Autonomous Shipping – Cyber Hazards Ahead

If autonomous vessels are the future of maritime shipping, then cyber threats may be its Achilles heel.  

Congested shipping, restricted visibility, limited maneuverability, and intensive docking activities all contribute to port hazards – 42 percent of EU reported marine accidents (injury/death/damage to ships) took place in port areas and 44 percent of workboat fatalities occurred on Tugs. Autonomous shipping should provide numerous benefits including increased safety by relieving crewmembers of unsafe and repetitious tasks. Yet, with cyberattacks threatening every industry, this nascent technology is a large target. If autonomous vessels are the future of maritime shipping, then cyber threats may be its Achilles heel.

Rolls-Royce has demonstrated an automated tug. Systems provider Wärtsilä is testing automatic port arrival solutions. Cybersecurity is integral to both designs. Chris South, senior underwriter for insurance provider West of England P&I, states that four factors are driving maritime cybersecurity:

• Automation – machinery is increasingly controlled by software;
• Integration – multiple shipboard systems are connected together;
• Remote Monitoring – corporate land-based offices use ship-to-shore communication to continuously monitor shipboard equipment;
• All these systems are connected to the internet.

Considering Risk
This presents considerable risk to shipowners, port operators, and their underwriters in the event of failure or if cybersecurity is mismanaged. Risk, the potential for damage (in this case, from a cyberattack), exists not only in office environments, but can also affect physical assets marine companies use. Attacks against physical assets are not without precedence. In 2015, Russia purportedly attacked Ukraine’s electrical grid leaving 225,000 people without power. The cyberattack subverted the SCADA distribution management system used to monitor and control power substations. A marine cybersecurity attack could similarly exploit a ship’s monitored distributed control system (DCS) interacting with propulsion engines, a port’s automated cranes moving cargo, and other vulnerable systems.

The damage of an attack can affect a company’s reputation, its brand, interrupt business, physically injure employees, or have financial and legal consequences. When direct, indirect, and opportunity costs associated with cybercrime (criminal activity conducted on the IT infrastructure) are considered, consultancy Accenture states the average cost to an organization is $13 million.  An attack resulting in personnel injury or death could cost more.  

In considering risk, company management determines what could go wrong, the likelihood of such events occurring, the impact if they do occur, and actions to mitigate or minimize both the likelihood and the impact to an acceptable level. Unfortunately, there are too many cases where executives have been overconfident or misjudged their ability to mitigate threats. Because cybersecurity not done right causes enormous problems, risk averse and prudent companies typically hire outside cybersecurity experts to validate strategy or help determine a security target state. It is money well spent.  

Navigating Human Error
Human error is the leading cause for accidents at sea. Vessel maneuverability factors have a negative effect, but it’s not causal … people are mostly at fault. Unfortunately, accidents happen. And, yes, autonomous shipping can reduce the risk of human error. But consider a cyberattack on a vessel’s automation system to manipulate navigation, steering, or propulsion systems. The consequences would be grave – ship collisions, groundings, and plausibly instances rendering shipping channels impassable.  

Three navigation-critical systems involved autonomous shipping have proven to be vulnerable:

• Global Navigation Satellite System (GNSS) – provides exact vessel location, but can be manipulated to deceive the crew into changing course;
• Electronic Chart Display & Information System (ECDIS) – digital repository charts and routes, but if hacked and fed false information can cause the crew to plot the wrong course;
• Automatic Identification System (AIS) – monitors surrounding traffic for collision avoidance, but can be intercepted and fed false vessel information (location, movement or identity).

GNSS spoofing has gone main stream. It’s used to cheat at Pokemon Go, and dishonest for hire transport providers have used GNSS spoofing to appear nearby awaiting customers while parked at home, miles away. In 2013, a team of researchers from the University of Texas demonstrated that by using a $3,000 GPS spoofer, a small antenna and a laptop, an $80 million private yacht could be steered off course. The ship turned, but the chart display and the crew saw only a straight line.

Other systems are at risk as well. The International Chamber of Shipping lists these exploitable shipboard systems:

• Cargo management systems used to control cargo and may connect with port terminal systems;
• Bridge systems used in navigation and for propulsion maneuvering;
• Propulsion and machinery management and power control systems which monitor and control onboard machinery, propulsion and steering;
• Access control systems for ship and cargo physical safety, surveillance and alarm systems;
• Passenger servicing and management systems which may hold valuable passenger related data;
• Passenger facing public networks connected to the internet and used by passengers;
• Administrative and crew welfare systems for internet access and email;
• Communication systems for internet connectivity via satellite/wireless communication.

The danger occurs when systems are exposed to uncontrolled networks or have direct connectivity to the internet. Ships create vulnerabilities when they network both their IT systems and operational equipment and then connect both to the internet for shoreside monitoring. A hacker, who penetrates the IT perimeter, has full access to even the most critical onboard systems. Because Operational Technology (OT) interacts with critical and sensitive devices and processes, OT requires special security considerations.
Under no circumstances should OT have direct internet access. This includes systems used for autonomous control. There are specific 

cybersecurity guidelines dealing with OT systems such as NIST 800-82, a security framework for industrial control systems. Unfortunately, maritime companies have a legacy of low cyber awareness and cybersecurity capability. But, even being ‘average’ in terms of cyber security is not good enough. The danger is too great.

Cybersecurity experts all agree that layered defenses and multiple security defenses within the layers are best practices against intrusions and breaches. While nothing guarantees immunity, significantly lower risk is achievable with Zero Trust, which relies on the concept of ‘never trust and always verify a connection.’ Zero Trust employs micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access. Zero Trust might have minimized, perhaps prevented the well-publicized Maersk event.

The Regulator’s Role
Regulators are taking an activist role in cybersecurity. The EU’s General Data Protection Regulation (GDPR) gives regulators extra-territorial reach and the ability to levy fines up to 4% of annual global turnover or Euro 20 million – whichever is greater – for any company infringing on the data privacy of EU citizens. The International Maritime Organization, the United Nations agency with responsibility for the safety and security of shipping, is examining how to address autonomous shipping in its regulatory framework. A cyberattack against marine shipping could face the wrath of multiple regulators.

Some marine stakeholders are building cloud-based autonomous shipping platform. Many onshore industries are already in the Cloud, but a word of caution: the migration of applications to the Cloud adds new layers of complexity and threat surfaces.

An insecurely configured AWS Web Application Firewall (WAF) permitted an insider to steal 106 million personal records from a large bank. The devil is truly in the details. In cybersecurity, getting the details right is an absolute.

Cybersecurity is more than just a means for defense. It is a business enabler and reputation booster, enhancing the loyalty and trust of security-minded customers and partners. It can drive new business and be a competitive differentiator if cybersecurity is baked-in, part of the design. Forbes contributor William Saito said it well when he compared cybersecurity to the brakes of the very swift Japanese bullet train, that the brakes permit speed. “The brakes aren’t there to act as a drag on the bullet train’s performance – they allow it to travel faster than conventional trains because they put the train drivers in control of its speed. To go really fast, you need really good brakes.”

Mr. Jeffery Mayger provides cyber security advisory services at Concord, a consultancy for information technology integration and security services. His cybersecurity background includes Chief Information Security Officer (CISO) for global mining company Sibelco and information security services to upstream oil/gas customers. In addition to his B.S in Mechanical Engineering, Mr. Mayger also holds a Master of Business Administration (MBA) from the University of Texas. His Information Security background includes designations as Certified Information Security Professional (CISSP) and Certified SCADA Security Architect (CSSA). Mr. Mayger can be contacted at [email protected].

This article first appeared in the October print edition of MarineNews magazine.