The following post introduces a series that will educate readers about the nature of cyber risk in the maritime industry. SDI partners with leading maritime services provider Hudson Analytix to provide cybersecurity support to members of the maritime industry.
Although thousands of years old, even today the maritime industry sustains more than 90% of the global economy. Every vessel and port terminal operator in the world creates, utilizes, stores, manages, and exchanges digital data, along with the financial information, via internal and external networks. To this end, maritime companies are rapidly adopting and integrating a broad range of operational technologies and systems, both wired and wireless, which facilitate faster, more efficient and streamlined operations.
The more network enabled devices are deployed and used, however, the more dependent the maritime industry overall will become and, thus, it will become more vulnerable to cyber threats. While networks need to provide high availability, we must also demand high integrity—they will need to be safe. To this end, unlike a standard database or router, a hacked [container] terminal management system could result in a massive number of misdirected assignments or a compromised GPS system could incrementally misdirect vessels outside of channels and into dangerous areas before a compromise is discovered, let alone corrected. Such scenarios could result in costly business disruption, property loss, or environmental damage.
Like Stuxnet 7 demonstrated in 2010 with the successful attack on Iran’s nuclear enrichment capabilities and Shamoon’s disruption of Qatar’s Ras Gas and Saudi Aramco’s computer systems, the expanded utilization and connectivity of highly integrated, networked SCADA and ICS equipment have outpaced the cybersecurity controls needed to secure such critical systems from cyber attack. Unfortunately, automated maritime systems are typically not managed to standard IT best practices. Instead, they are relegated to the traditional physical security practices stipulated by the ISPS and ISM regulations and have yet to be updated to address emergent cyber threats.
Cyber risks span the entirety of an organization—from C-suite executives susceptible to targeted social engineering attacks, to unsuspecting employees (the itinerant seafarer included!) falling prey to a spear-phishing attack and third party contractors accessing your company’s network. Addressing the challenge demands a top down enterprise approach.
By Max Bobys, vice president, Global Services, Hudson Analytix
February 16, 2016