Home | Contact ST  
Follow ST


2018:  JAN | FEB

Defining the Future of Maritime Cybersecurity
John Jorgensen
Cybersecurity is one of the most critical business issues of today, posing multiple, overlapping and evolving threats to our ability to operate and communicate safely and securely. Defining the challenge is prone to oversimplification of a vast and complex subject, but in our view it essentially boils down to a handful of key elements.

These are: having an understanding of what your systems are and making conscious decisions about the engineering, care and maintenance of those systems. A third element is perhaps the least understood: an appreciation of shared risk.

When it comes to the future of cybersafety and cybersecurity in shipping, realizing this for the industry is going to require much more effort to understand the design, engineering and operation of our systems.

Unconsciously we tend to trust people to do the right thing for us, especially if we’re paying them. However, having a contract with a company to provide technical or IT services does not mean that we know that company. When we hire them to work on our networks we take for granted that they are going to do their best to deliver a quality product.

If we want to understand the safety and security of our own systems, we have to acquire the information necessary from the companies with which we contract to understand their characteristics as well as their functional success and failure paths. This is something we frequently neglect because it requires more time to develop this understanding than the period companies are used to spending on documentation and testing.

This is why ABS designed the suite of guides in its CyberSafety Program, http://bit.ly/2kkIMMh, so that these challenges can be addressed in pieces and companies can do what is necessary to provide a defensible set of capabilities across their organizations at an acceptable level of expenditure. The user simply has to apply the necessary human and time resources. Even so, some companies are likely to object, either because they believe they don’t have the people to manage it, or the time available to do it. But this neglect has consequences.

An example of the kind of new understanding needed would be to ask an organization if it can afford the unknown risks that could negatively affect its business. The answer is, in most cases, probably not. But companies often hope for the best, instead of working to manage the risks to their operations.

But hope is not a method. Hope is something that you hold in your heart—it’s not something that we bank on in engineering; we need to see all the components in the big picture.

Companies must take the action necessary to safeguard their systems and keep them from behaving in ways that they don’t expect. In the maritime and offshore sectors that increasingly means understanding the interconnectedness of systems and equipment onboard ship, as well as their connection to shore and the digital hinterland.

Unlike success, integration does not have many parents. It is an orphan, requiring focus on and specific knowledge of systems in order to understand the implications. Only once that interconnectivity is understood can companies draw firm conclusions about extrapolated decisions and conditions.

Too few companies consciously define their interoperability position; they only know when data are flowing or not. They don’t understand what the data are, what can affect data or how machines communicate without humans. The temptation is to think: It works, and my engineers keep it working, so I’m happy. But when something doesn’t work, because of a problem with interoperability or system integration, then they will suddenly start paying attention. And by then, it will be too late.

If systems are completely static and never updated or changed, then an owner might be able to keep his assets moving. But if he lets third parties and OEMs perform software updates without a risk management process, then he is playing with fire.

To date, recorded malicious maritime cyberattacks have been few. The problems ship and asset operators encounter are largely software related. But, in either case, the risk is far greater than generally understood.

ABS is helping asset owners understand how their risk will affect others, tracking the inheritance of risk from one organization or one system of systems into higher levels that go from a ship to a port and a region.

Where a company has a risk that it finds hard to quantify, there is a strong likelihood that it might affect not just its operations but also those of its neighbors and anyone it does business with. It is essential to re-emphasize solid engineering and systems understanding among personnel across an organization. Without this, there is no way to grasp fully the unquantifiable and unacceptable risks to operations.

Getting a handle on cybersecurity is daunting enough for many organizations, but they have to go beyond themselves and consider their business partners’ security. For many companies, it is going to take some kind of an event—hopefully not a fatal one in which people are hurt or the environment damaged—for them to wake up and realize they need to do something.

The best way forward is for companies to be proactive. Taking action long before you are forced to means that you will be able to manage the risk before the threat is on your doorstep or inside your organization.

John Jorgensen directs cybersecurity and software life cycle engineering and assessment activities at ABS. Having come up as a combat systems engineer in the U.S. Navy, he approaches cyber and software as problems requiring systems engineering solutions. Following Navy and government work, he directed operational security for ABS CISO before moving to enterprise cybersecurity development.

2018:  JAN | FEB

-back to top-

Sea Technology is read worldwide in more than 110 countries by management, engineers, scientists and technical personnel working in industry, government and educational research institutions. Readers are involved with oceanographic research, fisheries management, offshore oil and gas exploration and production, undersea defense including antisubmarine warfare, ocean mining and commercial diving.