It is unanimously agreed that the ‘human element’ is the most pressing concern from a maritime cyber security perspective. What has been altogether more divisive is how to approach this problem constructively. A meeting of prominent representatives from the maritime cyber security community, at the Safety At Sea 2019 maritime cyber security round table, yielded vociferous responses to this question, among various others.
“Relevant training coming down from the management to the staff and crew on board is key,” said Shane Rossbacher, Intelsat’s maritime director. “People need to recognise that a cyber security breach has occurred, and there is a responsibility to come forward and ensure that these issues are known.”
When networks on board vessels are designed to be separate – with ‘air gaps’, in industry terminology – that is in itself regarded by some ship designers as cyber proof. But, ABS Advanced Solutions’ Senior Technical Adviser Cris DeWitt pointed out in his presentation, this is hardly adequate. An innocuous hardware change, such as the connection of a wireless printer to two different networks to produce logs, could expose entire operational technology (OT) networks to an information technology interface. “In this case, there are two access points, one of which, the wired – is known and the wireless – unknown. There are automated exploit tools that are designed to take advantage of that exact thing.”
While attendees were adamant that training must be provided to warn ship crews against these changes, admissions abound that this alone would not be enough. “We need to understand that engineers are inventive people and are going to try and find workarounds to issues they face,” said a prominent cyber-risk insurer. “Rather than saying ‘these are the systems; do this, don’t do this’, we should look at hardening systems: saying, ‘our people are going to do this’.”
In fact, one speaker’s unique take on the position of the crew was that they should be regarded as the vessel’s own “white-hat hackers” – revealing issues that would not otherwise have been considered. This, they said, would, at least in a holistic sense, be an influence for good. “In this industry we are trained in redundancy; we build all of our other systems with redundancy, and cyber security is no different. Think: have I built my company structure, my processes, with redundancy?”
A collective onus was shared by players in the shipping industry, to come forward when affected by cyber crime; the suggestion of a universal, anonymised reporting architecture received unanimous agreement. All have a role to play in protecting their fellows, suggested Rossbacher. “One of the lessons we took from the discussion today is that we are all part of the maritime supply chain, and have a key role to play, and a responsibility to ensure the security of our partners, and of our end users.”
Perhaps the most important step of all is to have a comprehensive plan for dealing with the result of an attack – “when”, not “if” it happens, as Lewis Woodcock, head of cyber security compliance at Maersk Line and a veteran of the 2017 NotPetya ransomware attack, knows firsthand. “Treat cyber security as being akin to safety, because for crew, it is,” he said. “Start with the worst-case scenario for a cyber attack. Ensure there are no silos: different teams will be involved, commercial, legal, HR teams.
“Have a plan for keeping communications aligned without access to email or intranet – think about what other channels would have to be used.”
Kevin Jones is an executive dean of Science and Engineering at the University of Plymouth, where the Maritime Cybersecurity Research Group uses its laboratories to test various original equipment manufacturer (OEM)-donated equipment for its cyber resilience. Unlike many industries, asset-heavy maritime presents a unique risk, he said. “This means you have to be concerned not only with information risk, confidentiality – you also have to worry about what happens in the OT world; horror scenarios, ships doing the wrong thing. Studies show that if the UK lost three critical ports, the survival of the nation’s infrastructure is measured in days.
“At the roundtable, what was a really interesting was getting a mix of operational viewpoints between general industry representatives and cyber security specialists. It’s very useful for us, to find out what the state of the world is; we always want to ensure that what we’re doing is of relevance, and that we don’t lose sight of real-world concerns.”
The Safety at Sea team is heartened to see that the maritime industry is moving away from the assumption that equipment is cyber-proof, and crew alone bear the blame when vessels fall prey to hackers. “It is an old problem, and one that touches every corner of the maritime industry, to see crew being scapegoated when things go wrong,” said Safety at Sea editor Tanya Blake. “Historically, the cyber security field has been no exception.
“What’s really encouraging is an emerging will to work with crews, to encourage them, rather than penalise them, for coming forward with their concerns. They are, after all, the front line in this fight, as we have seen highlighted by the US Coast Guard recently, among others – most at risk in the event of an attack.”
“The banking sector began this trial and error period decades ago, and today has the strongest leverage in cyber security,” said one expert prediction. “Brace yourself, because for maritime, the next decade will be trial and error. You will suffer – but you will get stronger.”