Seeking cyber resilience for the emerging technology waves
SHIPS are no longer just massive metal structures made to float safely. They are also massive digital systems of systems, often loaded with more data than the cargo they carry.
This shift in the maritime landscape created by the fourth industrial revolution has transformed how we do things and what skills we need, and has also made it more complex to manage cyber security risks. And this is just the beginning of shipping’s digital voyage.
As we move more and more towards adopting newer and greener technologies, the ‘threat’ landscape of these interconnected ecosystems will only grow more complex, and the amount of data and systems to be protected will increase with it.
Even today, as advanced sensors, industrial internet of things, cloud, and various degrees of autonomous operations become synonymous with modern ships, cyber security has become critical to everyday activities such as voyage planning, navigation, situational awareness, route and fuel optimisation, port calls, and even aiding safe docking and undocking.
These technological improvements invariably need cyber-resilient systems with cyber security controls fit for purpose, and maritime needs to start preparing for not only what is happening today but what is going to happen in the next decade. However, there are challenges.
The goal of maritime cyber risk management is to ensure safe and secure shipping: understanding how different software systems, hardware solutions and network connections contribute to maritime operations, and improving the resilience and robustness of these systems, are essential.
At present, however, the technology, cyber regulations, legal instruments and insurance offerings related to maritime operations are all evolving at different speeds, requiring us to navigate a constantly changing maze of risks and requirements. There are also barriers and inertia within the somewhat conservative maritime industry.
On the other hand, data-driven operations are shaping shipping’s next phase of efficiency. As the industry increasingly uses remote activities like type approvals and class inspections, and gathers big data to improve the efficiency of systems, solutions are breaking traditional cyber security barriers on the vessel.
So, where do we go from here?
The above challenges create opportunities. As the internet of things, cloud and data-driven technologies become increasingly relevant for this intertwined digital landscape of ‘systems of systems’, we are beginning to see better collaboration, a push for certifications, and standardisation practices among stakeholders, to keep systems resilient on all fronts.
Resilience for both products and business
The IMO’s Resolution on Maritime Cyber Risk Management, which came into effect in January 2021, has catapulted the conversation on cyber security to higher levels. We are increasingly seeing existing fleets, as well as newbuildings, being surveyed by third parties to give vessel owners an understanding of the cyber security posture of their vessels.
While cyber security is increasingly becoming part of contracts and tender processes, such security is not static, so we cannot just focus on ticking boxes. Resilience needs to be ‘built into’ both products and businesses.
That means information security management system controls and capabilities for corporate infrastructure, systems, and networks; making business continuity the focal point in audits and simulations; strengthening collaboration with strategic suppliers; and considering a Third-Party Risk Management programme to address cyber risks in the supply chain, collaborating at a level beyond contractual relationships and obligations.
Role-based training is crucial, given that 84% of all cyber attacks rely on social engineering and human behaviour, and people must have the required cyber-related skills that match their job profile.
On product, maritime has already recognised the need to better understand the various threat vectors and their impact on vessel systems and maritime operations. Traditionally, a lot of effort has been put into protecting the assets. This has meant building perimeter defences and leveraging a plethora of expensive tools.
The shift now needed will help answer such questions as: Do we know our critical assets? Do we know what data to secure? And do we have visibility of these systems? In response, the industry must work together, to prioritise and concentrate on the right actions throughout the ecosystem.
An ‘all hands on deck’ approach
Innovation in maritime systems is driving the industry to leverage new technologies on multiple fronts, so no single approach, activity, technology, tool, or process can address all things that cyber resilience demands.
Industry collaboration is required to ensure safety and cyber security in both IT and OT (operational technology) environments as they converge. Everyone has a role to play.
Vessel operators need to be more risk-aware and conduct frequent cyber audits, train the crew, and increase system knowledge. They should also use technological means to reduce risks, such as a layered approach to cyber security, frequent system and OT updates, and fallback (redundancy) options that the crew is aware of.
Vendors, on the other hand, need to ensure secure development and provide support to maintain cyber resiliency and security throughout the product lifecycle.
As a maritime community, we need to become more inclusive, which involves leveraging not only public and private partnerships but also academia, various flag states and even intergovernmental organisations. Maritime needs to leverage its existing architecture and evolve its information exchange policies. We need to conduct broad-reaching exercises to fully understand the cyber impact on the supply chain, throughout the ecosystem and wherever we sail in the world.
We are under way, but still need to turn a few more knots.