Introduction
The world cruise industry continues to be characterized by a significant growth rate. In the global cruise community, two such American giants as Carnival Cruise Lines (CCL) and Royal Caribbean Cruises (RCL) dominate. The modern cyberspace and the level of development of information technologies provide unique opportunities to manage the most complex technological processes in the industry of cruise lines. Such a wide range of possibilities is increasingly being used for criminal purposes by hackers. Even though cruise ships are equipped with the most advanced technologies, they remain vulnerable to cyber attacks that may lead to economic, political, and social damages.
Cyber Security Concerns
In 1819, the first steam engine called Savannah was constructed, and it entered the history as a pioneer of transatlantic cruise shipping, making the first cruise from Savannah, GA, the US to Liverpool, England. However, upon returning to the US, the steam engine was dismantled, and the ship continued to cruise under sail. The leader in transatlantic cruises of the 20th century was the British ship company White Star Lines, which had a very ambitious plan to build the first cruise fleet (Gladden 59). The company created a new class of ships and built three vessels: Olympic, Titanic, and Britannic. These were the most grandiose liners of that time, the biggest and the fastest, with their interiors striking the imagination of contemporaries. These giant ships were used for the transportation of poor people on the lower decks and, at the same time, of richer individuals on the upper decks during cruise trips.
Since the 1970s, the cruise tourism industry has continued to evolve. The size of ships has been increasing, more and more diverse entertainment for passengers is available on board, and one can visit almost every country in the world today. The cruise ship industry, similar to any other major sphere of activity, develops in parallel with the technical progress: ships become more technologically-advanced as more and more processes are automated, computerized, and internet-based (Kirby). Electronic systems on cruise ships are used to store and process the personal information of customers and employees, and all organizations without exception are obliged to follow certain rules and implement technologies to secure data processing in order to minimize possible harm to individual identity, financial status, and so on (International Cruise Ship Industry 1).
Considering that almost everything controllable by technologies has a weak spot, any security gap on the ship will increase the system vulnerability, which modern hackers will aim to exploit for both financial and personal gains, as well as for the thrill of cybercrime. The problem is that “black hat” hackers (or cyber criminals, in other words) “usually have extensive knowledge about breaking into computer networks and bypassing security protocols,” and are also frequently engaged in writing and disseminating malware, “which is a method used to gain access to these systems” (Symantec Corporation). By using their skills, not only can they steal important and sensitive data but may control the ship distantly. Therefore, managers should strive to ensure a high level of compliance with security standards to avoid data breaches and any other adverse events that involve hacking.
Motivation for Hacking
The paramount question that should be addressed is what drives hackers. Taking into account the importance of obtaining an answer to the above question, Thycotic, working in the field of cyber security, conducted a survey of 127 hackers at the Black Hat USA conference in 2014 (“What makes today’s hackers tick?”). It was revealed that 51 percent of respondents reported that their main motivation was to search for emotions and fun, while 18 percent said that they were stimulated by the need for money. The overwhelming majority of them, to be more precise, 86 percent, were also convinced that they would not be held responsible for the implementation of their cyber attacks; therefore, they continued to commit their malicious acts (“What Makes Today’s Hackers Tick?”). The conclusion of the study is as follows: the number of attacks carried out is much higher than the level of system monitoring. Today’s hackers are more adaptable than ever before, and this allows them to perform numerous attacks on various systems, increasing the success of their actions without increasing the degree of risk.
There are three pivotal reasons that make hackers target the cruise ship industry. The first one is a personal challenge as they perform these attacks to prove something to themselves. This does not mean that there is no element of danger from such attacks. Personal benefits compose the second motivation as numerous cyber attacks are made for the purpose of stealing personal data or money. It may also be one of the forms of vandalism. Sometimes, this is done to sow chaos by triggering an accident of IT systems (“What Makes Today’s Hackers Tick?”). In other cases, there is a certain political aspect called “hacktivism” as, for example, conveyed by the groups of hackers who work under the name Anonymous. The key goal is IT administrators – people with direct access to servers and systems where a large amount of confidential information is stored, in particular, those of customers or users. This means that when a hacker has gained control over access codes, he or she can easily and quickly take control of the entire system.
