Cyber risk management - Maritime wakes up to security risk
Security is the Achilles' heel of connected technology. In the maritime space, cyber risks conflate with vessel safety making a multifaceted response essential, says Inmarsat Maritime security head Peter Broadhurst.
21 June 2017
Today an estimated 30,000 vessels globally have some sort of access to always-on Internet via satellite. At the same time, a mix of increasingly sophisticated equipment – from electronic navigation systems to computer-controlled engines – is finding its way on board modern tonnage. This means ships can no longer be considered protected by an air-gap from cyber threats.
As on land, the risks are multifaceted. Organised crime groups, ‘hacktivists’, former or current members of staff, and even nation states, might all be considered malicious actors with a motive to disrupt operations at sea. Systems can also be compromised in benign ways, perhaps due to carelessness or lack of knowledge among a vessel’s crew.
Even if the networks on board are segregated between, say, systems for ship operation, crew welfare and remote access to suppliers, these divisions can over time be eroded through ad hoc interventions by the crew or suppliers, even when ostensibly acting with good intentions, such as to expedite an urgent maintenance task. The separations can also be compromised by manual transfer of data – a practice that appears particularly widespread at sea.
Matters are further complicated by the fact that shipping lines operate a mix of vessels which they either own or charter for a short period. Additionally, vessels and other key systems often carry an analogue heritage, being built for analogue control, with digital solutions grafted on later often with only minimal consideration given to security issues.
“Several welcome initiatives aimed at raising cyber-crime awareness in the maritime space and offering guidance on its prevention are underway, but there are concerns that the fragmented nature of these activities diminishes their overall impact,” says Peter Broadhurst, Vice President Safety and Security, Inmarsat Maritime.
Industrial standards for maritime back-end systems are few and far between, resulting in an IT landscape littered with custom-built solutions, which have undergone limited systematic testing of cyber security issues. At the other end of the spectrum, some shipping companies, notably container lines, have reached a stage of electronic commerce where business operations cannot be handled manually for any extended period, making them especially vulnerable to an extended deliberate or accidental system outage.
The intrinsically global nature of the supply chain, business relationships and the diversity and complexity of operational activities offer another weak-spot, which a determined intruder might be tempted exploit.
With so many variables involved, the potential consequences are hard to calculate. They might amount to a simple inconvenience or extend to a missed port arrival and significant commercial penalty. The worst-case scenario would an attack that jeopardises the safety of the vessel and its crew. “Cyber-security and safety are now so entwined that there is a growing realisation that they must be viewed through the same lens,” says Broadhurst.
As the industry turns to greater automation and digital solutions such as the Internet of Things, Big Data etc., in pursuit of cost efficiencies and becomes more tightly integrated within the connected economy, these risks are likely to intensify. “Until recently, it was relatively straightforward to distinguish between information technology and operational technology systems. The former processed data to generate information, while the latter used data to control or monitor physical processes. However, the Internet of Things is beginning to blur the boundaries between the physical world and cyber world,” explains Broadhurst.
Of course, the industry and its regulators are not blind to the cyber threat. In early 2016, BIMCO issued a set of guidelines comprising high-level recommendations on cyber-risk management accompanied by a selection of more practical self-help measures that concerned vessel owners can take immediately.
Prepared with input from a range of organisations, shipping lines, a handful of relevant manufacturers and Inmarsat, these guidelines were well-received, to the extent they were tacitly endorsed by the IMO, which used it as the basis for its own best-practice.
Recognising that no two organisations in the shipping industry are the same, and that prescriptive regulations are unlikely to keep up with rate of technological change, these guidelines take a risk management approach rather than impose hard and fast rules. “The risk-based approach offers greater resilience as policies and actions can be adapted in response to evolving threats. It also dovetails with existing safety and security management practices,” says Broadhurst.
The five principles at the heart of the Guidelines are: 1) to identify cyber-risks; 2) to take steps to protect against these cyber-risks turning into cyber-events; 3) to detect cyber-events in a timely manner; 4) to have plans to respond and get necessary systems up and running again; and 5) to have measures to recover and restore all systems impacted by a cyber-event. These tasks will be developed concurrently and continuously, rather than sequentially. They will also require engagement from senior management, so that a culture of cyber risk awareness can be embedded into all levels of any organisation.
As a major provider of satellite connectivity services to the maritime industry, Inmarsat has a keen interest in minimising its customers’ exposure to cyber-risk. This has grown more pressing following the market launch of its new high-throughput Fleet Xpress service, powered by the I-5 constellation of Ka-band satellites, which enables much more data to flow between ship and shore.
To that end, the company is devising specialised software solutions and stepping up its involvement in industry-wide initiatives to help vessel owners minimise the exposure to cyber-risk. It will soon introduce a unified threat management (UTM) service customised for maritime end-users. Designed to function as an integrated part of Fleet Xpress, it will provide ship owners and operators a pathway for putting the BIMCO guidelines into practice.
Based on the Trustwave platform (now owned by Singaporean telco Singtel), the UTM component is continually updated with incoming intelligence on new cyber-risks. This will be utilised when inspecting data going to and from a vessel. As well as seeking out potential intrusions via the satellite connection, it will also look for incursions stemming elsewhere on the vessel LAN, perhaps the result of an infected USB sticks or devices belonging to crew or visiting contractors.
Inmarsat is also supporting the activities of a joint working group set up by the International Association of Classification Societies (IACS) to formulate a set of recommendations focused on the cyber-security.
“The IACS working group aims to unite industry stakeholders and bring about standardised practices. Naval architects often say that safety must be considered from a vessel’s conceptual design stage,” comments Broadhurst. “We believe that the axiom is just as valid for cyber-security as it is for structural integrity.”
The final dimension is to instil better awareness of cyber-risks in the people who work on ships and on shore. The majority have not been formally educated on the risks, which is particularly worrying as a lot of security breaches are caused by human fallibility. “Crew don’t want to cause damage and make their own jobs more difficult, so offering training is a straightforward and effective way of lowering the risk of malware or virus infections, whether through phishing emails or tainted USB drives,” continues Broadhurst.
In surveys, almost half of crew state they have sailed on a vessel that had been compromised by a cyber incident in some way. If other industries offer a yardstick, the prevalence is likely to be under-reported for fear of embarrassment. The problem is not going away – in fact the opposite is true. Furthermore, a multifaceted challenge calls for a multifaceted response involving collective action by industry, technological solutions, and better education. It is perhaps emblematic of the fast-changing times in which we live that having protected seafarers’ safety for nearly 40 years, Inmarsat now wants to help protect their data and systems too.
Vulnerable systems on a modern ship:
• Bridge systems
• Cargo handling and management systems
• Propulsion and machinery management and power control systems
• Access control systems
• Passenger servicing and management systems
• Passenger facing public networks
• Administrative and crew welfare systems
• Communication systems
• Operating system updates (patches)
Core principles of cyber-risk management
• Identify: Define personnel roles and responsibilities for cyber-risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
• Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
• Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
• Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
• Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
For further details, please contact:
JLA Media Ltd
Wimbledon Village Business Centre, Thornton House, Thornton Road,
London SW19 4NG
Tel: +44 7949 708679