Cruise Ship Cyber Security Challenges


The cruise sector has a variety of specific and complex challenges for designing and implementing an effective cyber strategy. Firstly, with such large vessels carrying over 5000 passengers on a constantly deployed vessel, the ability to have patching windows, service outages or periods of upgrades can be extremely limited due to the tight economics of having the vessel underutilised. Additional complexity is introduced when consideration is given to the vast array of systems involved in providing all the facilities and attractions that modern passengers expect - audiovisual systems and stage management systems are often as complex as those found in West End or Broadway theatres and specialist knowledge can be extremely difficult to locate within the available pool of crew.

OT within the cruise industry can be unparalleled in scale and complexity, with detailed troubleshooting knowledge often limited even amongst senior crew. Given the requirement for absolute reliability of secondary / tertiary systems, it can be extremely common for OEMs to have direct access to the systems from the vendor headquarters. These connections are often insecure by nature, opening the vessel to significant risk through a supply chain attack. Attacks of this nature have become more common as attackers realise an easier way to their target can be through a trusted third party company.

Additionally, OT often has a significantly longer design life than IT on a modern liner and is not as easy to upgrade without extended periods of downtime and sea trials. During a recent engagement, Nettitude carried out an assessment of various OT systems utilised within the industry and found multiple critical vulnerabilities within five days that were responsibly disclosed to the manufacturer. Some of these vulnerabilities caused irreversible hardware failure and malfunction from simple network scanning techniques as well as more advanced issues.

So, what are Nettitude's recommendations for cruise operators to answer these challenges?

Read the full article