erstad says.

The exercise also included participants from DNV, Norwegian Hull Club, NORMA Cyber, Solstad, public institutions such as the Norwegian Coastal Administration and the Inland Norway University of Applied Science, as well as from the University of Plymouth. They were invited in as observers and as resource persons in the simulation.

“We learn the most from the dialogue between the participants in the rehearsal and in the review afterwards, not least because you can then see what was practiced and the event itself from another point of view,” Erstad says.

Whilst half the group worked in the ship simulators, the others worked on desk exercises before they met to reflection, review and summarise what they had learned.

Strengthening the weak link

Professor Kevin Jones at the University of Plymouth points out that a cyber attack can pose huge problems for the global economy and trade.

“When the large container ship Ever Given ran aground in the Suez Canal, weather and wind were blamed as the cause. Although this was not a cyber attack, the incident illustrates the consequences that can affect a vulnerable global system,” Jones says.

90 per cent of world trade is predicted to be linked to maritime transport, through maritime supply chains. It’s entirely believable that a similar incident could occur due to digital vulnerabilities, as a result of unauthorised access to computers and control systems.

“The weak link is the human being, and we have to strengthen this link. Humans are the resource on board that can handle such a situation,” Jones says.

“There’s a lot at stake here. The weak link is the human being and we have to strengthen this link. Humans are the resource on board that can handle such a situation,” Professor Kevin Jones says.

Adapted skills development

The exercises and the specific course with the participants, helpers and observers have strengthened the two researchers’ view that it is important to adapt skills development to the precise circumstances at hand.

The course offers a clear practical approach to risk management in a digital perspective. This is also included as part of NTNU’s master’s programme in operational maritime management.

“It is important that businesses in the maritime sector familiarise themselves with their values, the digital threats and vulnerabilities they have. Managers need to know their employees will be able to handle the digital threats, and understand the needs they have for skills in working with digital security,” Jones says.

Cyber safety at sea

The maritime industry must raise awareness of what's at risk by not preventing cyber attacks. Here is some general advice:

Checklist at individual level on board:

  • Install security updates as soon as they come and automatically as much as possible.
  • Do not assign administrator rights to end users.
  • Do not allow the use of weak passwords. Introduce, where possible, that users document their identity through multi-stage security and approval procedures (multi-factor authentication).
  • Phase out older ICT products.
  • Do not allow anything other than software that has been approved by the company or unit supplier.

Checklist at system level on board and ashore:

  • Introduce a system for authentication and authorisation for users of necessary information.
  • Introduce protection of all data at the appropriate level, based on the sensitivity of the information.
  • Introduce controlled access for IT users on board and ashore, so that each individual only has access and rights to the information for which they are authorised.
  • Introduce controlled communication between ship and shore, with safety in focus.
  • Introduce a response plan for cyber incidents based on thorough risk assessments.

Reference:

Erstad et al. A human-centred design approach for the development and conducting of maritime cyber resilience training, WMU Journal of Maritime Affairs, 2023. DOI: 10.1007/s13437-023-00304-7

Challenges identified by the Norwegian National Security Authority's Risk Report 2022

  • The Norwegian Maritime Directorate and the Norwegian Coastal Administration have focused on a number of challenges identified in the report on strategy for maritime digital security 2020.
  • In its 2022 Risk Report, the Norwegian National Security Authority (NSM) points to a threefold increase in the number of serious incidents and cyber operations from 2019 to 2021. The corresponding report for 2023 addresses the issue that there are many vulnerabilities in unclear supply chains, and that with more unpredictability the industry needs to be better prepared.
  • The maritime industry has worked with digitalisation in both traditional information technology systems (IT systems) and in operational technology in systems for automation, propulsion, management and other control systems. The greater the use of remote connection, integration and digitisation in operational technologies, the more vulnerable the operation can be.
  • At the same time, the lifetime of larger ships is generally between 25 and 35 years, and digital upgrades in the entire international fleet usually happen gradually and over time. There is great variation in computer equipment on board both for administrative functions and control systems.
  • The situation is much the same as for ports, where more and more operations are being automated. When it comes to port traffic alone, incidents have been uncovered that have result from cyber attacks IT and administrative systems. These lead to business interruptions, information theft and manipulation linked to smuggling.

Read more content from NTNU:

ntnu partner
Powered by Labrador CMS