In the following article, Frank Coles, CEO at Transas, highlights that the maritime industry's approach to cyber-risk must cover all shipboard systems.
The time has come to introduce robust certification and approval processes for all electronic equipment on board ships. This is the only realistic way of tackling cyber-risk within the shipping industry.
There has always been a certain degree of risk associated with entrusting computers to perform tasks previously carried out manually. This is not a new phenomenon. It has been with us since the 1960s and 1970s, when electronic systems escaped the laboratory and found their way into real-life applications.
The reason the subject comes under intense scrutiny today is that these systems are becoming ever more complex and are increasingly interconnected. The complexity makes it harder to detect errors that could lead to irrevocable failure. Greater connectivity allows failures to propagate or cascade through a system and also gives hackers, whatever their motivation, much greater scope to find a weak point of entry into a system. Such is the scale of the problem that, in defence circles, it is a widely held view that the next war will be fought not on the battlefield but in cyberspace.
Where does that leave the maritime industry? The equipment found on ships is traditionally subject to countless prescriptive rules, standards and regulations aimed at ensuring the safety of crew, vessels and their cargoes, as well as the environment.
However, not all equipment is treated equally. There are gaps in this regulatory oversight. The hardware for establishing connectivity between ship and shore is a particularly glaring omission. It is all the more worrying as ships grow more reliant on electronic communications in their operations, especially for safe navigation but also for the ongoing maintenance and upkeep of machinery systems, and to satisfy official and commercial reporting requirements.
From LRIT and GMDSS, to AIS and ECDIS, bridge hardware has to be designed and built to agreed standards (formulated jointly by authorities and industry) in order to gain certification that allows manufacturers to supply and install it. Yet, there are no equivalent requirements for antennas, modems and other satellite communications equipment. Each satellite services provider will have a different way of addressing security and cyber-risk. That is a big risk in my view.
Modems, for instance, may be supplied with default passwords, which are rarely changed or are easy to crack. This was the technique employed to great effect by hackers carrying out the Mirai DDoS attack on Internet infrastructure last October. Once known to malicious third parties, this information could be used to disable the antenna. This could already have serious repercussions for the manned vessels of today. In the case of the unmanned ships currently under development it would be disastrous. Without a hardened communications channel an autonomous ship is unlikely to ever leave port – let alone ply a commercial voyage.
The lack of effective certification for communications equipment has consequences for other equipment. When Transas manufactures an ECDIS capable of downloading chart updates over the Internet, the router and hardware firewall component is scrutinised in the approval process to ensure we are not leaving the ECDIS console and thus mariners exposed to any cyber vulnerability. If we decide to switch to a different router, we have to start over.
Apart from the time involved, this is also an expensive exercise, with costs ultimately feeding through to the end-user. However, there is no similar obligation on manufacturers of satellite communications hardware. In my view, this creates a dangerous gap in the regulatory framework for protecting ships – and one that should be plugged quickly.
Some communications providers propose cyber-security add-ons as part of their offering to ship-owners, which are typically filtering solutions. In my view, this approach addresses symptoms that present themselves at the service level, but not any underlying vulnerabilities found in the infrastructure. The complexity of modern software and hardware makes it difficult, if not impossible, to develop components without flaws or to detect malicious insertions. Vulnerabilities could exist right down to the firmware or chip level. The Mirai attack mentioned above was so effective because the default password had been burnt into the firmware.
It is therefore incumbent on IMO and allied organisations to step up and address this reality. Furthermore, we have to proceed on the assumption that flaws do exist and take a risk-based approach to ensure that when something goes wrong, we have steps in place to minimise the impact. For this reason, the role of class societies cannot be overstated. Certification for all electronic equipment will provide a level of assurance to mariners that the equipment they rely on is fit for purpose.
However, certification for manufacturers is only half the story. One appeal of a risk-based approach to tackling cyber threats is that it can be implemented at various levels. Shipping companies can self-audit and implement their own internal procedures geared towards securing their computer systems. These should cover operations both on ship and on shore.
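The default-credential problem described above (modems shipped with vendor accounts that are never changed, the pattern Mirai exploited) is something a shipping company's self-audit can actually watch for on its own logs. The following is an added example, not code from the article or from Transas: a small detector that reads constructed syslog-style authentication lines from a hypothetical satcom router and raises two kinds of finding, a successful login to a vendor-default account, and a single source cycling through several default usernames in a short window, which is the signature of Mirai-style credential scanning. The log format, the hostname `satcom-rtr`, the onboard LAN range and the default-account list are all assumptions; a real audit would adapt the regex to the device's actual syslog and the account list to the vendor's documented defaults.

```python
"""Detect default-account use and credential scanning in shipboard auth logs.

Added example, not part of the original article. Log lines, hostnames,
addresses and the default-account list are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the vessel's onboard network; logins from elsewhere are higher risk.
SHIP_LAN = ipaddress.ip_network("10.10.0.0/16")

# Assumption: accounts the audit team knows to be vendor defaults on this device.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service"}

# Constructed sample log: an external host tries four default usernames in
# quick succession and then gets in as "admin"; a crew member logs in from the LAN.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z satcom-rtr sshd: Failed password for root from 203.0.113.7
2017-03-01T10:00:02Z satcom-rtr sshd: Failed password for admin from 203.0.113.7
2017-03-01T10:00:02Z satcom-rtr sshd: Failed password for support from 203.0.113.7
2017-03-01T10:00:03Z satcom-rtr sshd: Failed password for user from 203.0.113.7
2017-03-01T10:00:04Z satcom-rtr sshd: Accepted password for admin from 203.0.113.7
2017-03-01T10:05:00Z satcom-rtr sshd: Accepted password for capt from 10.10.0.5
2017-03-01T10:06:00Z satcom-rtr sshd: Failed password for capt from 10.10.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(seconds=60), min_default_users=3):
    """Return findings for default-account logins and default-credential scanning."""
    findings = []

    # Finding 1: any successful login to a vendor-default account. The account
    # should have been renamed or disabled at commissioning, so this is a
    # finding regardless of source; off-ship sources are rated higher.
    for e in events:
        if e["result"] == "Accepted" and e["user"] in DEFAULT_ACCOUNTS:
            onboard = ipaddress.ip_address(e["src"]) in SHIP_LAN
            findings.append({
                "kind": "default-account-login",
                "src": e["src"],
                "user": e["user"],
                "severity": "medium" if onboard else "high",
            })

    # Finding 2: one source failing against >= min_default_users distinct
    # default usernames inside the window (credential scanning pattern).
    failed_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["user"] in DEFAULT_ACCOUNTS:
            failed_by_src[e["src"]].append(e)
    for src, evs in failed_by_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_default_users:
                findings.append({
                    "kind": "default-credential-scan",
                    "src": src,
                    "users": sorted(users),
                    "severity": "high",
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample, the external address produces both findings, while the crew member's single failed attempt on a non-default account produces none. The threshold and window are deliberately parameters: a satcom link with a handful of users can afford a low threshold, and the same code can be pointed at the shore-side logs the article says the self-audit should also cover.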
The cyber discussion in maritime is driven by fear. Some have even argued we should remove tech from ships completely and run them like we did 50 or 100 years ago, which is patently unrealistic. As with so much in life, we cannot eliminate risk entirely, but we can take steps to minimise exposure to unnecessary risks.
Source: By Frank Coles, Chief Executive Officer at Transas
Thank you & Best Regards,
Eng. Dimitrios Nikolaos Spanos
Lead Maritime Auditor / Principal Surveyor
Member of IRCA, IIMS, ELINT, HELMEPA & Nautical Institute