Is the maritime industry slumbering when it comes to cyber security and the cyber threat?
Yes, like much of the industrial world, the security of SCADA and control networks on board ships is generally poor. Until recently though, ships had air-gaps around their networks. Now ships are becoming internet connected, and passengers and crew expect to have internet access. Combine that with legacy systems (most ships have a 30-year-plus lifetime) and difficulty in updating software on a continuously moving target, and you have a perfect storm for security issues.
By contrast, would you agree that regulators have woken up to the threat and are going to introduce and botch legislation?
Whilst regulation can help improve security, it's not going to solve all problems. Ships last a long time, and regulation is unlikely to apply to both existing ships and newbuilds. That leaves older ships open to issues. Security is constantly evolving, and regulation can rarely keep up. Look at PCI (Payment Card Industry) regulation – by their very nature, written standards will always lag real-world threats and best practice by some time.
Would you agree the biggest threat to a maritime company’s systems is not external, it’s the staff?
Certainly one of the biggest threats, whether they are malicious or simply victims. Phishing attacks, malware, ransomware, etc. could all hit a ship or shipping company hard. Consider a staff member bringing in a USB key, perhaps with the honourable intention of updating a system to the latest software version. That key contains some hidden malware. The ship control systems become infected…
Where are the greatest maritime cyber security vulnerabilities?
Hard to say, but fixing the root causes and providing defence-in-depth strategies means that you can protect against many threats, even ones you may not currently be aware of. Build in layers of defence and ensure you can spot a breach of the outermost layer quickly. Segregate your networks, making sure that systems only have the bare minimum of network (and internet) access explicitly required to function. Any extra connections increase the attack surface available to the hacker.
As always, people are going to be the biggest threat to any system.
When it comes to cyber security and the maritime industry, where is it all heading and why?
Ships present unique challenges. Long life in service, hundreds of complex interconnected systems, generally few dedicated IT staff on board, very rarely are ship control system experts on board either.
One of the first aspects will be convincing shipping companies that there is a real risk before anything bad happens.
Manufacturers need to integrate security from the design stage onwards. Systems need to be secure and stay secure - currently we're not very good at doing that with industrial systems. Many things we thought secure ten years ago no longer are.
Ken Munro of Pen Test Partners will be presenting at the Maritime Cyber Risk Management Summit, on 21 June, in London and in association with Norton Rose Fulbright.