The Navigator
Issue 12 | Free
Inspiring professionalism in marine navigators
Cyber Security
Cyber hygiene and the use of ICT on board
A free publication by The Nautical Institute in association with the Royal Institute of Navigation
David Patraiko FNI
Director of Projects, The Nautical Institute
Tel: +44 (0)20 7591 3134 | Fax: +44 (0)20 7591 3131
David Patraiko FNI, Theresa Nelson MNI
For the RIN: Dr Andy Norris FRIN FNI
Milton Keynes, Buckinghamshire
#NavInspire
My officers, cadets and crew are enjoying reading The Navigator. The content is very open and inspiring. Our thanks must go to the AMSA PSC Inspector, who brought us these magazines when he came up in Townsville last call.
Capt. Jo Juson, Kwangsi

I am a deck cadet onboard the vessel Glovis Composer. I am learning so much from The Navigator especially the CPD issue and Take 10. I shared some of the topics with the crew onboard our vessel. We don't have a hard copy onboard but I shared the app with the crew to show them this informative magazine.
Ernest Alfred Burgos

Greeting to all my brothers in this profession! I am a die-hard fan of this magazine, but since I shifted to the offshore industry, it is very seldom or not at all that I can see The Navigator magazines on board. I was happy to finally receive a copy of the magazine here in Dubai. Long live Navigators!
Alvin Belleza Renomeron

I was lucky to be introduced to The Navigator magazine at a training workshop with Capt Yashwant Chhabra at the Maritime Academy of Asia and the Pacific in Bataan, Philippines, where I am currently enrolled in the Marine Transportation BSc degree. It can be used as a reference for professionalism in maritime navigators. Moreover, it serves as an eye opener for us to be really cautious in the maritime industry. Thank you, and we'll enjoy reading it!
In the long run, I am endeavouring to work in pilotage in Singapore. During my cadetship I became deeply fascinated with the pilotage whenever we went to our home port, Singapore. At that time, I was already thinking of working in that profession, commanding the vessel safely. The maritime profession is a never ending process of learning, and I will continue my endeavours to work in this different field in the maritime industry. I know this will take time, but just by dreaming about it, I am already starting to see how I can realistically bring it about.
Niel Borja

Just wanted to share my thoughts. The issue dated February 2016 was really a great help for me. I'm in my second contract in this position, and the thoughts I gathered from that issue building on competence were indeed helpful for guiding my development. Thank you.
Loid Anthony Cadungog
Third officer, Orient Centaur

Get the app
Join the debate on LinkedIn: http://www.linkedin.com/groups/Nautical-Institute-1107227
Follow us on Twitter: https://twitter.com/NauticalInst
We are active on Facebook: https://www.facebook.com/thenauticalinstitute
Watch our videos on You Tube: http://www.youtube.com/TheNauticalInstitute
You can read a digital version of The Navigator, or download it in PDF format at http://www.nautinst.org/publications

We welcome your news, comments and opinions on the topics covered in The Navigator. We reserve the right to edit letters for space reasons if necessary. Views expressed by letter contributors do not necessarily reflect those held by The Nautical Institute

Be a distributor! To sign up for a copy of The Navigator for your vessel, visit http://www.nautinst.org/navonboard
CYBER SECURITY: CONNECTED DEVICES
The Navigator | June 2016

Knowledge is Power

We have all come to rely on our smartphones, laptops and constant access to the Internet to help us run our lives. Yet how safe are we, sitting quietly behind our screens? The answer might be rather alarming

Most of you reading this will have a smartphone onboard with you at the moment. I know this because, each year since 2012, Futurenautics has run the Crew Connectivity Survey, which asks around 3,000 seafarers about their access to, and usage of, devices and connectivity onboard. 2015 was the year in which smartphones overtook other devices to become the most common piece of equipment seafarers have on ships. For the record, the others are laptops, hard drives and other types of mobile phones. Oh, and one guitar. Yeah, I know. I don't think he understood the question.

