
Reading the posts I feel like a lot of HN doesn't fully understand what we're defending against? These ships are BIG.

First, "manually control" engines and rudder isn't a thing. You're talking about a rudder that could be four stories tall. Manual input is physically impossible and you wouldn't want it anyway. Screw around with the rudder too much or too quickly and the underway mass of a 500,000 short-ton tanker will rip it out of the ship.

A tanker engine starts at 2.5 stories tall (8-10m). Before ECM and modern SCADA automation these things could take an entire day to start. Everything from fueling to speed and fire suppression is intimately linked through a network on the ship. You can restrict these networks from the rest of the ship but it's generally not advised. Ship engines communicate with breaker panels, engine controls on the bridge, and telemetry from shipping companies for preventative maintenance.

The solution to this is to have a SOC or rapid response team combined with redundant systems. Assume a serious compromise is a failure condition and start the EPO/Mayday.

All it takes is a hacker to add a couple extra zeroes to the idle speed of the engines and you're now a runaway ship, or worse, a runaway engine fire.




https://www.youtube.com/watch?v=c4WJsp16CpY

I was in the US Navy decades ago, long before these digital systems. That said, there are many ways to control rudders, and for that matter engines, that don't rely on someone hooking up a block and tackle (although that actually was the method of last resort for destroyers, of course much smaller than these cargo ships). Taking "manual control" simply meant not running the steering directly from the bridge, e.g. instead running it from the hydraulic controls in after steering (a compartment directly above the rudders).


Exactly, ultimately there is always a point where the digital control meets up with the mechanical control that does the actual work. If the digital fails then you assess the mechanical control directly.


> First, "manually control" engines and rudder isn't a thing. You're talking about a rudder that could be four stories tall.

Except it is actually a thing. Large ships have a separate emergency steering hydraulic circuit driven by its own generator, and operated by hand, commands given from the bridge by radio or telephone.


Technically true, but there is a common single point of failure many cadets and ship's engineers fail to address in maritime shipping:

https://www.imo.org/en/About/Conventions/Pages/International...

Namely that every tanker, chemical tanker or gas carrier of 10,000 gross tonnage and upwards or every other ship of 70,000 gross tonnage and upwards, the main steering gear shall comprise two or more identical power units. There's no requirement for separate circuits in these large applications. "Power units" meaning we just duplicate the engine/partial drivetrain and slave it to the SCADA system as a standby unit. These standbys can be started by using residual air in the compressor system (if available) or by diverting charge air from the compressor system to the standby.

Remember: we've been hacked, so compressor valves are likely to be locked shut (or worse, destroyed) until someone can get down to the engine room and force-open the valve manually.

Ships will often "flip" between engines for service intervals, so it can be useful for the SOC team while triaging the problem, but the failover likely wouldn't provide much help.

To answer the question "couldn't we steer using air?": yes, you could, but it would be glacially slow. You might only have enough power air to move 5-10 degrees.


Do you have inside industry knowledge here?

I’m in an adjacent industry, with less risk of death or commercial loss, and the compressor backups only output to SCADA. The pressure regulation is all relay based and the on switch is a manual secondary contactor.


I absolutely admit I don't know all the fine points (I'm a diesel engine mechanic by trade) but I've worked on large diesels for tankers. They're a mechanical Goliath, and they cost nearly as much as the tanker. The shipyard that contracted us frequently ganged engines together to a single controls system from Siemens/Fischer or part of a larger command system with a small "service mode" override you could patch a laptop into for diagnostics. Newer ships just send that diag data straight to us over satellite or wifi (sending techs is costly).

Also another problem I noticed is the engines are often on the ship's controls (network maybe?) as the manufacturer name. Something like MANN1 and MANN2 or MITSU1 is a dead giveaway: that's propulsion.


You probably still have a better perspective than me; at least having worked on these specifically.

I suspect that at least some ships/designs are done ‘right’.

(1) the engine controllers are internal safety limits and have very controlled input ranges. Cummins engines as an example.

(2) the network has a ‘Battlestar’ mode where you can just cut the wire. People would still need to connect laptops or jumpers locally to control devices in anything beyond a ‘max’ vs ‘idle’ vs ‘off’ mode… but 100%, ready, and off should be enough in an emergency.


> First, "manually control" engines and rudder isn't a thing.

I think you're taking "manually control" a little literally here. Based on the other comments I saw that used this phrase (or roughly similar phrases), it didn't sound like they expected a crew to strap a rope to the rudder and start pulling.

It sounded more like a way to physically disconnect everything "smart" in the event that it became compromised, and have a way to interact manually with the rudder (now air-gapped) via dumb electronics (probably integrated circuits and an analog PID system) would meet their criteria.

That may or may not be possible for various reasons on modern ships, but what's being implied in this comment doesn't seem to be being suggested.


"Well then, put the ships' ballasts under manual control"

"There's no such thing, Duke"

— Hackers, 1995



