According to the or ENISA, “Maritime cyber security awareness is currently low, to non-existent.”
Imagine, if you will, a huge behemoth of a ship – a tanker or a cargo ship – controlled by hackers. Imagine a LPG or LNG ship being used as a remotely controlled bomb. Instead of buying a ship for the relatively cheap price of $15 million, one could simply take control of the ship remotely and guide it into a target from thousand of miles away. Imagine the boom that 135 million cubic yards of natural gas could make if an LNG ship were run aground beneath the George Washington Bridge, on the West side of Manhattan. Not only would the main thoroughfare up and down the East Coast potentially be obliterated, the blast could conceivably emulate a nuclear blast in its bursting radius. A major part of Manhattan would disappear, as would a critical portion of New Jersey. Oh, I forgot to mention, people, LOTS of people, might die. This would probably be considered an act of war, more people could conceivably be killed than on 9/11/2001.
This is especially disturbing, as the International Maritime Organization (IMO) has mandated the transition from the primary use of paper charts to the Electronic Chart Display and Information System (ECDIS) beginning in 2012. On the surface this is a fine and noble cause, updates received from weather satellites and reports of pirates enable a ship to avoid hazardous areas, this could be deemed rerouting for safety and security.
This is where the disconnect first appears. The ENISA is calling for a merger between their standards and the IMO. This is fine, until one reviews the IMO documents for remote operations – THERE IS NO MENTION of CYBER-SECURITY. Not one. IMO mentions ‘cyber’ as a developing problem in a total of two documents in the forms of warnings, but other than the training of the Ship, Company and Facility Security Officer, there is no mention of a security functionality and there is absolutely no mention of cybersecurity anywhere.
ENISA has first exposed a problem in their report, IMO still has to address this problem.