The Nature of the Shipping Industry Presents Unique Challenges for Hardening Cybersecurity
By the end of the decade, it is expected that the world’s first autonomous container ship will have embarked on its maiden voyage, moving goods around the coastline of Norway. Together with other initiatives currently underway, such as the development of remote controlled vessels, this will mark a new era of connected shipping technology and demonstrate that the $210 billion industry is ready to embrace the future.
These advances are to be celebrated, but simultaneously they bring with them a high element of risk, as more on-board elements become exposed to the kinds of cybersecurity concerns that we’re more familiar with on land.
Much has been written about the dangers of Operational Technology (OT) in industrial environments, and we’re used to the traditional challenges of doing business at sea, from piracy to bottlenecks at container ports. What we’re not used to is recognizing that a container ship is an OT environment just like any other, and at risk of targeted and generic cyberattacks.
The threats are very real: researchers have demonstrated proof of concept attacks against many of the most common maritime systems, and there’s evidence of problems in the wild in which navigational computers were infected with malware on a USB stick being used for upgrades. Even worse, there have also been public reports that critical communications systems have been left effectively unprotected, thanks to defenceless interfaces and failures to change default credentials.
The nature of the shipping industry does present highly unique challenges for hardening cybersecurity, but they are not insurmountable. For firms that get it right, cybersecurity will be a powerful enabler in the world of more automated and unmanned shipping.
The challenges of integrating new technologies in shipping
One of the most difficult challenges with maritime cybersecurity is that every ship is different. There’s little standardisation, especially when it comes to on-board control systems, and a high mix of legacy systems – many of which were never designed with security in mind – and additional networked technologies which have been added over time.
When integrating new on-board systems, not enough attention has been paid to the principles of “secure by design”. As a result, many vessels have a ‘flat’ network structure, in which new internet connected systems for navigation and communications have been placed on the same networks as older control hardware. This introduces multiple vulnerabilities into systems which do not have adequate built-in protections.
In addition, the operating environment is also much more challenging than typical industrial setups. Most ships rely on Very Small Aperture Terminal (VSAT) satellite communications for connectivity, which is low bandwidth and high latency. It can carry some communications, such as email and navigational data, but isn’t reliable enough for the most effective security measures recommended to shore bound industries: regular patching and updates.
Manual patching can still take place, but the current nature of the industry means that ships spend as little time in port as possible. When they are docked, and bandwidth is available, security updates come a long way down the list of priorities, behind upgrades to navigational software and downloading new digital entertainment for the crew.
There is also a lack of skills among on-board crew. All too often the person responsible for IT combines the role with another position, leaving little opportunity to monitor for, and respond effectively to, a cybersecurity incident. Remote monitoring for issues that could indicate a security breach is an option, but difficult thanks to the lack of reliable bandwidth while at sea.
Propelling maritime security into the future
While a change in the approach to cybersecurity is needed, it will have to come from the maritime industry itself. Regulations and government interventions of the kind we’ve seen relating to critical infrastructure on land will be harder to enforce at sea, especially given the preference for low-regulation flags of convenience many merchant shipping lines show.
Indeed, it’s likely to be insurance companies rather than governments that provide the motivation for shipping companies to invest seriously in better protection. Specialist insurers are developing policies based on their exposure to cyberattack and are likely to act as a prime driver for better practice. There will be a tightening of due diligence before policies are issued and claims processed.
The industry does recognise the issue. Last year, the International Maritime Organization (IMO) published excellent guidelines on cybersecurity to enable safe and secure shipping. These guidelines are sound and advocate a risk management approach to cybersecurity.
A risk management approach starts with identifying which systems, data and interfaces are unprotected and pose the greatest risk if compromised, and how to protect them and mitigate the consequences of a successful attack. In a maritime context, this means securing devices and networks by closing unused data ports and ensuring full network segregation between OT and IT systems. Importantly, crew systems – such as terminals for entertainment or personal email – should be kept independent of everything else. One of the primary threats remains inadvertent infection via a flash drive or mail attachment.
To this end, better training of staff is an imperative. As the IMO guidelines state: “Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.”
There’s also a lack of basic security provision, such as the use of VPNs for communication and data transfer, and strong user authentication for on-board systems, which can be picked up in a full security audit and addressed. And that’s the
important point here, these are all addressable issues.
Even so, cybersecurity costs money in an industry which typically runs on tight margins, and a lack of resources is a key factor in the challenges faced today. This is made more difficult by the fact that every ship is a unique configuration of legacy systems and incremental upgrades, making fleet-wide deployments of security solutions tough. Effective cybersecurity must also be business efficient cybersecurity.
That is why one of the best ways to improve resilience to cyberattacks and harden maritime networks is to work with partners who are developing the expertise needed through experience. Partners whose knowledge is relevant to both existing systems and the supply chain for new deployments.
The maritime industry can reap the benefits of improved automation and data services, but it can’t do it securely by itself.