Cyber security in the maritime sector is a hot topic that the shipping industry has only started to take seriously in the last couple of years. This follows increased security concerns in other areas of transport, the most high-profile of which has been the automotive industry. The growing number of wired and wireless technologies being incorporated into connected and autonomous cars has prompted several high-profile demonstrations by security researchers investigating the impact of a remote attack on vehicles, with some scary results.
Although not at the same level, a number of security researchers have also revealed technical vulnerabilities in maritime technologies in recent years. There have even been organised hackathons against maritime technologies, such as the US Navy’s HACKtheMACHINE event. When the maritime sector is analysed, it can clearly be seen that the attack surface (the sum of the points where an attacker can try to access a system) is large and increasing, as shown below.
Some of these systems fall into the enterprise IT bracket; however, many others do not, especially those associated with wireless communications technologies, navigation systems and industrial control systems (ICS), which are arguably the most important systems due to their impact on the safety of the vessel and the crew.
The cyber security products and technologies that are used to monitor enterprise IT systems are reasonably mature. However, with the increased risk of attacks on the operational and navigation technologies, we have started to see companies trying to implement the same security products that have worked for enterprise systems onboard ships. At first glance, this seems like an obvious approach to take. However, this strategy is not able to provide the level of cyber security assurance required to protect such safety-critical systems.
There are broadly two approaches to monitoring for cyber security breaches: network-based and host-based.
With network-based monitoring, the network traffic between computers is monitored for signatures of known malicious attacks or behavioural changes, which are likely indicators of compromise.
The host-based approach involves installing small software components, or agents, on each computer that needs to be monitored. These agents then monitor the computer for indicators of compromise.
Unfortunately, neither of these approaches is appropriate on board a ship:
- In a network-based monitoring scenario, the communications bandwidth required between the ship and the shore-based security operations centre is just too expensive to make it a practical solution.
- In a host-based scenario, it is extremely challenging to install agents on the most critical systems, the navigation and industrial control systems, due to the International Convention for the Safety of Life at Sea (SOLAS) and type approval constraints. Once the systems have been type approved, they can no longer have additional software components added.
Ultimately, vessels are not the same as an enterprise environment. Security monitoring solutions, which are fine for IT office-based systems, are just not fit for purpose onboard a ship. So, what is the solution for maritime?
Rather than trying to solve the cyber security problem by installing devices, a more holistic approach is required. For example:
- Cyber security awareness training for all crew: Cyber security is not an IT issue. Instead, it is something that everyone needs to be aware of. Currently the biggest cyber security problem aboard ships is USB memory stick sharing, which often results in the malware infection of critical systems.
- Separation of systems and networks to provide a layered protection model: Systems that crew interact with regularly, such as Wi-Fi or email systems, should be segregated from more operational systems to reduce the impact of a remote attack or malware infection.
- Security monitoring should be added by the marine electronics suppliers: Longer-term security monitoring will require the involvement of the marine electronics suppliers. This means that security monitoring and host-based agents can be designed in, and therefore included in, the type approval process.
As with other transport industries, to prepare for future threats, the maritime sector needs to adopt a Secure Development Lifecycle (SDL) based approach, which considers cyber security at all stages in the lifecycle of products and systems.
Transport Assurance Practice Director, joined NCC Group in 2010 as Research Director. In his role as Transport Assurance Practice Director his team delivers a comprehensive suite of cyber security and assurance services to Automotive, Maritime, Rail and Aerospace sectors across the globe. Andy has more than 25 years’ experience in cyber security gained from working in various Government departments and high-profile roles in a range of security consulting firms.