Cyber Attack Vulnerabilities
According to the report of European Union Agency for Network and Information Security (ENISA), the analysis of cyber security aspects in the maritime sector raises puzzling statements that cyber security awareness is low or even nonexistent, including the industry of cruise ship. A small concern with cyber threats is also noted by the International Cruise Ship Industry, partially specializing in the safety of the marine industry (2). In particular, the fact that many employees in the maritime sphere are accustomed to being part of an almost “invisible” industry makes them feel secured. More often than not, if an ordinary person does not live near a significant port, he or she cannot imagine the real scale of the entire industry.
Along with the growing reliance on automation, the risk of external interference and disruption of the operation of key systems is significantly exacerbated. Hackers may interfere with the management of the vessel or the operation of its navigation systems, disconnect all external communications of the vessel, or acquire confidential data, as stated in Express’ report on the safety of navigation for 2015 (Kirby). The issue of relevance is complicated by the fact that not all information about successful attacks is widely publicized. Business owners can often keep silent about it, fearing such consequences as loss of authority, claims from clients and insurance companies, and initiation of investigations conducted by third-party organizations and government bodies
The complicated nature of cruise ships as well as their low protective measures contributes to vulnerability. For instance, Voyager of the Seas with the displacement of 137,000 tons is almost one and a half times that of its predecessor, the giant Queen Elizabeth II. The operator of the liner is the American company Royal Caribbean. In 1557 cabins, half of which has balconies, there are 3840 passengers, and the crew team consists of 1180 people (“Voyage Further. Discover More”). The length of the ship is 311 meters, the width is 48, and the height from the keel to the top of the chimney is 72.3 meters.
Voyager of the Seas has 15 decks, four of which are called Royal Promenade and have a length of 120 meters. According to the plan of its designers, all four Royal Promenade resemble the Burlington Passage in London with shops and restaurants. The ship’s theater is named La Scala, and the performances in it can be viewed by 1,350 spectators (“Voyage Further. Discover More”). The largest restaurant for 2100 seats occupies three decks in height, and a special rock of ten meters high is built on one of the decks where climbers can practice. There is an arena with an artificial ice rink. Moreover, this cruise ship provides an opportunity to get married – on the upper deck, just behind the pipe, there is a church.
Such a great variety of services requires a rather complicated system of equipment, monitoring, electricity, and control. On the largest cruise liner in the world called Oasis of the Seas, the total length of electrical wiring is sufficient to stretch it across the whole of North America. As one more vivid example, the ship is held in place by the special Global Positioning System (GPS), which is connected with three unique steering columns called azipods. Technically, azipod can be compared with the reversible engine of the aircraft with an emergency stop as it allows the ship to quickly reduce its speed to zero. Had Titanic had an azipod unit, it could have stopped just before the iceberg and escaped collision. Energy nodes have such a reserve and autonomy that during an accident Voyager of the Seas retains half of its capacity.
In addition to personal data of passengers and crew members that can be stolen, there are more dangerous threats associated with navigation, docking, and entering other countries’ ports. It is essential to identify two main systems that navigate cruise ships. The Automatic Identification System (AIS) serves for the transfer of a ship’s identification data (including its cargo), information about its condition, current location, and course (Kazimierski and Stateczny 1143). The device works by transmitting signals through the very high frequency (VHF) range between vessels, floating relays, and shore AIS-gateways that are connected to the Internet. In its turn, Electronic Chart Display and Information System (ECDIS) collects and uses AIS messages, data from radars, GPS, and other ship sensors from the gyrocompass and compares them with stitched cards (Kazimierski and Stateczny 1144). It is used to navigate, automate some tasks, and enhance navigational safety.
