Cyber criminals are opportunists—whether their target is on land or sea. If the opportunity is lucrative, threat actors will be knocking on the door. Additionally, malicious insiders, nation-states, and terrorism are now unfortunately part of the collective cyber threat to ensuring passenger safety and continuity of operations on cruise ships.
After 30 years of working in information security within the public sector, including several years as the CISO of Seattle, I’ve seen it all. Across the board, organizations are facing the similar cybersecurity issues, with some unique exceptions in the cruise line industry. I’ve highlighted the four top priorities for cruise lines and their affiliates to improve overall cybersecurity below. If you keep reading past the top four, I’ll dive into the “why” these steps are crucial to maintain business continuity of your off-shore and port-of-call operations.
4 Tips to Improve the Cybersecurity of Cruise Ships
While the cruise line industry has a complex threat environment to navigate, there are four clear steps cruise ships, contractors, vendors, and ports-of-call operators can take to reduce the impact of a security incident.
The recommendations below provide a general overview of critical steps to take, if not already in place.
- Security Awareness Training and User Education
Phishing (attempts to get login credentials through fake sites) is the most common vector used nowadays because it’s so easy. And because there have been so many data breaches and dumps of user credentials for sale on the dark web, reuse of shared passwords can make it trivially simple to gain access to a ship’s network. User education should be addressed through on-going security awareness training of all connected staff.
- Network Segmentation
Recreational and transaction networks must be logically separated from ship’s operational networks. Additional, operational technologies should, to the extent possible, be physically separated through ‘air-gapping.’
- Manage Risk
Use a standard framework like the one provided by the National Institute of Standards and Technology (NIST) and identify gaps in controls. Assign a likelihood to an unwanted outcome due to a control gap, and the potential impact that would accompany the outcome – the product of the two is your risk. Assign a disposition to each corrective action: avoid, accept, mitigate using additional controls, or transfer through insurance.
- Detect and Respond
Support the ability to effectively detect and respond quickly to cyber incidents so the impact of any incident is minimized. Cleaning up an infected computer is the impact you want; inability to process cardholder data, unauthorized disclosure of protected records, or disrupting a ship’s operation for extortion are the impacts you don’t want. Authentic detection and response lowers dwell time, catching intruders quickly so they can be expelled quickly.
The Top Cyber Threats Facing the Cruise Industry
Now, the threats. Because ships require persistent connectivity, Internet-based threats will always be extant. Royal Caribbean Cruise lines reported recently that it receives 1 million attacks per day. This brings up an important distinction—those are not attacks. For the most part, that is the background noise of the Internet, which is easily observed by network monitoring. It's not personal—that volume of attack activity will not diminish any time soon. Organizations should address this through preventive controls and employee training.
However, actors that specifically target cruise lines for the bonanza of passenger records, financial transactions, and extortion potential through service disruption are on the rise. This trend is due to the commoditization of sophisticated attack tools but also with the backing of nation-states. As an example, North Korea is considered to have been behind a global ransomware campaign as a profit-making venture. I note that the targeted attacks against the hospitality industry are rising, and the cruise industry may find itself in those sights.
The new threat is that of randomized collateral damage. Mainly originating from the domain of state actors, the harassment of economies and disruption of infrastructure through cyber means is just getting going. In 2017, Maersk went out of business for about three weeks to the tune of $300M even though they were not the target of that attack. Russia poking the economy of Ukraine resulted in billions of dollars of global loss by organizations having nothing to do with those geopolitics. And as I said, all indications are that this is just getting going.
Cruise Line Exposures Impact the Safety of Everyone Involved
Cruise ships are essentially floating hotels, with all the amenities expected of the hospitality industry. They require network connectivity for recreation, financial transaction processing, healthcare operations, and customer information storage. These are all targets, which invite threat actors to gain access.
Additionally, ships operate a variety of industrial control, or SCADA systems that effect physical movement based on electronic signaling. These “operational technologies” are widely known to be some of the most critical (for ship’s navigation, e.g.,) yet insecure environments and subject to disruption through means both sophisticated and simple. Add to that the dependence on GPS for navigation, and the confirmed ability to “spoof” GPS signal, possibly causing collision or misdirection.
The introduction of Internet-of-Things (IoT) technologies is exacerbating the exposure. While the efficiencies in power use, physical security, surveillance, et al., are driving increased usage, IoT devices are incredibly hackable. When connected to the network, unsecure IoT devices are easy to find and weaponize to launch further attacks, disrupt operations, or compromise to use for their CPU power.
Another exposure is when a ship makes a port call and converts to a land-based Internet carrier. In the airline industry when a plane is at the gate, all emphasis is on security. As the plane pulls back, protocols dictate that the emphasis refocuses to safety. Without a similar mindset in the cruise ship industry, both sides of that interlink may have different ideas on what constitutes ‘security,’ and this may be especially important, depending up the ports-of-call.
Finally, to make all these exposures worse, the IT security emphasis in the cruise ship industry has been focused primarily on preventive controls, which are technologies and processes designed to prevent compromises. Little effort has gone into continuous monitoring, detection, and response to limit the damage from a successful incursion.
Detect and Respond to Foreseeable Cybersecurity Incidents
You may already have protective controls in place—and while those are critical—today, prevention is not enough. Risk managers consider a cybersecurity incident as a foreseeable event. What does that mean for the IT leader? Without detection and response built into the cybersecurity program, today’s reality is that threat actors are likely already in the network. The goal is now to limit the impact of the threat actor. That is where the functions of detection and response come into play.
While IT teams are busy coping with an endless stream of security alerts, patching vulnerabilities, and running trap to avoid the latest breach in the news, threat actors are still getting into networks and causing substantial damage. In fact, in 2017, it took on average 191 days to detect threats in reported breaches.
Not all organizations can afford to build out the detection and response functions in-house. In those cases, a quality Managed Detection and Response (MDR) provider can help reduce the impacts of foreseeable cyber events at an affordable cost.
Whether you choose to source detection and response in-house or out, it is mission-critical in today’s cyber threat landscape to get really good at quickly kicking out the bad guys. However, buyer beware—not all MDR solutions are the same. A trusted MDR provider like CI Security understands the dynamic cybersecurity threat landscape the cruise industry faces today.
Authentic MDR puts real, trained experts in a security operations center leveraging technology to watch for intrusions 24/7. At CI Security, we are focused on continuously innovating upon our Gartner-recognized MDR solution to help customers stay ahead of cybercrime and prepare for foreseeable cyber events, whether at land or at sea.