Whereas cybersecurity has become a top priority for sectors such as financial services and healthcare – in part, down to well-publicised breaches – it still remains under the radar when it comes to the maritime industry.
Shipping is not immune to cybercrime. In June 2017, Maersk was infamously the target of a ransomware attack, NotPetya, which shut down all of its IT systems, costing the Danish shipping company up to £300m in lost revenue.
Reflecting on the incident shortly afterwards in an interview with the Financial Times, CEO Søren Skou said: “Most business problems, you will have an intuitive idea on what to do. But with this and my skills, I had no intuitive idea on how to move forward.”
Skou’s admission is telling. In spite of the vital role shipping plays in the world of global trade and logistics, its response to the digital revolution – and the challenges that have come with it – has been relatively slow.
If the global maritime sector, or “blue economy”, is to reach its true potential – analysts believe it might be worth as much as $3tn by 2030 – it can no longer afford to sweep cybersecurity under the rug.
In the UK, cyber-attacks are listed as a top-tier threat to national security. Yet, as lamented by Professor Kevin Jones, executive dean for science and engineering at the University of Plymouth, its maritime sector “is not well protected against cyber-attacks and incidents.”
In November, Jones was appointed as principal investigator for a new project which aims to create a national research centre in maritime cybersecurity. Funded by Research England, the £3m Cyber-SHIP Lab is set to bring together experts from the worlds of cybersecurity and IT alongside equipment manufacturers and shipping operators to tackle the matter at hand.
The facility will house the latest systems found in maritime technology, including radar equipment; a voyage data recorder (VDR); an electronic chart display and information system (EDCIS); an automatic identification system (AIS); and communication devices. These will feature alongside the university’s existing maritime facilities, which include a training simulator and lab.
Below, Jones explains how, in helping to train shipping industry professionals to become better versed in cybersecurity, its upcoming launch – pencilled in for July – could not be timelier.
Ross Davies: When did you start looking into the Cyber-SHIP lab and what were some of the driving factors behind its inception?
Kevin Jones: We started looking at maritime cyber threats around three years ago. It was at that time that we realised it was a growing problem in the industry, but there really wasn’t much focussed research around it.
The early work we did was on things like appropriate risk modelling, because a lot of what was out there just didn’t really fit with the peculiarities of the maritime sector. That entailed a lot of work in terms of simulation, and playing with malware, but not much insofar as looking at the full ecosystem onboard real vessels.
We realised that what was missing was a real-world lab, where you could experiment with actual devices rather than simulated devices. So we put together a proposal to set up a lab environment, equipped with an actual ship’s bridge set-up with combinations of actual devices.
RD: It sounds like the purpose of the lab is for it to be grounded in reality as much possible.
KJ: Exactly. The idea is to get a real-world grounding in real-world cyber scenarios, and then to develop mitigations. You can’t reveal these types of vulnerabilities using only simulated scenarios and set-ups.
RD: What kind of training will you be offering at the facility?
KJ: A couple of different levels. The first one we’re expecting to put together is a CPD [continuing professional development] package to help crews equip themselves for cyber threats.
That’s because while crews are pretty well trained when it comes to resilience in the event of a piece of onboard kit failing, they tend to struggle with cyber events because they are not so blatant.
They often provide misdirection. They are deliberate attempts to give misinformation to the crew, who are not well trained to respond accordingly.
We want to be able to train them up to recognise when they shouldn’t trust a particular instrument if it’s acting strangely. For those kinds of scenarios, we will be able to offer specific training, on top of the more general cyber awareness stuff.
RD: What are some of the specific cyber incident scenarios you will be looking to test?
KJ: We’ve already run a couple of experiments where the AIS has been glitched with ghost ships – a fair indicator that something isn’t right. Generally speaking, crews still don’t know how to deal with that kind of scenario. They’ll often see it as a just a glitch in the system rather than it being indicative of something more serious.
We’re also looking at things like GPS spoofing and misdirection, which can be responsible for failures in channel separation.
These are the kinds of holes found in current training – when the GPS is telling you one thing, the radar something else, and the AIS doesn’t give you the information you need.
RD: I understand the lab is being developed in partnership with shipping companies, port operators and equipment manufacturers – how’s that collaboration going?
KJ: There are various levels of involvement and commitment. Ship operators are, naturally, interested most in the output of what we can do, whereas equipment operators are more interested in being part of the lab environment.
Long-term, we are interested in developing what you might call a validation suite. That means if a ship operator is interested in a new configuration they haven’t run before, we can set it up in our lab, run a test suite across it and be able to say, to some level of surety, whether something is safe or not in the cyber domain.
That’s the kind of thing we’re working towards. We expect the lab to be used for genuine research work, with the output being classic research papers. We also expect some of our partners to be using the lab to do confidential work, working with their clients, customers and equipment. There’s a wide range of different modes of involvement.
RD: The lab is due to open in July – what’s next after that?
KJ: The lab that opens in July will be its first version – so, including a bridge set-up with real devices. We are already working with a variety of partners on this – some of whom are providing kit, others technical advice.
As for the fully configured, all-singing, all-dancing tools for testing and intrusion detection – that’s probably a couple of years down the road. We expect this to be an ongoing refinement as we get more and more people involved.