5 cybersecurity lessons shipping should learn from other industries
CyberOwl has engaged with over 50 shipping owners, operators and equipment manufacturers in the last 12 months. More is being done on vessel cyber-physical security than is publicly evident. Different strategies and priorities are being applied, but some common challenges are clear. Some strategies are already bringing early successes, but has the maritime sector learnt the lessons of its peers in more cyber-mature sectors?
As 1 January 2021 approaches and the IMO's first move to bolster cyber resilience in the shipping sector through the ISM Code starts to bite, there is a steady stream of activity across the shipping supply chain to develop cyber resilience capabilities. On the surface, this is promising. However, the competitive and secretive nature of the sector means organisations prefer to get quietly ahead of their competitors rather than take the more mature approach of collaborating against the common adversary, the cyber attacker. So there remains a lack of awareness, understanding and knowledge-sharing, and a good deal of confusion. This is slowing the pace of resilience-building and edging the maritime sector towards the top tier of soft targets for the cyber criminal.
At CyberOwl, we have been investing time with over 50 ship owners, operators and OEMs in the last 6 months to gain a deep understanding of their cyber security challenges and what they are actually doing to address them. We set out our findings in the next sections. This was partly through co-hosting cyber "war game" events with the Society of Maritime Industries in Athens [link] and Singapore [link], which brought together senior IT, security, safety and operations managers at shipping companies to debate preparedness, priorities and responses to a simulated cyber attack on their vessels. It also combines views from fleet operators we have spent time with in the UK, the Nordics, Germany, Benelux, Turkey and Cyprus.
"Fools say that they learn by experience. I prefer to profit by others' experience." ― Otto von Bismarck
From our discussions, common challenges are surfacing. And it is becoming clear that the maritime sector is in danger of tripping over the same stumbling blocks that other sectors, such as oil and gas, and energy, have previously encountered. Five of these are particularly worth noting.
There is still false confidence that perimeter security is good enough. The majority of fleets have implemented basic perimeter IT security on their vessels, most commonly firewalls or antivirus software. The underlying assumption is that a clear perimeter can be defined for the vessel network, so controlling the ingress and egress points is sufficient. The reality of modern vessel networks, and the growing demand for connectivity for crew and passenger welfare, means this is no longer true. Firstly, you have to assume that the vessel systems are already compromised and an active threat is already inside. Mature sectors accepted this some time ago, however tired the slogan now sounds: trust nothing. Secondly, perimeter devices like firewalls have repeatedly been shown not to block every attack. Without behavioural analysis and anomaly detection, they are rule-based systems that are forever catching up with the latest attacker tools, techniques and procedures, and a flow that matches a permitted rule passes regardless of whether it is normal for that host. Even where it is technically possible, the cost of maintaining advanced firewalls on every vessel does not always make commercial sense. Finally, there are ways into vessel systems that bypass the traditional perimeter altogether. An attacker (insider or outsider) who obtains privileged access, for example through valid credentials, never has to cross the perimeter at all. Once they are in, a strategy based solely on perimeter security is rendered entirely ineffective. A layered approach is needed, with situational awareness, or visibility, at its heart.
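The contrast the paragraph draws, a static perimeter rule set versus a behavioural baseline, is easiest to see on concrete traffic. The block below is an added example written for this page, not CyberOwl code and not part of Incus Marine. The segment plan (an OT VLAN, a business LAN holding the PMS server, satcom to the internet), the firewall rules and every flow record are constructed; the off-ship addresses are documentation ranges. It learns which (source, destination, port, protocol) tuples occur in a known-good window, then scores a later window in which the PMS workstation has been compromised, and reports for each anomaly whether the static rules would have let it through.

```python
"""Added example: behavioural baseline over vessel network flows versus a static
perimeter rule set. All addresses, rules and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed segment plan (assumption, not from the article).
OT_NET = ip_network("10.10.1.0/24")    # engine telemetry / sensor nodes
BIZ_NET = ip_network("10.10.2.0/24")   # admin workstations and the PMS server
PMS_SERVER = "10.10.2.10"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in OT_NET:
        return "ot"
    if ip in BIZ_NET:
        return "business"
    return "offship"


def perimeter_allows(f: Flow) -> bool:
    """Static rules of the kind a vessel edge firewall holds (constructed)."""
    s, d = zone(f.src), zone(f.dst)
    if s == "business" and d == "offship" and f.dport in (80, 443):
        return True                       # crew / admin web access
    if s == "ot" and f.dst == PMS_SERVER and f.proto == "tcp":
        return True                       # telemetry push to the PMS server
    if s == "business" and d == "business":
        return True                       # intra-LAN traffic
    return False                          # default deny


Key = Tuple[str, str, int, str]


def learn_baseline(flows: List[Flow]) -> Dict[Key, int]:
    """Count every (src, dst, dport, proto) tuple seen in a known-good window."""
    baseline: Dict[Key, int] = {}
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        baseline[key] = baseline.get(key, 0) + 1
    return baseline


def detect(flows: List[Flow], baseline: Dict[Key, int]) -> List[Tuple[Flow, str]]:
    """Flag flows the baseline never saw; the reason ranks them by blast radius."""
    known_peers = {(s, d) for (s, d, _, _) in baseline}
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport, f.proto) in baseline:
            continue
        s, d = zone(f.src), zone(f.dst)
        if s == "ot" and d == "offship":
            reason = "OT host contacting off-ship address"
        elif s == "business" and d == "ot":
            reason = "business host initiating connection into OT"
        elif (f.src, f.dst) in known_peers:
            reason = "known peers, new service (port/proto)"
        else:
            reason = "new peer pair"
        alerts.append((f, reason))
    return alerts


# Constructed known-good window: sensor nodes push to the PMS server, the PMS
# workstation (10.10.2.15) browses a single vendor site.
GOOD_WINDOW = [
    Flow("10.10.1.21", PMS_SERVER, 8443, "tcp"),
    Flow("10.10.1.22", PMS_SERVER, 8443, "tcp"),
    Flow("10.10.2.15", "203.0.113.5", 443, "tcp"),
    Flow("10.10.2.15", "203.0.113.5", 80, "tcp"),
]

# Constructed later window after the PMS workstation has been compromised.
SUSPECT_WINDOW = [
    Flow("10.10.1.21", PMS_SERVER, 8443, "tcp"),    # normal telemetry
    Flow("10.10.2.15", "198.51.100.7", 443, "tcp"), # beacon to a never-seen host
    Flow("10.10.2.15", "10.10.1.21", 502, "tcp"),   # workstation probing a sensor node
    Flow("10.10.1.22", "198.51.100.7", 443, "tcp"), # sensor node reaching off-ship
]


def run() -> List[Tuple[Flow, str, bool]]:
    """Return (flow, reason, firewall_would_allow) for every anomaly found."""
    baseline = learn_baseline(GOOD_WINDOW)
    return [(f, r, perimeter_allows(f)) for f, r in detect(SUSPECT_WINDOW, baseline)]


if __name__ == "__main__":
    for f, reason, allowed in run():
        print(f"{f.src}->{f.dst}:{f.dport}/{f.proto}  {reason}  firewall_allows={allowed}")
```

The beacon on port 443 matches a permitted rule, so the static perimeter passes it; only the baseline notices that this workstation has never spoken to that address. The two flows that touch the OT VLAN are caught by default deny, but a firewall drop is not the same as an investigation, and a baseline that includes the OT segment surfaces both with a reason attached. That is the layering the paragraph argues for: neither control is sufficient alone.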
Security of vessel IT systems and operational technology (OT) systems is being treated as two separate technical silos. This delineation is increasingly unrealistic in a world accelerating towards digitalisation, integration of operations and automation (well short of fully unmanned vessels). To take just one example, planned maintenance systems (PMS) are increasingly integrated with sensors and telemetry across the vessel, or with an intelligent remote asset management system (iRAMS), so that they receive real-time data on the engine and the other assets they monitor. The PMS is often run from an on-board workstation and hosted on a server on the vessel's business or administration IT network. The workstations are typically Windows machines, sometimes running old versions of the operating system with known and wide-ranging vulnerabilities, and in some cases with open USB ports where a crew member may conveniently charge a mobile phone. A workstation on the business network that exchanges data with engine-room systems is, in effect, a bridge between the two networks, and this increasingly common setup presents a whole range of entry points and attack vectors for the cyber criminal. However one assesses the risks, it illustrates that an impermeable border between IT and OT systems can no longer be relied on.
Cyber-physical security is still being dealt with as an "IT problem", but with limited authority or budget decision-making given to the IT Director. CIOs, CTOs and IT Directors still appear to be the most senior people left with the responsibility for building vessel cyber-physical resilience. Paradoxically, they have limited authority over vessel OT systems and often little autonomy over budgets and priorities for investment in OT security capability. Responsibility, with little authority. It is worth noting that this is at odds with the direction of travel of regulation and guidance from the IMO, classification societies and other bodies, all of which seek to link cyber security closely with safety. Mature critical national infrastructure organisations that have to manage IT, OT and industrial IoT (IIoT) systems have already started structuring their security organisations differently, with a Chief Security Officer given a clear remit over the security of both IT and OT systems.
There is a naïve assumption that cyber incidents are easy to detect. During one of the cyber "war games", a scenario of malware being introduced by a subcontractor into the vessel power management system was explored. The simulated symptoms were clear: the power management system had failed and the vessel was now running on the emergency generator and switchboard. What was less clear was the appropriate urgent response. A widely supported view was that the IT or cyber security team should immediately work on containing the spread of the malware. The assumption here is that there is enough situational awareness for anyone to have alerted the IT or cyber security team in the first place, rather than treating the outage as an equipment fault. The fact is that existing cyber resilience technologies and processes on vessels are generally not good enough to provide the situational awareness and actionable intelligence needed to identify and understand a cyber attack on a vessel system. FireEye research puts the average dwell time of a cyber attack globally, across all sectors and technologies, at over 170 days. That is over five months between compromise and detection. One should expect the shipping sector to perform below that average, given its unmitigated vulnerabilities and lack of maturity. And compromises of OT systems, where monitoring is weakest, are a major contributor to the longest dwell times.
Risks from the loss of availability of critical vessel systems are well understood. Recent ransomware attacks, Maersk and James Bond-type thrillers have helped stretch the imagination. The flip side is a false sense of security that manual processes can always be put in place to work around any system disabled by a cyber attack. Risks from the loss of integrity, on the other hand, are poorly understood. Penetration testing exercises have already demonstrated that vessel systems can easily be manipulated to lie to you [link]. One common retort is that a disabled navigation system, like ECDIS, is of limited risk; there are manual tools and processes to fall back on. But what happens if data from positioning sensors has been manipulated to feed the bridge erroneous information during a near-port manoeuvre or in a busy shipping lane? A disabled system announces itself; a lying one does not. The "look out the window" strategy is clearly not foolproof, as the recent collisions between the Greek carrier Pireas and the anchored Malaysian government vessel Polaris, and between the tanker Antea and the pipe-laying ship MV Star Centurion, demonstrate (neither has been attributed to a cyber attack; the point is that visual lookout alone did not prevent them). Incidentally, loss of integrity is a top concern of naval organisations, but the commercial shipping world has yet to wake up to the risk.
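Manipulated position data is detectable on the bridge side when someone bothers to check it for consistency. The block below is an added example written for this page, not CyberOwl code and not the pentest referenced above. It takes a short track of NMEA 0183 RMC sentences of the kind a GNSS receiver feeds to ECDIS, verifies each sentence's checksum, and then compares the speed implied by consecutive fixes against the speed over ground the receiver itself reports. The track is constructed: a vessel making 8 knots due north, one fix that jumps two nautical miles in ten seconds while still reporting 8 knots, and one sentence whose latitude was edited without recomputing the checksum. The tolerance values are assumptions for the example.

```python
"""Added example: plausibility checks on constructed NMEA RMC fixes.
All sentences, positions, dates and thresholds below are constructed."""
import math
from datetime import datetime
from typing import List, Optional


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def make_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"


def _dm_to_deg(dm: str, hemi: str) -> float:
    """ddmm.mmmm (lat) or dddmm.mmmm (lon) -> signed decimal degrees."""
    dot = dm.index(".")
    deg, minutes = float(dm[:dot - 2]), float(dm[dot - 2:])
    val = deg + minutes / 60.0
    return -val if hemi in ("S", "W") else val


def parse_rmc(sentence: str) -> Optional[dict]:
    """Return a fix, or None if the checksum fails or the status is not 'A' (valid)."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if given.upper() != nmea_checksum(body):
        return None
    f = body.split(",")
    if f[0][2:] != "RMC" or f[2] != "A":          # any talker id (GP, GN, ...)
        return None
    when = datetime.strptime(f[9] + f[1].split(".")[0], "%d%m%y%H%M%S")
    return {"time": when, "lat": _dm_to_deg(f[3], f[4]),
            "lon": _dm_to_deg(f[5], f[6]), "sog_kn": float(f[7])}


def distance_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in nautical miles (haversine, mean earth radius)."""
    r_nm = 3440.065
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r_nm * math.asin(math.sqrt(a))


def check_track(sentences: List[str], tolerance: float = 1.5, margin_kn: float = 3.0) -> List[dict]:
    """Flag sentences that fail checksum/status, and fixes whose implied speed
    exceeds the reported SOG by more than the (assumed) tolerance."""
    alerts, last_trusted = [], None
    for s in sentences:
        fix = parse_rmc(s)
        if fix is None:
            alerts.append({"kind": "rejected", "sentence": s})
            continue
        if last_trusted is not None:
            dt_h = (fix["time"] - last_trusted["time"]).total_seconds() / 3600.0
            if dt_h > 0:
                implied = distance_nm(last_trusted["lat"], last_trusted["lon"],
                                      fix["lat"], fix["lon"]) / dt_h
                limit = max(fix["sog_kn"] * tolerance, fix["sog_kn"] + margin_kn)
                if implied > limit:
                    alerts.append({"kind": "jump", "implied_kn": implied,
                                   "reported_kn": fix["sog_kn"], "sentence": s})
                    continue               # do not let a rejected fix become the reference
        last_trusted = fix
    return alerts


def rmc(hhmmss: str, lat_dm: str, lon_dm: str, sog: str) -> str:
    """Build a constructed RMC sentence (date 15 Sep 2020, northbound, lon fixed)."""
    return make_sentence(f"GPRMC,{hhmmss},A,{lat_dm},N,{lon_dm},E,{sog},000.0,150920,,,A")


LON = "10345.0000"
_tampered = rmc("081050", "0115.1110", LON, "8.0").replace("0115.1110", "0118.1110")
TRACK = [
    rmc("081000", "0115.0000", LON, "8.0"),   # 8 kn north: +0.0222' latitude per 10 s
    rmc("081010", "0115.0222", LON, "8.0"),
    rmc("081020", "0115.0444", LON, "8.0"),
    rmc("081030", "0117.0666", LON, "8.0"),   # spoofed: 2 nm north in 10 s, SOG unchanged
    rmc("081040", "0115.0888", LON, "8.0"),   # genuine fixes resume
    _tampered,                                 # latitude edited, stale checksum
]


def run() -> List[dict]:
    return check_track(TRACK)


if __name__ == "__main__":
    for a in run():
        print(a["kind"], a.get("implied_kn", ""), a["sentence"])
```

Two caveats a practitioner would add. The jump check only catches abrupt changes; an attacker who drags the reported position away slowly stays under the tolerance, so the position has to be cross-checked against independent sources (radar, log, gyro, inertial data) as well. And the NMEA checksum is an integrity check against noise, not against an attacker: anyone who can inject sentences can compute it, which is why the tampered sentence in the track is only caught because the edit was made without recomputing it.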
These are lessons that shipping operators should be learning from other sectors. There has not yet been a major cyber attack that has devastated a fleet. But keep ignoring the warning signs and the prognosis is worrying. In Part 2, we will explore the areas where fleet operators are calling out for collaboration, often frustrated that very little can be done on their own, even as the risks appear obvious and escalating.
CyberOwl has developed a cyber-physical protective monitoring system for vessels, Incus Marine, to improve situational awareness for the fleet operator. This first-of-its-kind vessel cyber security monitoring capability provides early warning of escalating attacks on vessel IT and IoT systems, identifies behavioural anomalies, improves change management in vessel OT systems and minimises the overhead on the vessel security and operations teams by applying risk-based prioritisation.