There is something else I know about your smartphone. If it is running Android software and apps then there is a 90% likelihood that it is carrying malware (malicious software which should not be there). If it is an iPhone running iOS then that's up to an 80% likelihood. That's malware of which you will be entirely unaware, and unlikely to affect your usage of the device at all. It is sitting there quietly, waiting until the phone is plugged into something else, when it will execute and infect whatever machine it has been offered.

That machine might be a laptop, or desktop PC, or perhaps the ECDIS, because someone was low on battery and needed to charge up their phone quickly. Or maybe that laptop in the engine control room, which was delivered by the manufacturer to run the main engine under strict instructions that it must never be connected to the Internet. A laptop, therefore, with absolutely no virus protection or firewall that, being the only open computer on the vessel, has been surreptitiously hooked-up to the FleetBroadband so that the crew can get online.

Password-protected?

I also know that there's a 60-70% likelihood that the password you use both for your personal devices and the corporate network onboard will be the same, and that the password in question has an 80-90% likelihood of being either weak, default or quite easily guessable. If a little brute-force cracking doesn't work, then I know exactly where to go next to check out the kind of personal, intimate details about you and your friends and family that will allow me to fashion a very plausible email.

Where do I go for that? Facebook, which I know is the number one social media site for seafarers, accessed by around 79% of you while you're at sea. The email, when it arrives, won't come from me. It might come from someone in your IT support unit ashore telling you that they think that someone has been trying to use your login to access the network, but they know it can't be you because HR say you're at sea. It might correctly identify the name of the vessel and its next port of call, and ask for your login credentials in order to investigate. And I know that there is a 70%+ likelihood that you will supply them.

But you might not. On the off-chance that you're one of the 30% who decides to dig a little further, recognises a spelling mistake in the company name in the email address or just gets a little suspicious, that's still not a problem for our hacker.

Financially motivated cyber crime is a US$1 trillion+ per year industry and it can be very random. Not always, though. Sometimes, individuals are carefully targeted because they have access to systems or privileges which others don't. Navigation officers onboard ship have access to systems which could be crippled, or not, in return for a ransom. The good news, or bad news depending upon your perspective, is that according to our survey, seafarers have above average technology skills and competence; you guys are pretty savvy. So you're likely to make the hacker's job harder. But not that much harder.

Risky recruiting

For the first time in 2015, LinkedIn appeared as a favourite job search site for deck officers, according to our data. Even if you're happy where you are, there's no harm in connecting with a recruiter on LinkedIn who is advertising the kind of jobs you might be interested in, paying a bit more money. When that recruiter asks you to contact him directly by email to discuss opportunities, you will. Then, when he sends you a positions-listing sheet encouraging you to take a look and let him know whether you're interested in being put forward, you will click on the attached document, download it, and read it. There's no harm in that, right? Other than the fact that the recruiter is me, and contained within the document is malware which, when opened, will begin beaconing to an external IP address that will allow me to install a PHP reverse shell on your system, search, collect, change or remove sensitive data or access systems at will.

Sound unlikely? I've been reliably informed by one connectivity provider that the volume of unauthorised traffic over its network (that is, malware beaconing IP addresses from ships' networks all over the world) is so great that it's beginning to cause network issues. To the extent that the provider is contacting its customers and trying to help them root out the malware in their systems.

This would tend to bear out our survey findings, because 43% of you reported that you had sailed on a vessel which had become infected with a virus or malware. Yet 88% of you claim never to have received any advice or training around cyber security or hygiene.

There are a lot of numbers here. For most cyber criminals, it's a numbers game. Every single one of the scenarios I have outlined above has taken place on a ship or shore-based office. The guy who plugged his phone into the ECDIS was responsible for malware wiping every single electronic chart on the vessel.

