www.maritimeindustries.org
Collaborating across the supply chain to deliver cyber‐secure maritime systems
Daniel Ng, CyberOwl
The convergence of cyber and physical risks in maritime is becoming increasingly evident. Port operators are already suffering the consequences of cyber‐physical attacks. In ships, the risk is more subtle, but vulnerabilities are repeatedly proven to be easily exploitable. These are complex assets with complex supply chains. To have a fighting chance, we must leverage the UK’s leading maritime supply chain and collaborate on security.
For three weeks in June 2019, the airspace around Tel Aviv’s Ben Gurion Airport experienced recurring unexplained GNSS disruptions that impacted aircraft landings and takeoffs. To date, no related incident has been traced directly to maritime systems. Yet the experience serves as a strong reminder that GNSS attacks have direct implications for maritime positioning and navigation, never mind the impact on certain vessel and shoreside systems that rely on precision timing. Separately, at a different point in time and across the European continent in Antwerp, drug traffickers mounted a two‐year campaign to gain physical access, infiltrate staff computers and compromise cargo‐tracking systems to aid the import of drugs hidden in containers. These attacks are a bellwether of an escalating trend in maritime security – the convergence of cyber and physical risks.
CyberOwl has engaged with over 50 shipping and port owners, operators and equipment manufacturers in the last 12 months. In all our interactions, we rarely came across an organisation that is well‐prepared for this converging risk. Physical security is reasonably mature, but still treated entirely separately to cyber security. Assuming cyber security controls even exist, it is still very much “an IT manager’s problem”. The assumption is that a threat actor still thinks of physical and cyber vectors separately.
The fact is that digitalisation, connectivity and automation are already present on the bridge, in the engine room, in the yard, at the gate and all the way across the supply chain. There is already a range of ways to deliver a cyber‐attack to vessel or shoreside systems. This is true whether or not you have fully embraced IoT. As long as you are providing internet access to crew, collecting performance data on your vessel systems, tracking your cargo or maintaining an IT‐based physical access system, there is already a way for a hacker to disrupt your operations.
Vessels and ports are complex systems. They involve the union of hardware and software components from different suppliers to achieve a collective infrastructure. Each component tends to be maintained by its respective supplier, but the network and services function across those boundaries to achieve a collective goal of delivering the critical maritime services. For security to be effective, it also needs to be designed and maintained across the whole system, across those boundaries. However, operational technology (OT) systems are generally still installed as “black box” systems. Vulnerabilities are guarded jealously, if well understood. This leaves the operator, who has to suffer the consequences of a cyber‐attack, with limited understanding of how to mitigate the risks and very little power to do anything about it.
Image caption: Ben Gurion Airport
Society of Maritime Industries Annual Review 2019