Hacking the Ship Scenario: An Offshore Supply Vessel's Dynamic Positioning System
By Dennis Hackney, PhD, Head of Cybersecurity Product Development
A single cybersecurity incident can result in persistent, costly service disruption. In this case scenario, we analyze what can happen when a hacker targets your vessel during an automated operation like dynamic positioning.
Secure operations of marine and offshore assets are critical to the safety of people, property and the environment. Many hackers today seek not only to gain unauthorized access to company data, but to manipulate operational technology (OT) and cause damage or physical disruption to important industrial systems or processes.
In this vessel scenario, we describe threat actions that can be taken on the Dynamic Positioning (DP) system of an offshore supply vessel (OSV). The operational risk to consider in this scenario is that control and redundancy of the DP is lost during station keeping, which could result in unplanned downtime or, worse, a catastrophic incident.
How It Works
Dynamic positioning (DP) is widely used in offshore oil and gas operations to maneuver and anchor a vessel into a fixed position, especially in deeper waters where wind and waves can affect drilling operations.
Dynamic Positioning Systems
As a computerized and automated system, DP controls the movements of the vessel while relying heavily on sensor technology. Additionally, the added simplification of controlling the main engines and thrusters from a joystick makes piloting vessels via a DP console a simple and common practice.
There are several classifications of DP systems on the market. Agencies such as the U.S. Coast Guard and the Bureau of Safety and Environmental Enforcement (BSEE) recommend that Outer Continental Shelf (OCS) vessels have at least a DPS-2 system, which means a redundant dynamic positioning control system on the vessel.
Drawing on the recommendations of a 2015 joint safety alert issued by BSEE and the Coast Guard, we have selected DP Equipment Class 2 (DPS-2) as the OSV DP system in our scenario. Such systems can work as a fully automated system, which means a closed-loop system that takes in sensor inputs. We highlight this DPS-2 system because even though it includes redundant components, open interconnectivity leaves all components exposed due to a lack of cybersecurity safeguards.
DP systems control different types of physical elements on the vessel, including the propulsion system (engines), thrusters and the steering (rudders)—depending on how advanced the system is—and potentially an autopilot system. DPS-2 systems require three (3) positioning references that are active to maintain accurate station keeping. Our example DP systems use technologies which are cyber-enabled, posing a risk that ranges from disrupting operations to a potentially catastrophic incident:
System 1: DGPS (global positioning signal)
System 2: Hydroacoustic Position Reference (seafloor system)
System 3: Laser-Based System
The Attack Surface
Our hypothetical hackers already know that OT systems use common information technologies for networking, communications, user interfaces and printing. After some minimal research on the manufacturers' websites and social media trolling, they can become familiar with the virtual holes that exist in the people, processes and technologies used to support operations. These hackers know that OT systems are also becoming simple entry points to gain access and seize control of your vessel, potentially taking the asset and your operation down.
Some owners, operators and equipment manufacturers might believe that the redundancy in a DPS-2 system will act as a failsafe during a cyber incident. This is a common misconception. In the case of a cyber incident on a DPS-2, the system's redundancy does not protect primary or secondary components from exposure. Without a security boundary between redundant components and networks, anything that affects system 1's workstation is going to affect system 2's workstation.
So, how does a DP cyber incident happen? By a computer-related disruption in communications between the operator control stations and the sensors and actuators. A simple virus of the botnet variety can be transmitted from a trusted source onboard, for example someone who plugs in an unscanned USB to update the DP system.
Botnets that are relatively benign as they migrate through IT systems can be particularly disruptive on an OT network. Botnets are designed to infect computerized hosts and broadcast out on open ports to discover additional hosts to infect as they worm through the network. If the USB is infected with this botnet malware, plugging it in causes rapid infection of all connected operating systems. As the botnet spreads, each infected workstation becomes a "zombie workstation," which goes unnoticed while DP is not in use. A keen hacker can program the botnet to broadcast on a timer or schedule so that it goes unnoticed. Unfortunately, our cyber incident occurs when the botnet performs a network broadcast during DP station keeping.
The network broadcast that occurs during DP operation will cause the DP control unit to engage the thrusters, articulate the rudders and/or surge the vessel's engines, resulting in sudden, abrupt vessel movements. This occurs because the networking technologies in the DP control units are not sophisticated enough to distinguish a botnet broadcast from a normal control signal. The consequences could be loss of equipment, life and possible environmental impacts.
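Because the DP control units in this scenario cannot tell a botnet broadcast from a control signal, the distinction has to be made by monitoring on the DP network itself. The sketch below is an added example, not code from ABS Group or any DP vendor: the subnet, baseline entries, thresholds and flow records are all assumed values chosen for illustration. It flags broadcasts from senders that were never baselined, one host fanning out to many peers, and traffic entering from outside the DP subnet.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration: the DP control subnet and the broadcast
# senders/ports a site would record during commissioning.
DP_NET = ipaddress.ip_network("10.10.1.0/24")
BASELINE_BROADCAST = {("10.10.1.10", 5005)}   # (source, port) seen in normal operation
FANOUT_LIMIT = 3                               # distinct peers per source per window
WINDOW_S = 10

def is_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return addr == DP_NET.broadcast_address or str(addr) == "255.255.255.255"

def analyze(flows):
    """flows: iterable of (ts_seconds, src, dst, dst_port). Returns a list of alerts."""
    alerts = []
    peers = defaultdict(set)          # (src, window index) -> distinct unicast peers
    fanout_reported = set()
    for ts, src, dst, port in sorted(flows):
        if ipaddress.ip_address(src) not in DP_NET:
            alerts.append((ts, src, "source outside DP subnet"))
            continue
        if is_broadcast(dst):
            if (src, port) not in BASELINE_BROADCAST:
                alerts.append((ts, src, f"unbaselined broadcast to port {port}"))
            continue
        key = (src, int(ts // WINDOW_S))
        peers[key].add(dst)
        if len(peers[key]) > FANOUT_LIMIT and key not in fanout_reported:
            fanout_reported.add(key)
            alerts.append((ts, src, "fan-out to many hosts (possible worm discovery)"))
    return alerts

# Constructed sample traffic, not a capture from any vessel.
SAMPLE = [
    (0.0, "10.10.1.10", "10.10.1.255", 5005),   # baselined controller broadcast
    (1.0, "10.10.1.21", "10.10.1.10", 5005),    # operator station to controller
    (2.0, "10.10.1.22", "10.10.1.255", 445),    # workstation broadcasting on an odd port
    (3.0, "10.10.1.22", "10.10.1.10", 445),
    (3.1, "10.10.1.22", "10.10.1.11", 445),
    (3.2, "10.10.1.22", "10.10.1.21", 445),
    (3.3, "10.10.1.22", "10.10.1.23", 445),     # fourth distinct peer within the window
    (4.0, "192.168.5.9", "10.10.1.10", 5005),   # traffic from outside the DP subnet
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

In practice the baseline would be recorded while the DP system is idle and again during station keeping, since a scheduled broadcast may only appear in one of the two states.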
Practice Good Cyber Hygiene
This can all happen within seconds. With adequate cyber hygiene and practices in place, this scenario could be mitigated or carefully monitored remotely by a third-party ally as part of a proactive cyber risk management program. Knowing your cyber risk and having a program in place to detect virtual holes is critical to safety offshore and at sea.
Until recent times, DP systems were not connected to the administrative networks or the internet aboard vessels. With more highly evolved and automated DP systems being installed on vessels, it is becoming commonplace for the Original Equipment Manufacturers (OEMs) of these systems to offer remote diagnostics and maintenance. DP systems, like any other control system, are becoming increasingly vulnerable due to the added connectivity. Additionally, due to the complexity of the DP system, most vessel owners must rely on the OEM, system vendors or other independent third-party support personnel for maintenance and repair, whether to prevent failures or to respond to them. Therefore, it is imperative to ensure technologies and procedures are in place to properly protect connections and track maintenance activities performed onboard by OEM, system vendors or other third-party support personnel.
In the DP example, the threat actor would not require a connection to "hack" the system. A virus could have been introduced during a routine maintenance activity. Crew members could have prevented this by reviewing cybersecurity procedures with the support personnel or scanning the USB drives containing DP updates for viruses before plugging them into the DP system.
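A check that complements antivirus scanning of update media is to compare the drive's contents with a file manifest before it goes anywhere near the DP workstation. The following is an added example rather than a procedure from the article or from any OEM: the file names are hypothetical, the "USB drive" is a constructed temporary directory, and the manifest of SHA-256 hashes is assumed to arrive through a separate trusted channel.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_media(root, manifest):
    """Compare every file under root with manifest {relative_path: sha256_hex}.

    The manifest is assumed to reach the vessel over a separate, trusted channel,
    never from the removable media itself.
    """
    root = Path(root)
    found = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in found:
            report["missing"].append(rel)
        elif sha256_file(found[rel]) != expected.lower():
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(found) - set(manifest))
    report["approved"] = not any(report[k] for k in ("missing", "modified", "unexpected"))
    return report

def demo():
    """Build a constructed 'USB drive' in a temp directory and check it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp)
        (usb / "update").mkdir()
        (usb / "update" / "dp_patch.bin").write_bytes(b"constructed vendor payload")
        (usb / "readme.txt").write_bytes(b"release notes")
        manifest = {
            "update/dp_patch.bin": hashlib.sha256(b"constructed vendor payload").hexdigest(),
            "readme.txt": hashlib.sha256(b"release notes").hexdigest(),
        }
        clean = verify_media(usb, manifest)
        # Simulate media that picked up an extra file and a changed payload.
        (usb / "autorun.inf").write_bytes(b"[autorun]")
        (usb / "update" / "dp_patch.bin").write_bytes(b"tampered")
        dirty = verify_media(usb, manifest)
    return clean, dirty

if __name__ == "__main__":
    print(demo())
```

Files the manifest does not list are treated as a failure in their own right, because malware carried on a drive is usually an extra file rather than a change to the vendor's payload.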
Best Practices to Know
Companies may apply both procedural and technical best practices as outlined below.
- Develop policies and procedures regarding the use of removable media
- Develop procedures for protecting against the risks from service providers' removable media before it is connected to the vessel's systems
- Prohibit the application of software updates by service providers using uncontrolled or infected removable media
- Deliver cybersecurity onboarding training to OEM, system vendors or other third-party support personnel
- Perimeter defenses such as firewalls are important for preventing unwelcome entry into systems:
  - A perimeter firewall between the DP, onboard network and the internet
  - Data diodes or the use of one-way (unidirectional) gateways between the DP network and external networks
- Where remote maintenance and diagnostics connections exist:
  - Route all external connectivity through a dedicated network or redundant network segments where internal company-controlled security tools are in use to monitor traffic
- Implement network traffic monitoring and packet scanning