Unlike the majority of seafarers, people who run shipping companies, and particularly shipping associations, are often far from technology-savvy. They have failed to understand that technology dependence leads to cyber risk and have not adequately addressed the issue at board level in the same way they would address any other type of risk. It is a risk to you because their networks and their vessels are your home and hold a wide range of data about you. For example, the data on your phone alone right now is worth around $14,000 to a cyber criminal.

The truth is that attackers no longer target infrastructure, they target people. So if you are one of the thousands of seafarers who have been given no cyber hygiene support, training or advice then I suggest you ask for it or seek it out.

There's one other thing I know about you. Properly trained and resourced, you are a line of defence more solid and impregnable than all the firewalls and privileges your IT department can muster. I know that. The cyber criminals know that. Now you know it too.

Are you inspired? Tell us at #NavInspire

Author: K. D. Adamson, Futurenautics
Futurenautics Crew Connectivity Survey can be viewed as a PDF online at www.futurenautics.com/crewconn15
CYBER SECURITY: ONBOARD SECURITY

Protecting a ship's computers can be compared to protecting your home. A fence keeps strangers out, just as a computer is protected by a firewall. If your fence breaks, you must mend it. Your firewall must be kept up to date to prevent malware from getting in.

On the other hand, there need to be gaps in the fence to allow wanted visitors in. We must be able to welcome friends and family while assessing the risk of inviting in a stranger. Some guests are granted access to every room in the house, while the delivery guy might just be allowed into the hallway. But even if you offer your aunt unrestricted access to your home, you may still decide to keep your valuables in a locked safe. In other words, you are in full control.

When it comes to life onboard ship, officers must take control to make sure they know who has access to what data, and who is allowed in rooms containing key technical equipment.

Industry guidelines

In January 2016, a group of industry organisations including BIMCO published new Guidelines on Cyber Security Onboard Ships. These can be downloaded for free from www.bimco.org. There is a quick link at http://www.nautinst.org/NavInspire

The guidelines are designed to develop understanding and awareness of key aspects of cyber security. They do not focus on the technical aspects of cyber security.

Cyber security should start at the senior management level of the company ashore. You cannot protect a ship 100% against cyber incidents (a cyber incident is anything that may adversely affect an onboard system, network and computer or the information it handles). So it is important to have contingency plans ready for when something goes wrong.

Senior management has the strategic responsibility to decide on how best to protect the ship. For example, a barge trading in inland waters will be protected differently from a 15,000 TEU container ship trading worldwide. Cyber security is related to business processes and crew training, as well as technical systems. It is not just a matter for the IT department.

Cyber security has both safety and security aspects. So all plans and procedures for cyber risk management should be seen as complementary to the existing security and safety risk management requirements contained in the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code.

Both information technology (IT) and operational technology (OT) might be vulnerable to cyber threats.

Cyber security onboard ships protects:
- the operational technology against the unintended consequences of a cyber incident;
- information and communications systems and the information they contain from damage, unauthorised use or modification, or exploitation; and/or
- against interception of information when communicating and using the internet.

Awareness

Some of the main points from the industry guidelines which may be relevant to you as a seafarer:
- Every ship is different, as is its trade and cargo. Start by identifying the threats and vulnerabilities to develop a response in case anything happens to the IT and/or operational technology (OT) on board.
- Cyber security should be considered at all levels of the company, from senior management ashore to crew on board, as an inherent part of the safety and security culture necessary for the safe and efficient operation of a ship.

Identifying a threat

Firstly, you need to understand the specific threats to which the ship and its operations are exposed. For example, if a container is very valuable, there may be criminals who want to steal the contents. In order to do so, they need to know the location of the container and ship. So this information must be restricted to as few people as possible.

In general, there are two categories of cyber attacks, which might affect companies and ships:
- Untargeted attacks, where a company's or a ship's systems and data are one of many potential targets; or
- Targeted attacks, where a company's or a ship's systems and data are the intended target.

