With a growing number of key shipboard systems now becoming digitized and interconnected, cybersecurity is an increasingly important part of maritime risk management.
To date, the number of recorded maritime cyberattacks has been minimal. But as the commercial shipping industry moves into the autonomous era, the risk of threats will grow.
“Increasing automation will make shipping more efficient, but will also leave the industry increasingly vulnerable to cyber-criminals,” says Joseph Carson, head of cybersecurity at ESC Global Security in Estonia. “Critical systems could be prevented from functioning, resulting in collision, pollution and environmental damage, and possibly ships being redirected. Ship and cargo hijacking is a possibility.”
To gain regulatory approval, the support of ship owners, operators, seafarers and the public, the operations of remotely-controlled and autonomous ships must be as safe as those of manned vessels. Robust cybersecurity—both in terms of technological systems and human behavior—will therefore be critical.
More Potential Routes for Infection
The move toward full autonomy will see the increasing interconnectivity in shipboard systems. For cybercriminals, this multiplies the avenues of attack. “Autonomy means more software, more functionality, more sensors and more intelligent nodes sitting on the network,” says Dr. Robert Oates, a product cybersecurity specialist with Rolls-Royce. “This means more potential routes for infection.”
“Ship and cargo hijacking is a possibility.”
Moreover, the use of off-the-shelf components and big data within autonomous systems means that hackers can leverage their familiarity with the technology. With maritime networks increasingly resembling office networks, all the skills hackers have acquired targeting traditional IT systems can be brought to bear on the shipping industry.
“Component providers are effectively building risk into their products and passing it up the supply chain,” says Oates.
Moves toward connected shipboard systems are already increasing cyber risk. By July 2018, all ships will be required by the International Maritime Organization to use the Electronic Chart Display and Information System. Relying on internet-based software and updates, this GPS-based system is clearly open to digital corruption.
Operators of autonomous shipping systems will clearly need to keep on top of newly released software and hardware vulnerabilities, and patch security holes promptly. Regular system upgrades will be vital to avoid obsolescence.
“The lifetime of ships built now will coincide with the rise of incredibly powerful quantum computing,” adds Oates. “In a few years, the cryptography we are currently using is not going to provide an adequate level of protection. Cryptographic agility is essential to ensure up-to-date security.”
The Human Angle
One of the major variables governing autonomous ship cybersecurity will be one that is common to all connected assets—human awareness and behavior. Effective cybersecurity begins by ensuring that all concerned personnel understand the range of cyber-threats, the reasons behind them and how their actions can affect the integrity of interconnected systems.
Operators will need to keep on top of newly released software and hardware vulnerabilities.
“Operational technologies are key to ensuring we minimize cybersecurity risks in the maritime industry, but it all starts with people,” says Luis Bento, head of innovation, strategy and research at Lloyd’s Register. The organization issued ShipRight guidelines for autonomous ships in July 2016, defining six levels of autonomy and related best practices.
Maximizing the safety and security of autonomous systems demands a full understanding of their characteristics, as well as their functional success and failure paths. In the maritime and offshore sectors, that means understanding the interconnectedness of onboard systems and equipment, as well as their connection to shoreside digital networks.
“Too few companies consciously define their interoperability position,” says John Jorgensen, director for cybersecurity and software at the American Bureau of Shipping (ABS). “They know when data is flowing or not, but don’t understand what the data is, what can touch it, or how machines communicate without human interference.”
The Time Is Now
Going forward, it is clear that the shipping industry must do more to preempt the inevitable security issues associated with autonomous systems. But it will need assistance.
While recent guidelines from entities such as Lloyd’s Register and the ABS are helpful, clear and discrete solutions to specific cybersecurity challenges are still thin on the ground. In an industry which operates on tight margins, those solutions will need to be affordable and user-friendly, as well as timely.
“I am a keen proponent of digitalization and automation in commercial shipping,” says Lars Jensen, CEO of Copenhagen-based maritime cybersecurity firm CyberKeel. “But the time to think about cybersecurity is now, before automated solutions are built, not afterwards.”