A panel of maritime and cybersecurity experts on October 21 discussed the changing demands on the maritime industry to ensure the physical security of vessels and shore side infrastructure and operations as information technology (IT) and operational technology (OT) converge.
The convergence is opening up new attack surfaces that can impact the critical OT systems that underpin the operations and safety of vessels and maritime supply chains.
Energy and marine technologies and equipment manufacturer Wärtsilä hosted the webinar. Wärtsilä Cybersecurity GM Päivi Brunou opened the discussions by highlighting that cybersecurity risks would become more difficult to manage owing to growing complexity and a continuously evolving threat landscape, with more companies and solutions being connected, leading to more attack surfaces on technology systems.
"With all the people and goods on the oceans, there are myriad data and information that need to be protected. Three key trends over the next ten years include greater connectivity of all elements and systems, the convergence of IT and OT and the security of people.
"The new approach in the maritime industry is the need to counter the evolving technological complexity. Even in the IT industry, it often takes more than six months for companies to realise that their data has been breached and the maritime industry may not have the luxury of this length of time to detect and neutralise such breaches and attacks."
Some IT threats and attacks are beginning to impact on OT systems, including through mundane practices such as the charging of a smart device from an OT piece of equipment, allowing malware and even, in some circumstances, ransomware to infiltrate and affect OT systems.
This example illustrates not only some of the technological risks, but also the importance and relevance of ensuring crew and personnel understand the risks and their roles in ensuring the cyber-physical security of the vessel and people.
Norwegian Cruise Line VP of enterprise technology operations and CISO Georgias Mortakis advised that maritime companies and their supply chain partners conduct risk assessments not only on IT or OT systems separately, but on all of these systems and their impact on each other.
This enables companies to determine the risks posed to, for example, OT systems in the event of a cyberattack or malware infection, as well as to implement practices and processes to appropriately mitigate these risks.
"IT and modernisation bring benefits, but introduce IT risks. Collaboration and coordination can help to mitigate these risks, but ship owners and companies must consider staffing requirements and the capabilities on board vessels and shore side.
"Some IT cybersecurity standards - in addition to maritime standards - can help to provide a framework for improving cyber-physical security, but not all of the systems and risks should be treated the same. The OT network must be taken into consideration, as it is sensitive and remains important at the end of the day because its loss can impact lives. Therefore, IT and OT cybersecurity frameworks cannot be completely isolated frameworks," he said.
Staff capabilities to respond to, contain and neutralise attacks or breaches are crucial and will be partly informed by risk management programmes. This will typically require more people with greater expertise on vessels or shore side operations.
However, Brunou emphasised that effective defence against cyberattacks also required that all crew and staff members understood their roles and what behaviours and practices were acceptable.
"Preventing fires on vessels is everyone's duty; the loss of OT systems can have similar consequences in terms of the safety of the vessel and people and, therefore, require that everyone - whether the IT team or operational crew - understand their role in preventing such events.
"A European Union Agency for Cybersecurity report showed that more than 70% of seafarers would share personal data to improve their career advancement and more than 50% would share personal data for free access to the Internet. Only about 15% have received cybersecurity training and more than 30% of vessels and organisations have a policy to change passwords used on vessels regularly," she said.
"Given that more than 84% of successful cyberattacks are based on some kind of social engineering, it highlights why it is important to train people on why they should not share data, even data that they think may be mundane or inconsequential, because this data can potentially be used in other attacks or to target other people."