Untargeted attacks are likely to use tools and techniques available on the internet to locate known vulnerabilities in a company and onboard a ship. For example, to try to locate the container, the criminals may check if a valuable container is mentioned on social media. This method is called social engineering.

Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a particular company or ship. To locate a container, for example, they may send a personal email to someone who knows which ship the container has been loaded on. This email may contain malicious software or links that automatically download malicious software. Such software will then send the information to the criminals, thereby enabling them to intercept the container.

Vulnerabilities

There are a number of onboard systems which may be exposed to cyber risks. It is important to identify these systems and their vulnerabilities. They could include:
- Cargo management systems
- Bridge systems. Even bridge systems that are not connected to other networks may be vulnerable, as removable media are often used to update such systems from other onboard networks
- Propulsion and machinery management and power control systems
- Access control systems, e.g. for the accommodation and cargo control rooms
- Passenger servicing and management systems
- Public networks for passengers
- Administrative and crew welfare systems. These are particularly vulnerable when they provide internet access and email. They should not be connected to any safety critical systems on board
- Communication systems

Risk assessment

A risk assessment will help find out how vulnerable and how exposed the different systems are. The Industry Guidelines outline two risk assessment methods used by the crew or by a third party. When doing it yourself, elements of a Ship Security Assessment can be used to physically test and assess the IT and OT systems on board.

1. Identify existing technical and procedural controls to protect the onboard IT and OT systems. Is there unused or defective software, or are systems outdated or unpatched?
2. Identify specific vulnerabilities in IT and OT systems, including human factors, and the policies and procedures governing the use of these systems. Do you use passwords, are personal profiles changed regularly, etc?
3. Identify and evaluate key shipboard operations that are vulnerable to cyber attacks. For example, who is allowed access to what systems and what are they allowed to do?
4. Identify possible cyber incidents and their impact on key shipboard operations, and the likelihood of their occurrence. For example, what to do if the communication to the shoreside has been compromised?

Training and awareness

You can reduce the risk of cyber incidents by procedural controls, focusing on how seafarers use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies.

In many cases, a cyber incident is started by personnel working in the company. Personnel, even with the best of intentions, can be careless, for example by using removable media to transfer data from one computer to another without taking precautions; and data can be mishandled and files disposed of incorrectly. To limit these risks, training and awareness should be developed for:
- Onboard personnel, including the Master, officers and seafarers; and
- Shoreside personnel who support the management and operation of the ship.

An awareness programme for seafarers should cover:
- Emails and how to behave in a safe manner;
- Internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored;
- Use of own devices;
- Risks related to installing and maintaining software on company hardware;
- Poor software and data security practices where no anti-virus checks or authenticity verifications are performed;
- Safeguarding user information, passwords and digital certificates;
- The physical presence of non-company personnel, for example where third-party technicians are left to work on equipment without supervision;
- Detecting suspicious activity and how to report if a possible cyber incident is in progress;
- The consequences or impact of cyber incidents to the safety and operations of the ship;
- Understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incidence-response planning and testing; and
- Procedures for protecting against service providers' removable media before they are connected to the ship's systems.

Author: Aron Frank Sørensen, Chief Marine Technical Officer at the Baltic and International Maritime Council (BIMCO)
watch out
In this series, we take a look at maritime accident reports and the lessons that can be learned

If you find our accident reports useful, check out The Nautical Institute's Mariners' Alerting and Reporting Scheme (MARS). A fully searchable database of incident reports and lessons, updated every month. Seen a problem yourself? Email the editor at mars@nautinst.org and help others learn from your experience. All reports are confidential; we will never identify you or your ship.
Proud to be a seafarer
Deck Cadet Jisilda Nguli loves life at sea and takes enormous pride in her status as a seafarer. She has ambitions to become a Master, and is keen to learn from those around her

What made you interested in a life at sea?
In the beginning, I was just interested in studying, but after two months, I fell in love with the sea and way of life. I identified myself as an officer and loved doing something different from my family and friends. I could not stop dreaming about one day being a captain of a big ship.

