Maritime Cyber Security: Survival at Sea

What do we think of when we hear “Survival at Sea”? 
It usually brings up visions of a ship in a perilous situation confronting some extraordinary circumstances that might be life or death.  We are now faced with an even more harrowing scenario- broaching of maritime information including specific details that might encompass company proprietary data as well as details of vessel schedules and particulars.  Many of you have heard of recent cyber-attacks including Stuxnet that deliberately disrupted critical automation systems and the just released Flame computer virus disguised as a Microsoft-built program that has caused problems for Iran’s computer networks.  These cyber-attacks speak to the need for safe and secure information systems aboard maritime vessels and the requirements for a robust cyber defense system.  Counter terrorism experts indicate that future attacks are inevitable and that the US maybe in harm’s way of collateral damage if this is picked up by unfriendly adversaries.
Most people do not realize that a majority of activities in the maritime field rely on sophisticated electronic and communication systems, and that puts them in an extremely vulnerable position and exposes them to hacking similar to nuclear plants and other areas of national infrastructures.
A recent 2011 European Union (EU) Report on Maritime Cyber Security indicates that maritime cyber security awareness is currently low to non-existent.  This report covers many of the challenges facing mariners in the 21st century and highlights trends as well as examines current initiatives while offering recommendations to address these risks.  In the global world of 2012 this report proposes maritime cyber security as an important and timely next move in the global arena of Information and Communication Technology (ICT) infrastructure protection efforts.
Based on the high complexity of ICT aboard maritime vessels it is paramount to adequately support and maintain a proper maritime cyber defense system.  One of the basic concepts should be a design methodology that incorporates security in all major maritime ICT components.
Current maritime security principally deals with physical security and it now needs to be expanded to encompass cyber security and defense.
Much of the cruise industry currently has IT department onboard vessels and the new changes in the 2010 STCW Manila Amendments have even introduced an Electro Technical Officer (ETO) designation with approved training and Certificate of Competency (COC).  On board cruise and passenger vessels an ETO is immensely important as they have huge electrical requirements and unmanned technology handling them.  An ETO can be seen as a higher version of an electrical officer.  Some areas that an ETO is responsible for include radio communications, electronic navigation equipment, telephone and satellite communications and engine room electrical equipment. 
The 2010 STCW Manila Amendments have now been in force since January 1st, 2012 and although there is no specific requirement for the carrying of an ETO, IMO has created the position with core competencies and minimum mandatory requirements.  It is plausible to believe that future STCW Amendments will make this a mandatory position on certain type and size vessels.  Prudent vessel owners and operators would be wise to fully embrace this position and commence integrating it into their crew complement.
It is interesting to note that over 50% of international trade takes place via maritime shipping and within the European Union (EU) over 40% is via maritime commerce.  With these staggering numbers it should become readily apparent that the ICT infrastructure and backbone needs to be made more secure and tamper proof.  Measures that can be deployed include developing a holistic approach to cyber based risk management, building a framework for cyber incident response, enhancing information sharing to improve incident response capabilities and improving cyber security across all infrastructures.  Much of this can be framed around proper training for all crew members as well as implementing the ETO position and ensuring and performing systems audits on all equipment and systems to verify they have the latest security and software updates.
At sea some simple items that can be done to be more cyber secure and vigilant include whenever updating ECDIS charts to verify the source, request encrypted data and digital electronic signatures.  These are simple steps that can help alleviate someone maliciously sending you incorrect navigational data that could easily put your ship in jeopardy or peril for example by moving one buoy out of position in a channel.
Would it be beneficial for the maritime community to get together and form a maritime cyber security team that could establish strategy, policy and guidelines that would be beneficial in securing and protecting the maritime sector?  In today’s world now is the time to make this preventive move and on an individual basis all shipping companies should be self-evaluating their operations and infrastructure to ensure they are fully compliant with the latest security and protection systems to avoid future threats..


CDR Muccin, USMS is an Assistant Professor in Nautical Science/Marine Transportation at the United States Merchant Marine Academy.  The views here are her/his own and not those of the Academy, the Maritime Administration or any other branch of the United States government.

(Source: Maritime Reporter & Engineering News, July 2012 - www.marinelink.com)