In this interview with Help Net Security, Peter Broadhurst, Maritime Senior VP Safety, Security, Yachting and Passenger, Inmarsat, talks about the impact of cyber threats on passenger vessels and superyachts, and provides an inside look at maritime cybersecurity today.
When thinking about cyberattacks, vessels may seem like an unusual target.
It is true that an individual vessel is not necessarily a significant target for cyberattacks. However, physical security, and specifically piracy, has been a problem for the maritime industry for a long time and so exploitation of a vessel may well become an issue.
Physical security relies on the ransom of the cargo against the crew onboard. Without the human element, cyber events do not have the same impact. Different vessels have specific vulnerabilities that have driven regulators to act and introduce a new cyber security regime for the industry, requiring commercial shipping, cruise vessels and ferries, and charter and private superyacht sectors to adopt a stricter approach to cyber security.
The threats for vessels will continue to adapt and evolve, with reports of a fourfold increase in cyberattacks on maritime targets that coincided with the industry’s move to home-based working through the COVID-19 pandemic. Targeted, and untargeted, attacks on vessels are increasing, so it is important for professionals to implement a viable solution supporting IMO 2021 compliance.
But with digital transformation happening in all levels of an organization, they are increasingly connected and some carry valuable loads. What’s particularly at risk? What are attackers most interested in?
There are a number of risks involved. The most exploitable is the vessel as a back door, or entry in, to the corporate organisation, which is the real focus of attention. An individual vessel has some data that is of interest, such as manifest lists, crew information, and so on, which can be used in traditional hacks and exploits. However, being connected to the corporate infrastructure allows access to the larger prize where reputation, major disruption and financial gain are the highest. It is true that cargo has been exploited for contraband, and cyber and insider cooperation has supported these illegal activities.
For superyachts, which often have High Net Worth Individuals onboard, high complexity of systems and good internet connectivity, the risk of cyberattacks and costly incidents is significant. They can focus on ransom and theft from passengers, industrial espionage, and privacy breaches. If one compromised device is brought onboard, that device could connect to the main network and infect other devices, PCs, servers and engine monitoring systems.
The maritime industry continues to adopt new technologies and automation. With all that’s being introduced, along with a plethora of legacy technology that can’t be changed, how can IT leaders tackle these complex architectures and accurately evaluate cyber risk?
The maritime industry is a very broad phrase. It covers seafarers, vessels, ports, insurance, shipping companies, yacht owners and managers, brokers, charterers, and more, and is a very large industry. Across all these, new technologies are being adopted, including automation.
Like all other industries, security is now recognised as part of an IT implementation rather than an add-on, so the maturity is increasing. This includes specific protection on the vessel where risk is an everyday occurrence. Building and taking a ship to sea is a risk, but, because of the history and the lessons learnt, this is managed by shipping companies and crew extremely well.
Cyber has to have the same approach. The IMO initiative to push shipping towards recognising the risk and taking some pragmatic steps to assessing the risk is the right way forward for the industry. This is also acknowledged by most countries that have guidelines for port operations and vessels under their flag, as shipping is seen as a critical component of their infrastructure.
What are the unique challenges involved with protecting the critical operations of a modern vessel? What cyber threats should security leaders be aware of?
A vessel is the most remote office/operation you can imagine. Connectivity is critical for safe and efficient operation, as well as for the welfare of the crew. It is unique in its environment and there are standards to ensure equipment conforms to the environment and there are standards around the implementation of services. It is a well-represented industry, supported by a lot of best practices, of which cyber is now a part.
Although the maritime industry is one that is moving towards a more mature cyber position, it is based on a legacy of vessels that have been in service for a number of years and have been added to over those years, such that no two ships are alike. Therefore, an evaluation of current status and an understanding of the way forward, along with tighter controls around security, are probably the simplest and most prudent steps to take.
What advice would you give to a newly appointed CISO of a sea shipping company that wants to establish a maritime cybersecurity action plan?
It is easy to say, but my advice would be to ‘just get on with it’. Action plans are not new to shipping – vessels have plans for safety, fire, flooding, and so on. An effective cybersecurity plan, which includes multi-layered network protection, an understanding of onboard assets, and a training programme, can be adopted pragmatically and without costing a lot of money. Seafarers understand risk if it is explained, documented and trained.
Cyber is no different and once the risk is understood and explained, and controls are put in place, the risk can be mitigated. Training and awareness are essential components, but, again, seafarers are used to this. Therefore, there is nothing to be feared about implementing cybersecurity action plans, while also taking advice on the environment and conditions under which the vessel operates.