Does a dual system create redundancy?  As an example, most vessels will have two ECDIS, or electronic chart systems, for redundancy. Few vessels now carry backup paper charts other than basic ‘get you home’ versions, as they are expensive and hard to keep updated. A colleague remembers collecting chart updates from the ships agent at each port, which he had to cut out and paste on to the chart.

Having two redundant systems sounds like a good idea. However, most of the ECDIS units we’ve tested have been running old operating systems or were missing critical patches and were trivial to compromise. Two easily hacked ECDIS units on board. Great!

Both ECDIS are often updated at the same time, removing the benefit of redundancy. This often has to be done, as otherwise there would be inconsistencies in the charts on each ECDIS.

What systems onboard are dual for redundancy, can we list them, and if they are updated at the same time?

Manual control of a ships engine usually involves three sticks: one for the fuel pump, one for start air and one for engine direction. Fuel pump rate does not directly correlate with engine speed – there are many variables that affect this, even air humidity will change how the engine performs for a given lever setting.

Shifting the engine to stop or reverse involves using start air to restart each time. Air tanks usually contain enough air for 10 starts under automatic control, requiring 45 minutes or so to recharge. Under manual control, even a skilled operator will probably only get 5 engine starts. That’s 45 minutes and potentially 5 changes of propeller direction.

Imagine a junior officer trying to deal with failing navigation systems, all bridge sensors offline, steering gear not responding and engine levers inoperative. Manual control is an option but, as an aviation pilot, I know very well how quickly one can become overloaded with information and become incapable of dealing with a situation. Fixation on a single error quickly leads to loss of the wider picture.

A Ponemon data breach report in 2017 showed that it took US organisations an average of 206 days to detect a data breach. That’s a statistic from shore-based organisations, where IT and IT security personnel and expertise are usually available.

So how does a ships crew, where perhaps one person on the crew has a small amount of basic IT skill, detect a breach of a vessel?

If you don’t know, you can’t take action. At what point do you decide that the navigation systems are no longer trustworthy? Who makes that decision? The inexperienced third officer? Do they wake the captain?

Who decides to take the vessel out of track control mode? Remember, security isn’t binary – something is a bit odd, but all the digital systems seem to agree with each other. A security incident doesn’t have to involve alarming ransomware taking control of cargo manangment, it can be much more subtle than that.

Even with years of forensics experience, sometimes investigators struggle to determine the cause of an incident. I remember one case where a human hair in a switch port was causing public IP addresses to be spoofed on the internal network. We didn’t believe it either, until we removed the hair and replaced it several times, at which point the spoofing stopped and started consistently!

So you take action, you assess the incident and decide you need help. You pick up the satphone to HQ. The satphone isn’t working as it uses the same, vulnerable satellite terminal that the hacker exploited. What next?

The usual response is ‘ships can’t be hacked.’ When I dig further, what they usually seem to mean is that ‘processes aboard the bridge mean that the captain or officers will spot the issue and take manual control’

We see the same pattern when security flaws are discovered in an industry for the first time. Back the early 2000’s, few industries outside financial services and government took security seriously. ‘Why would hackers be interested in us’ was the usual objection.

Over time, as financial services and governments improved their security, other industries became easier targets for hackers looking to monetise their gains. I remember charities objecting ‘We’re a charity working for good causes, why would hackers attack us’ – yet soon they were being used for validating stolen credit card data through small test charges.

Hackers will come to every industry, starting with those with the weakest security. Why develop hugely costly nation-state grade malware to hack a bank when you can exploit Windows XP systems in shipping and generate similar returns?