The increased dependency of the global economy on maritime trade, coupled with a steady increase in the cyber-threat level emphasises that action is required to secure critical maritime systems against disruptions and service denial, and to plan the response to future incidents of this nature. This industry is increasingly dependent on technology to communicate, organize, streamline and digest information but many struggle to acknowledge that the immediacy of the internet, that they have become used to ashore, is not available at sea.
Marine information systems have a major impact on the safety and performance of engineering assets and shipping infrastructure, for example terminal operating systems, industrial control systems, business operating systems, access control and monitoring systems, navigation systems and platform management systems. Many systems such as test equipment, HF radios, platform management systems, photocopiers etc have a PC hiding inside (with a processor, operating system, memory and hard disk drive……”If it looks and smells like a PC……It IS a PC!!”). Such equipment is often overlooked when considering IT security and has the potential to further widen the “attack surface” via removable media used to transfer data.
Many commerce systems operate on a “just in time” delivery basis, with the effect of any failures being felt very quickly. For example, after the attack on the New York World Trade Centre the impact of closing ports and airports resulted in the automotive industry closing factories within 48 hours due to component shortages. Furthermore, the expansion of shipboard and shoreside autonomous systems is helping to minimise vessel turnaround times; whilst this may be commercially attractive, delays due to cyber-attack could very easily upset what is essentially a delicate operational balance.
The responsibility for preparedness and response lies squarely with owners, management companies, port/platform operators etc. but the lack of timely advice or direction from national government, the IMO and other maritime organisations has resulted in little progress so far in this area. The scope of the problem and identification of the types of organisation, personnel and critical equipment/systems involved needs to be defined as a first step. This should be followed by identification of the threats and subsequent mitigation and or response as a risk based approach.