At the Autonomous Ship Technology conference in Amsterdam, Joseph Beel, the strategic programs manager at Cisco, spoke on how advancements in the Internet of Things (IoT), artificial intelligence (AI) and mobility systems are disrupting the way the maritime industry operates – while at the same time exposing vessels to cybersecurity risks arising from the considerable increase in attack avenues.
“If you look at a ship from an engineering perspective, it actually is a network of systems. The control systems were securely built in from the perspective that access was limited, and assumed that anybody that had access to the engineering room was authorized to be there,” said Beel. “People didn’t build in a lot of cybersecurity controls and typically had different protocols within the vessel that weren’t really connected.”
On an autonomous ship, however, it is critical that all these protocols are interconnected, both because several data streams are updated in real time and because a well-networked system makes operations more streamlined and efficient.
Beel contended that vessels of the future, whether manned or unmanned, will have a significant amount of connectedness and interdependence between systems – for instance, engineering systems communicating with navigation and collision avoidance systems.
On how autonomous ships need to be engineered, Beel pointed out that the industry can gain by drawing parallels to the way buildings are designed today. “If you are designing a smart building, you decide what you’re going to connect, who’s going to have access to it, when they get access, and how you protect your data as it can do a lot of damage if in the wrong hands – just as it can to an autonomous vessel,” he said.
The idea is to converge information technology with operational technology across the network, because security is not just a physical security question but a cybersecurity question as well. Beel explained that cyber resilience is critical because the industry is a target of precision attacks by hackers who are persistent and determined to go after businesses at all costs.
Faced with a potentially perilous scenario, it pays to have zero trust in people or devices – to assume that everything is bad until it can be verified otherwise. “Trust is temporal, as it only lasts for a certain period and can change with time and location. The more context we apply to trust, the more secure we can make the system,” said Beel.
“The access to data is critical. When data is aggregated, it becomes even more important to have trust tied to the data. The interconnectivity and interdependence demand that it be automated, particularly if you’re talking autonomous vessels, you’re going to have to act very quickly to maintain safety and efficiency,” Beel continued. Automation must be pervasive, he stated, mentioning that data needs to go from a device in the vessel, through the network to a data center, and finally be pushed to the cloud.
A focus on susceptibility helps to minimize the potential damage that may result from a cyber attack. An approach that fuses intelligence-based, threat-centric security with trust-based security can address resilience issues, fight through an attack, and help the business return to an operational state quickly.
To improve resilience, Beel suggested compartmentalizing systems by restricting access to critical architecture based on the device and application. This can help reduce the impact of a cyber attack, even if the attack succeeds.
“The nice thing about software-defined access is it’s driven by centralized policy orchestrators that will let you change the characteristics of the entire system very rapidly,” said Beel. “If you have an autonomous vessel that you detect is being attacked, you can implement different information technology policies and then manage how that network operates – very quickly and pervasively across the entire system.”