Security is the Achilles’ heel of connected technology. In the maritime space, cyber risks conflate with vessel safety making a multifaceted response essential, says Inmarsat Maritime security head Peter Broadhurst
Today an estimated 30,000 vessels globally have some sort of access to always-on Internet via satellite. At the same time, a mix of increasingly sophisticated equipment – from electronic navigation systems to computer-controlled engines – is finding its way on board modern tonnage. This means ships can no longer be considered protected by an air-gap from cyber threats.
As on land, the risks are multifaceted. Organised crime groups, ‘hacktivists’, former or current members of staff, and even nation states, might all be considered malicious actors with a motive to disrupt operations at sea. Systems can also be compromised in benign ways, perhaps due to carelessness or lack of knowledge among a vessel’s crew.
Even if the networks on board are segregated between, say, systems for ship operation, crew welfare and remote access to suppliers, these divisions can over time be eroded through ad hoc interventions by the crew or suppliers, even when ostensibly acting with good intentions, such as to expedite an urgent maintenance task. The separations can also be compromised by manual transfer of data – a practice that appears particularly widespread at sea.
Matters are further complicated by the fact that shipping lines operate a mix of vessels which they either own or charter for a short period. Additionally, vessels and other key systems often carry an analogue heritage, being built for analogue control, with digital solutions grafted on later often with only minimal consideration given to security issues.
“Several welcome initiatives aimed at raising cyber-crime awareness in the maritime space and offering guidance on its prevention are underway, but there are concerns that the fragmented nature of these activities diminishes their overall impact,” says Peter Broadhurst, Vice President Safety and Security, Inmarsat Maritime.
Industrial standards for maritime back-end systems are few and far between, resulting in an IT landscape littered with custom-built solutions, which have undergone limited systematic testing of cyber security issues. At the other end of the spectrum, some shipping companies, notably container lines, have reached a stage of electronic commerce where business operations cannot be handled manually for any extended period, making them especially vulnerable to an extended deliberate or accidental system outage.
The intrinsically global nature of the supply chain, business relationships and the diversity and complexity of operational activities offer another weak-spot, which a determined intruder might be tempted exploit.
With so many variables involved, the potential consequences are hard to calculate. They might amount to a simple inconvenience or extend to a missed port arrival and significant commercial penalty. The worst-case scenario would an attack that jeopardises the safety of the vessel and its crew. “Cyber-security and safety are now so entwined that there is a growing realisation that they must be viewed through the same lens,” says Broadhurst.
As the industry turns to greater automation and digital solutions such as the Internet of Things, Big Data etc., in pursuit of cost efficiencies and becomes more tightly integrated within the connected economy, these risks are likely to intensify. “Until recently, it was relatively straightforward to distinguish between information technology and operational technology systems. The former processed data to generate information, while the latter used data to control or monitor physical processes. However, the Internet of Things is beginning to blur the boundaries between the physical world and cyber world,” explains Broadhurst.
Of course, the industry and its regulators are not blind to the cyber threat. In early 2016, BIMCO issued a set of guidelines comprising high-level recommendations on cyber-risk management accompanied by a selection of more practical self-help measures that concerned vessel owners can take immediately.
Prepared with input from a range of organisations, shipping lines, a handful of relevant manufacturers and Inmarsat, these guidelines were well-received, to the extent they were tacitly endorsed by the IMO, which used it as the basis for its own best-practice.
Recognising that no two organisations in the shipping industry are the same, and that prescriptive regulations are unlikely to keep up with rate of technological change, these guidelines take a risk management approach rather than impose hard and fast rules. “The risk-based approach offers greater resilience as policies and actions can be adapted in response to evolving threats. It also dovetails with existing safety and security management practices,” says Broadhurst.
The five principles at the heart of the Guidelines are: 1) to identify cyber-risks; 2) to take steps to protect against these cyber-risks turning into cyber-events; 3) to detect cyber-events in a timely manner; 4) to have plans to respond and get necessary systems up and running again; and 5) to have measures to recover and restore all systems impacted by a cyber-event. These tasks will be developed concurrently and continuously, rather than sequentially. They will also require engagement from senior management, so that a culture of cyber risk awareness can be embedded into all levels of any organisation.
As a major provider of satellite connectivity services to the maritime industry, Inmarsat has a keen interest in minimising its customers’ exposure to cyber-risk. This has grown more pressing following the market launch of its new high-throughput Fleet Xpress service, powered by the I-5 constellation of Ka-band satellites, which enables much more data to flow between ship and shore.
To that end, the company is devising specialised software solutions and stepping up its involvement in industry-wide initiatives to help vessel owners minimise the exposure to cyber-risk. It will soon introduce a unified threat management (UTM) service customised for maritime end-users. Designed to function as an integrated part of Fleet Xpress, it will provide ship owners and operators a pathway for putting the BIMCO guidelines into practice.
Based on the Trustwave platform (now owned by Singaporean telco Singtel), the UTM component is continually updated with incoming intelligence on new cyber-risks. This will be utilised when inspecting data going to and from a vessel. As well as seeking out potential intrusions via the satellite connection, it will also look for incursions stemming elsewhere on the vessel LAN, perhaps the result of an infected USB sticks or devices belonging to crew or visiting contractors.
Inmarsat is also supporting the activities of a joint working group set up by the International Association of Classification Societies (IACS) to formulate a set of recommendations focused on the cyber-security.