There are usually two instances where the volume of vulnerabilities in a system outweighs the effectiveness of remediation controls: poor programming and planning in the development stage, and the use of end-of-life technology that is no longer supported. The shipping industry is guilty of both.
A heavily regulated and function-focused technology consumer, the maritime sector has been slow to adopt digital transformation. Most shipborne and onshore systems use legacy hardware and software, because any system advancement requires rigorous assessment. The very nature of this cautious approach to safety and reliability creates a dependency on systems that are well past their use-by date. In my own experience, many training and simulation networks are still using unsupported Microsoft Windows versions to keep applications running, which contain an abundance of vulnerabilities and lack the usability of sophisticated security controls.
The most critical of these systems are the Global Positioning System (GPS), the Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS). Various reports in the past few years have described the ability to access these systems remotely and change variables to disrupt their output. Poor authentication architecture, limited access control and the absence of defensive security controls only compound the issues.
As well as the issue of legacy devices, many classes of ship maintain a zero-downtime philosophy to keep operations and production at their zenith. The small window of opportunity for system updates and patching, often performed by CD-ROM or USB during a maintenance period, creates a higher-risk threat vector for cyber-attack. The dynamic change-out of staffing also creates a vacuum of system-owner knowledge, which in turn prolongs both the use of legacy networks and the cycles between updates.
Industrial Internet of Things (IoT) adoption for shipborne systems has sought to improve production and reduce delivery schedules and cost; however, connecting critical operations machinery to the internet has increased the cyber threat. The emergence of data analysis and big-data solutions has driven this demand for a higher level of connectivity. Overwhelmingly, equipment that was designed with functionality and cost as the measure sacrifices security to achieve its aims. You would be surprised at how many Raspberry Pi devices power CCTV, engineering monitoring systems and HVAC equipment.
The advent of unmanned shipping will pose even greater consequences if systems are not designed, built and tested with security as a lead system requirement. A few solutions that have begun to take shape include:
· Design modular systems that can be replaced or improved in sections, and introduce threat modelling and penetration testing in the design, build and test phases of all maritime safety equipment connected to IP networks.
· Mandate cyber security audits, including both vulnerability assessments and external threat assessments using the latest cyber threat intelligence, as part of the Safety and Security Management of ships and onshore support facilities.
· Redefine the requirements for onshore support systems so that they must be certified under stringent security frameworks, such as NIST and ISO 27001. This will ensure that ports, supply-chain companies and support organisations can’t be the launch pads for larger attacks against the shipping fleet.