There are two directions of hacker attacks: the first is for AIS-providers collecting data from AIS-gateways installed on the coasts to collect AIS information and, further, to provide commercial and free services in real time (for example, MarineTraffic). The second type of attack is at the broadcast level directed at the AIS protocol. The attack on the protocol may be carried out using software-defined radio (SDR). The protocol architecture was developed for quite a long time; a sender’s validation mechanisms and encryption of the transmitted data were not provided since the probability of using expensive radio equipment to compromise the technology was regarded as low (Kazimierski and Stateczny 1146). One may note the possibility of the following scenarios: provision of false weather information to specific vessels to force them to change course to circumvent a nonexistent storm; falsification of Emergency Position Indicating Radio Beacon (EPIRB) signals that activate alarms in nearby ships; and the possibility of conducting a DoS attack on the entire system by initiating an increase in the transmission rate of AIS messages.
If one considers a hypothetical situation of a hacker attack, some potential consequences may be outlined. For example, the placement on the AIS-maps of the non-existent military ship of the country A in the territorial waters of the country B can provoke a diplomatic conflict. In addition, an attack by a hacker can lead to a deviation of the ship from the course as a result of substituting messages about a possible collision or moving it to a certain point in the water area by creating a false emergency beacon signal. In the complete set with ECDIS-systems, there are usually no means of information protection. It is also worth noting that Windows-based systems deployed on long-stayed ships do not always manage to receive even critical safety updates within reasonable time.
Vulnerabilities found by the researchers, largely associated with the server Apache, are installed in conjunction with the system. The implementer of malicious code can be an external infringer acting through the Internet or a team member using a physical medium to update or supplement navigation maps (Bothur et al. 85). The vulnerabilities found could read, download, move, replace, and delete any files on the workstation. With this development of events, an attacker gains access to reading and changing data from all service devices connected to the ship’s on-board network. Therefore, correct operation of the ECDIS-system is rather important, while its compromise can lead to the most adverse consequences such as injuries and even deaths of people, environmental pollution, and large economic losses.
Actual Examples of Past Events
On June 22, 2017, the US Navy Department received a message that the captain of the ship near Novorossiysk, Russia discovered that the GPS had incorrectly located its position (Weise). It allegedly was on land, in Gelendzhik airport. Having ascertained that the equipment is working properly, the captain contacted the neighboring vessels and found that the signals from the aeronautical information service indicated that they all occurred at the same in the airport. It touched at least 20 vessels. Weise notes that although the incident has not yet been confirmed, experts believe that this is the first recorded case of GPS manipulation – a long-spoofed attack, in which case spoofing is a fake signal from a ground station that misleads a satellite receiver.
In 2017, Danish shipping and logistics company Moller-Maersk reported that the virus that led to serious financial losses entered the system through the Ukrainian computer program (Baker). The company published a financial report for the second quarter of the above year that emphasized the impact of Petya virus attack at the end of June. Maersk preliminary estimated that financial losses from cyber-attacks are $200-300 million (Baker). The company claimed that as a result of the attacks suffered, the sea container traffic Maersk Line, operator APM Terminals as well as the logistics company Damco were engaged in collapse. Petya virus blocked computers, encrypted the information contained on them, and extorted money for unlocking the system. Microsoft declared that the virus was distributed through the accounting software M.E.Doc.
Another vivid case of compromise of satellite systems occurred in July 2013. The students from the University of Texas at Austin were able to decline $80 million yacht from the course using equipment that did not cost more than $3,000 (Dodson). Using a GPS simulator that is applied, for example, to calibrate equipment, they duplicated the signal of a satellite and gradually increased the power, thus managing to “convince” a ship’s navigation system to receive messages from the spoofing device and to reject the signal of the real satellite as interference (Dodson). After the navigation system began to work through the data of two satellites and the attacking device, the researchers managed to deflect the vessel from the initial course.
