Cybersecurity is a basic necessity for every business sector today. This also applies to the maritime sector. Not only for commercial cargo shipping, but also for so-called ‘superyachts’. Yet, according to Fortinet, the state of cybersecurity within this sector is quite worrying. New policy measures and a well-considered security ‘by design’ must provide an answer to this.
As in other industrial sectors, in the shipping sector more and more operational systems, from cargo ships to so-called ‘superyachts’, are controlled by IT systems. By linking these IT systems to the operational systems on board and ashore and reconnecting them to the internet, these ships are turning into ‘smart platforms’.
With seafaring smart applications – you could also call them seafaring IoT endpoints – shipping companies and owners hope to gain a lot of benefits. In this way, it can improve environmental friendliness and save on fuel costs. In addition, shipping companies and other ship owners can also save on operational costs, such as cargo and crew management, with the help of these smart systems.
Hazards and risks
Of course, this all sounds very nice, but linking all these systems on-board, and especially with the internet, obviously also entails dangers and risks. According to Global Technology Leader- Smart Ships Najmeh Masoudi of certification and inspection standards specialist Bureau Veritas, these risks are mainly a combination of technology, people and processes.
In the field of technology, its systems are becoming more and more integrated, increasing complexity. Moreover, she goes on to say that operational systems on ships will last up to 40 years and often still run on outdated software. For cargo ships, to have windows XP (or older) on board is still quite common. This, of course, also brings further dangers with it.
The crews often do not yet have the right knowledge to handle these complex systems. As a result, they may unconsciously cause calamities or become victims of cyberattacks. Finally, there is a lack of the right processes and plans to manage any incidents properly.
Cyber-attacks a reality in the maritime sector
The vulnerability of the shipping industry to cybercrime is evidenced by the well-known NotPetya attacks that hit the Danish shipping company Maersk in 2017. This attack was clearly a result of outdated software that was used in the company’s processes; more specifically, not patching vulnerabilities of Windows. This eventually cost the shipping company a total of about 300 million dollars, and 4,000 servers, 45,000 PCs and 2,500 applications had to be reinstalled or replaced. Other maritime incidents included an attack in 2018 on the American shipping company COSCO Shipping and ports such as Antwerp, San Diego and Barcelona.
According to Fortinet’s systems engineer Robert Tom, this shows that the shipping sector is really at risk when it comes to cyberattacks. This not only results in lost business but can also lead to fines and penalties for regulatory authorities, reputational damage, supply chain problems and worldwide declining revenues. Not to mention the fact that cyber incidents can pose a threat to the health and safety of seafarers.
Policy and physical action
These vulnerabilities show that it is time for the shipping sector to take a serious interest in cybersecurity and see it as standard practice. Both in terms of policy and physically, on-board the ships.
When it comes to policy, such as legislation and regulations and inspection standards, Masoudi believes that all stakeholders in the shipping industry should work together. This means that shipping companies, port companies, sector organizations and governments must work together to develop a good model for this. Preferably on the basis of standard protocols, for uniformity in the exchange of data and its protection.
There are already many initiatives in this area, including by the global branch organization International Maritime Organization (IMO) and other interest groups. Individual countries are also increasingly coming up with (additional) regulations in the field of cybersecurity for the shipping sector. The United States, France, the United Kingdom and the Netherlands are good examples of this.
More specifically, the areas of interest of the branch association of classification societies for the maritime sector, the International Association of Classification Societies (IACS). The IACS has issued a dozen recommendations for cybersecurity in order to guarantee the entire lifecycle of vessels. The recommendations range from physical access to and security of these on-board systems to the implementation of data assurance, network security, and securing connectivity. And not unimportantly: there must be a plan for what to do if something goes wrong.
Human factor also important
In addition to all these laws and regulations for cybersecurity, Bureau Veritas’ specialist also draws attention to the human factor. The human factor must also be taken into account if cybersecurity is to be properly implemented. As mentioned above, employees can make mistakes and, on the other hand, there are highly motivated hackers on hand. In short, if you want to implement an effective maritime security policy, you also need to get to know these groups of people.
SD-WAN possible solution
In addition to the policy-related part, there is, of course, also the actual technical part that can improve cybersecurity on board. The various presentations showed that current solutions, such as a UTM, or only antivirus or malware software, are no longer sufficient. The entire stack now needs to be looked at, according to Edwin Edelenbos, director of FWD Innovations, the technical specialist for superyachts, in his presentation. Especially now that, in addition to the many communication networks, more and more integrated systems are being installed on-board instead of various separate applications and appliances.
The addition of SD-WAN solutions on board of ships could be a possible solution in his view. Networks can be intelligently managed and provided with the necessary security. This makes it easier to distinguish between non-critical networks and critical networks.
Distribution between communication and other networks
According to Robert Tom, it is also important to secure the various networks on-board ships separately. On the one hand, he sees security measures for the communication networks in this area, including the addition of Quality of Service (QoS). The latter can be used to determine available bandwidth, to prioritize network traffic and to make traffic run intelligently via the various communication links such as satellite, direct data links to the head office, wifi or mobile connections, among other things. This also includes the management of LAN, WLAN and WAN access and the associated authentication.
On the other hand, according to Tom, these are security measures for operational environments. These include providing deep visibility and analytics, virus scanning, web filters, DNS filters, intrusion detection and intrusion prevention, securing the ICS systems, LAN segmentation, and performing mail and endpoint security. And, of course, all of this needs to be accessible and managed from a single point of view.
Fortinet and Spliethoff
To this end, Fortinet naturally supplies various solutions and applications, such as the FortiGate next-generation firewalls, software such as FortiAnalyzer and FortiSandbox Cloud and the FortiMail application.
In a pilot project of the security specialist, shipping company Spliethoff has now installed these kinds of solutions and applications on-board its ships. The main goals were to secure not only the operational systems of the ships, but also the various network connections to and from the ships and to distribute the bandwidth optimally, and thus improve the QoS.
Taking cybersecurity with you from the start
Cybersecurity is increasingly high on the agenda of the shipping industry. Certainly because -in view of the enormous legacy that is still present within the sector- this needs to be speeded up quickly. Therefore it is a good thing that more and more initiatives are emerging for the shipping sector, both in the field of (international) policy and with actual technological measures, and that actual action is also being taken. The emergence of SDWAN may well help in this respect, as well as the separation of the networks for communication from those for more operational services within ships.
It goes without saying that the human factor must not be forgotten either, and employees must be properly trained and made aware of cybersecurity in order to be able to keep this often weakest link to a minimum.
But the most important thing is that all this is done in a hurry. The incidents that may occur can cause a great deal of damage not only to the shipping branch but possibly also to the global economy as a whole. It is therefore absolutely advisable to include cybersecurity in new maritime projects from the outset, whether this is the construction of a cargo ship, drilling platform or a superyacht. Because to be honest: Windows XP on board is just embarrassing, isn’t it?