Maritime vessels and ships are gradually using more systems that rely on digitalization, integration, and automation – all of which call for structured Maritime cyber risk management protocols. As all forms of digital technology continue to advance, the union between information technology (IT) and operational technology (OT) on board vessels and their connection to the world wide web produces a greater attack surface that must to be addressed.
Introduction to Maritime Cyber Security
Maritime cyber security is a trending topic for all of the Maritimes and offshore industry due to rapid digital transformation, new threats and the regulations that come along with it. The optimization of operations is a serious focus, and those who use new technologies and digital solutions will always have an advantage. Thus, Maritime cyber security is a growing critical risk area, as ship operations are largely dependent on the effectiveness of its systems’ software applications.
Maritime Cyber Security: Operational Technology vs Informational Technology
Maritime cyber systems for vessels and ships are classified as either Information Technology (IT) and Operational Technology (OT). Maritimes IT includes systems and networks found in offices, oil rigs, and even ports. Compared to Maritimes OT, Maritimes IT is more developed when it comes to Maritime cyber security. It has established procedures, technology and training – all being applied using an information security system. A Maritime cyber breach of IT systems, therefore, has the potential to cause major reputational and financial trouble. On the bright side, it usually does not impact the safety of your ships, crew and cargo.
Maritimes OT, on the other hand, is used for a variety of reasons such as, controlling engines, cargo management, navigation systems, administrative function, etc. Maritimes OT is much less developed in terms of Maritime cyber security, and the attack of any onboard OT systems can be dangerous for the ship and the crew. Until recently, these two systems were mostly separated from one another and from any on-land systems and networks. Today, with the advancement of digital technology there has been much more communication between IT and OT systems.
Some examples of Operational Technologies Include:
- Vessel Integrated Navigation System (VINS)
- Global Positioning System (GPS)
- Satellite Communications
- Automatic Identification System (AIS)
- Radar systems and electronic charts
As you can imagine, Operational Technologies offers major improvements in efficiency for the maritime industry, however, they also present serious cyber risks for vital systems and processes that are required for the operation of systems used in shipping. From a Maritime cyber security standpoint, these risks can stem from vulnerabilities such as, weakened operations, integration, and maintenance – as well as from direct Maritime cyber-attack. Disturbing of the function of an OT systems may also present significant risk to the safety of onboard staff and cargo, inflict damage to the environment, and hinder the ship’s operation.
Canada’s Response: Maritime Cyber Security Centre of Excellence
Recognizing the significance of cyber-attack, Montreal’s Polytechnique University developed Canada’s Maritime Cyber Security Centre of Excellence – a five-year project that will focus on Maritime cybersecurity, reports Global News.
As presented above, critical systems that are used for navigation and engine control, are slowly connecting to the internet to allow remote diagnosis and to avoid always having to deploy a mechanic to a ship which could be both very costly and time consuming – however, this is nowhere near as costly as a breach.
For example, our readers may remember that in June 2017, several companies – including the Danish shipping company Maersk – were attacked by the NotPetya ransomware virus. Maersk took almost two full weeks to recover – costing the organization at least 300 million USD.
The project aims to have identified all major vulnerabilities within 1 years’ time, however, the process is likely to be ongoing as new Maritime cyber threats surface all the time.
The Dangers of Autonomy
On top of the integration of IT and OT, the notion of Maritime Autonomous Systems (MAS) is also on the agenda. Many of the new production vessels will be entirely remotely controlled from the shore. Autonomy itself presents many benefits as well as concerns.
A Maritime cyber-breach might have damaging consequences for the crew, the passengers, and the cargo on board. As well, we must consider that many freighters carry toxic substances – a cyber incident could lead to massive environmental consequences or a hijacking incident with theft of valuable cargo.
Summary & Conclusion
Maritime organizations must not delay and move in the direction of protecting their IT and OT systems, providing a reliable operations environment, from both a performance perspective and a Maritime cybersecurity perspective. Proactive and reactive measures must be engaged with penetration testing and in-depth security awareness being the most important solutions. All in all, the context maintaining effective Maritime cybersecurity is not simply an IT concern, but an operations technology concern as well. If you would like to learn more about Maritime cybersecurity, penetration testing or awareness training, we invite you to contact us for more information today!