Responses to Threats and Their Improvement
As one of the measures to combat cyber attacks, it is important to note the second edition of the Guide to Cyber Security on Ships prepared by Baltic and International Maritime Council (BIMCO), the International Union of Marine Insurance, the International Association of Cruise Lines, the International Maritime Forum of Oil Companies, the Ministry of Railways, Intercargo, and Intertanko. The second edition of the Guide includes information on insurance issues and recommendations for effective isolation of networks (Wilkie). It also includes new practical guidelines for connecting the ship to the shore interface and managing cybersecurity when it enters a port and when it communicates with shore organizations.
The chapters on contingency planning and response to cyber attacks have been rewritten to reflect the fact that the guidelines are aimed specifically at ships and take into account remote conditions in the event of a breach of ship protection. In addition, a new insurance subsection has been added, providing for insurance coverage after cyber attacks, which is an integral part of the risks to ship owners (Wilkie). The Sectoral Guidelines are consistent with the recommendations given by the Guidelines for the Management of Cyber Security of the International Maritime Organization (IMO), which were adopted in June 2016.
To unify the navigation and meteorological information transmission system for the purpose of ensuring the safety of navigation on cruise ships, the Navigation Warnings on the Web (NAVAREA) world navigation warning service was developed. It is called to ensure the coordination of the transmissions of navigational warnings on the radio by all maritime countries. The transmission of navigation warnings, meteorological information, as well as alarms and necessary information when searching and saving should be protected by means of special technologies. What is also essential, crew training should prepare them for cyber attack related emergencies and their further elimination.
Conclusion
To conclude, it should be emphasized that poor preparedness of cruise ship industry in the times when cyber attacks are widely used by hacktivists, criminals, and terrorist groups is the main cause of vulnerability. In addition to the vulnerabilities of software and other weak points in the technical protection of these systems, the problem of the inability to instantaneously apply security updates for systems on ships on a voyage or in remote ports is also critical. Several cases when cyber attacks mislead ships’ systems were noted. As it can be seen from the report, there is an urgent need to disseminate existing policies and guidelines and increase the awareness of the identified problem.
Works Cited
Baker, Joe. “Did the Maersk Cyber Attack Reveal an Industry Dangerously Unprepared?” Ship Technology. 2017.
Bothur, Dennis, et al. “A Critical Analysis of Security Vulnerabilities and Countermeasures in a Smart Ship System.” The Proceedings of 15th Australian Information Security Management Conference Held 5-6 December 2017 at Edith Cowan University, edited by Craif Valli, 2017, Perth, Western Australia, pp.81-87.
Dodson, Brian. “University of Texas Team Takes Control of a Yacht by Spoofing Its GPS.” New Atlas. 2013.
Gladden, Graham P. “Marketing Ocean Travel: Cunard and the White Star Line, 1910–1940.” The Journal of Transport History, vol. 35, no. 1, 2014, pp. 57-77.
International Cruise Ship Industry. “Cyber Security – Is The Cruise Industry Ready?” HubSpot, 2014.
Kazimierski, Witold, and Andrzej Stateczny. “Radar and Automatic Identification System Track Fusion in an Electronic Chart Display and Information System.” The Journal of Navigation, vol. 68, no. 6, 2015, pp. 1141-1154.
Kirby, Will. “Terror Fears At Sea: Cruise Ships Could Be Sunk by Cyber Terrorists, UK Government Warns.” Express.
Symantec Corporation. “What Is the Difference Between Black, White and Grey Hat Hackers?” Norton, 2018.
“Voyage Further. Discover More.” Royal Caribbean, Web.
Weise, Elizabeth. “Mysterious GPS Glitch Telling Ships They’re Parked at Airport May Be Anti-Drone Measure.” USA Today.
Wilkie, Gemma. “Cyber Security Guidelines for Ships Launched Today.” BIMCO. 2016, Web.
“What Makes Today’s Hackers Tick?” Thycotic, Web.