Cyber Security In Shipping & Offshore Ops
Global shipping and offshore oil and gas operations are increasingly dependent on integrated networks, based on various software and data transfer solutions. Systems and equipment onboard are interconnected, monitored and controlled through an onboard automation network. Onboard systems are increasingly also connected ashore to the owners’ or technology providers’ control centers. Equipment manufacturers want to remotely upgrade the software of their systems and monitor their use to be able to optimize operations and to schedule needed maintenance service. Shipowners and oil companies develop their integrated energy management systems. The risks of data security violations are increasing, requiring focused countermeasures including actions by all parties. Potential cyber security threats for shipping and offshore oil and gas installations follow to a large extent those of onshore industries and companies, with the added element of satellite communications.
Major Developments in SatCom
With sea-to-shore traffic increasing, the future availability of satellite communication capacity was discussed at a conference on future unmanned vessel operations arranged by NorShipping in Oslo, Norway, in June 2015. In that context, security was also touched on by Ronald Spithout, President, Inmarsat Maritime. Inmarsat plc is a leading provider of global maritime satellite communications, and Spithout said that a cluster of satellite cells for communications is currently being built around the world, providing security and redundancy, based on beams and cells, “where each beam will have up to 89 little cells which are all in relation to each other so you get a truly global coverage and also, at each given time the satellite disk is looking at the next cell as well. The connection gets more secure, it gets more back-up, and the security itself is of highest priority when it comes to designing the new network.” The new network was scheduled for launch towards the end of 2015, after Inmarsat achieved global coverage by adding a third satellite, providing a completely new way of dealing with traffic signals that increases security. “In the future there will be more than one satellite connection link with the vessel providing reliability and redundancy.”
He described how, together with Cisco Systems Inc., a software layer is being developed around the Inmarsat satellite network.
“It is an enormous project which will see the light in 2016. The ownership of the terminal will be separated from the ownership of the traffic, where the ownership of traffic can be defined based on the type of application or the type of sensors or the destination of the traffic and then the application providers will deal with the traffic and the costs of it so that they can provide flat fees of their applications towards the vessel.”
He said there might be hundreds (of applications) which will see the light in a year or two. Inmarsat reported in November that the I-5 F3 (the third satellite mentioned above) had been successfully launched in August, ‘putting Global Xpress (GX) on track for the introduction of global commercial service by the end of the year.’ Inmarsat will also launch Fleet Xpress, its maritime service based on Global Xpress, which will be the world’s first hybrid Ka/L-band mobile satellite system.
‘Class’ Intensifies its Work
The maritime and offshore oil and gas industry has seen cyber events such as manipulation of AIS, ECDIS and GPS data, as well as hacks on port IT systems and breaches in the bunkering community, such as the cyber attack that was reported to cost World Fuel Services (INT) an estimated $18 million.
According to DNV GL, in 2014 alone more than 50 cyber security incidents were detected in the Norwegian energy and oil and gas sector. The maritime industry, together with related authorities such as the USCG in the United States and ENISA in Europe, as well as classification societies, has its full focus on cyber security matters.
Classification societies such as ABS Group and DNV GL provide advice, consultation, services and updated regulations aiming at minimizing the threat of malicious attacks.
ABS provides a range of cyber security services, including identifying a company’s Security Baseline and level of potential risk to an attack, and examining and assessing the physical and logical security of the industrial control systems against well-known standards and best practices. Using a combination of software failure mode knowledge and offshore industrial control system experience, the solutions required to reduce the risk of downtime or a safety incident are assessed for complex, high-consequence vessels such as semi-submersibles, drillships and FPSOs. Reference standards mentioned by ABS include ISO-IEC 62443, NIST 800-53&82, WIB, and other Industrial Control System specific cybersecurity standards.
At DNV GL, Tor E. Svensen, CEO of the Maritime sector, said that high-speed ship to shore data communication will offer the opportunity for malicious attacks, and attempts to actually control or damage ships or property. The area of cyber security will see a lot more attention in the years to come, addressed in the rules and procedures. Earlier in the year he summarized that “in theory, all programmable components may be exposed to cyber threats, be it machinery, navigation or communication systems.”
He recommends self-assessments and also third-party audits, such as those offered by DNV GL’s own Marine Cybernetics unit. By combining so-called Hardware In-the-Loop (HIL) testing with cybersecurity testing, typical threats such as network storms and penetrations, password attacks, disconnections and communication failures can be addressed. The Integrated Software Dependent Systems (ISDS) standard, originally developed for the offshore industry, aims at ensuring reliable and safe operation of the vessel’s integrated and stand-alone control systems. “If you have already taken care of software integrity, installed data protection and assessed the risks e.g. with HIL testing or ISDS, you are in a good position to take the next step in improving cybersecurity,” Svensen said.
Classification companies have much to contribute when defining cyber security requirements and in establishing rules, class notations, recommended practices and guidelines, and also in supporting companies with industry protocols such as ICCP, UCA and DNP. The U.S. Coast Guard also works with DNV GL on building a regulatory framework and providing comments to the USCG “Guidance on Maritime Cybersecurity Standards.”
USCG Guidance on Cybersecurity
After a year-long development process, the U.S. Coast Guard launched its cybersecurity guidance initiative on January 15 this year by hosting an interagency public meeting on the subject ‘Guidance on Maritime Cybersecurity Standards.’ The initiative has its original background in the Maritime Transportation Security Act, the law enacted after September 11, 2001, and in more recently set governmental requirements, which are also based on the Cybersecurity Framework of the National Institute of Standards and Technology. Through the initiative the Coast Guard looks for the industry and the public to participate and help develop policy and the most effective cybersecurity regulations for the maritime industry. In this process, the Coast Guard asked for feedback or questions on various cybersecurity issues through a dedicated website, to be considered when developing its relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure. In the process the USCG stressed the importance of full transparency and cooperation with its interagency partners and the maritime community.
(As published in the January 2016 edition of Maritime Reporter & Engineering News - http://magazines.marinelink.com/Magazines/MaritimeReporter)