Where did you train?
I trained in three separate places. First of all in India at AMET University, where I did my STCW course and studied English (I'm from Angola and not a native English speaker). Then, I did my HND with the first year in Angola at CFMA and my second year at City of Glasgow College in Scotland.

What was your first day at sea like?
My first day at sea was amazing! I joined a very friendly and professional crew on an oil tanker ship from my home town. She was called Benguela-Angola and there were seven other Angolan women onboard. The weather was tropical, with a calm sea and light wind. It was the best experience ever.

What do you like best about working at sea?
I love the sea. I enjoy looking at the sunset on a clear horizon. I like the idea that my workplace is just three minutes' walk from my bedroom, and that I don't have to face commuter traffic every day. I also like being called a seafarer; it makes me proud of myself.

How can you become a successful bridge officer, in your opinion?
You have to know how to listen even when you think it is unnecessary. Follow the rules, stay aware of any changes in the situation (a good officer is always alert), remain engaged and work as part of the team. Communication is very important onboard ship. Know that you can learn something from anyone, and most importantly, put the safety of everyone onboard ship first, along with the cargo and environment.

Where do you see yourself in five years' time?
I see myself as a second officer, sharing my experience and travelling all over the world, showing one more time that women can do anything. I want to take part in big conferences with opportunities to speak and encourage others to follow this career. In ten years, maybe I will be a captain, doing the same job of sharing my experience. I will enjoy each stage of my career and try to learn as much as I can. I will do every single course that my company can offer me and keep reading the latest nautical publications. Above all, I will try to always be happy, safe and grateful.
Contact RIN at: www.rin.org.uk | 1 Kensington Gore, London, SW7 2AT | Tel: +44 (0)20 7591 3134
take 10
In this issue of The Navigator, cyber security has fallen under the spotlight. Here are ten key points to take in

1. Attacks happen
Cyber security should concern everybody, even those who are not computer experts. All seafarers can make a difference.

2. Data protection
Ships' officers must make sure they know who can access what data, and who is allowed in rooms containing key technical equipment.

3. Personal risk
Personal devices (smart phones, laptops, USB sticks) and ship systems (navigation, cargo, control, communication) are susceptible to attacks. Connecting personal devices to ship systems for exchanging data or even for charging is highly risky. Don't do it!

4. Know your weaknesses
Vulnerable systems include cargo, bridge, propulsion, access control, passenger services, public networks, administrative and crew welfare systems, and all external communication systems.

5. Be prepared
Cyber security plans require both safety and security aspects. All procedures for cyber risk management should complement existing requirements contained in the ISM and ISPS Codes. Contingency plans must be ready and well rehearsed for when something goes wrong.

6. App awareness
Android software and apps have a 90% likelihood of carrying malware; iOS have an 80% likelihood, of which you will be entirely unaware until it is plugged into something else (Futurenautics Crew Connectivity Survey).

7. Social skills
Social media is a key source of viruses or information for targeting individuals. Be aware of what you post!

8. Jamming and spoofing
Global Navigation Satellite Systems (GNSS, including GPS) are vulnerable to intentional and unintentional jamming and spoofing. By following conventional best practice, such as observing radar and visual references, you can minimise the risks.

9. Risk training
Every ship will have different risks and levels of risk. All crew should be informed and trained about the risks appropriate to their roles, how to manage them and how to react to an incident. Regular onboard updates, drills and mentoring are also key.

10. Want to know more?
Good advice on cyber strategies is widely available online. Specific guidelines for cyber security onboard ships have been published by BIMCO and can be found at www.BIMCO.org
We want to see
who is reading T
AND the winner this issue is
Congratulations to Gaville Dsouza, winner of our Issue 11 NavSnap competition! Gaville is Chief Officer on board Spar Capella. He is a keen photographer and has sent The Navigator some of his photographs taken on board.
Gaville Dsouza
Navigator CHAMPION