Brendan Saunders of NCC Group discusses the numerous cyber security challenges facing the maritime industry, on the ship, shore and throughout the logistics chain.
MR: This is Greg Trauthwein. I’m the editor of Maritime Reporter and Engineering News. We’re here with Maritime Reporter TV at the SHIPPINGInsight 2016. We’re with Brendan Saunders of NCC Group. Brendan, thanks very much for joining us.
Brendan Saunders: Thank you for letting me join and talk to you.
MR: Absolutely. Brendan, we just had a brief discussion on NCC Group. Could you share with our viewers just a little background on who NCC Group is?
Brendan Saunders: Sure. NCC Group is the world’s largest cyber security consultancy — head office in the U.K. in Manchester. I work out of our London office. We’ve got sites all across the world from the U.K., the U.S., Australia, Singapore — unrivaled global reach. We have the largest cyber security consulting team on the planet: 600-plus consultants covering a range of expertise from penetration testing through to other assurance activities, risk management in governance, PCI, ISO 27001, which gives us an opportunity to really make a difference amongst businesses and help them to secure themselves from a range of different angles.
MR: I believe you have some maritime experience, as well. Can you give me your personal maritime experience?
Brendan Saunders: Of course. I’m actually a reserve officer in the Royal Navy in the U.K., so I’ve got quite a lot of experience working with vessel operators, looking at how to secure themselves from a range of different threats, not just cyber security but counter piracy, maritime security, as well. And that’s something that I do on a regular basis.
MR: Well, as you know, the maritime industry is a unique industry. And I would imagine that it is so from the cyber security aspect, as well. Can you tell us some differences — or key differences — you see in the maritime world versus land-based cyber security?
Brendan Saunders: I think, from my perspective, the key thing that’s made the real difference with maritime cyber security is that everything is an awfully long way behind what we’ve seen in most other industries around the world. And that comes because ships have only recently started to become these floating, connected platforms in the way that we’re starting to see today. If you go back five years or so, you didn’t really see the connectivity of ships in the way that we have now. Now with fleet broadband, with V-SAT, you’re getting 5 and 10 megabit download speeds to ships that’s always connected. It’s no longer this once a day or just alongside connectivity. And so really, with this raft of new technology, you’ve not seen the implementation of cyber security that we’ve seen across the board in a lot of other industries, because ships are not really seen as branch offices, which, ostensibly, is what they’ve really become today. They’ve become branch offices. And I think, also, the life cycle of ships is something that people — particularly in the cyber industry — really don’t appreciate in that ships last for 20, 30 years, in some cases, and they weren’t designed to have these integrated systems. They’re things that are put together piecemeal. They’re not put in, in a lot of cases, unless they’re a new build, not put in as this one piece fit. So new bits of technology are added that, plugged in, it’s all very ad hoc, from different manufacturers and there’s very rarely this single overview of the technology on board the ship and how it should be separated and secured.
MR: That’s excellent. We talk about attitudes in the maritime industry quite often, and in many different respects. And I would assume, since this technology is still relative- or technology and connectivity on ships are still relatively new. The attitudes toward cyber security are, shall we say, evolving, as well. Can you just give us a brief on the attitudes you see in the maritime industry toward cyber security, and particularly, any areas that might need some change?
Brendan Saunders: I think the attitude’s already starting to change. I think when you look at a lot of people who’ve been working the maritime industry for a long time, ships masters are not people who come in as ships masters — they’re people who have trained from, and in a lot of cases a very young age, and they’ve achieved their position through doing so. But in a lot of cases, technologies like the Internet, like email, like this kind of always-on instant access, are new to them. They’re not technologies they’ve used day to day — if they’ve been at sea for 20 or 30 years, actually they’ve not been using this technology day-to-day. So they’ve sometimes missed out on some of that evolution, and they don’t necessarily understand the threats. And so a lot of what we’re trying to do at the moment is about education. And people see the threat, but they’re not being given a really easy way to resolve things. And I think the industry likes solutions — they don’t want to just hear about the problems. They want a really clear set of guidance on how to move forward.
MR: Okay. And I would assume your participation here in Stamford at SHIPPINGInsight is part of the plank to spread the word, shall we say. Obviously, you’re here to discuss cyber security in Stamford at SHIPPINGInsight, and you’d indicated that you want to just give two clear takeaways. Can you share with us what those takeaways would be?
Brendan Saunders: Absolutely. I think from our point of view, the problem really needs to be solved by two key sets of people: it’s the vessel operators and the OEMs, the original equipment manufacturers. What I really want to give as a takeaway to the vessel operators is about network segregation: it’s about understanding what kit you have on your bridge, what kit you have over the rest of your ship. And my research really gives us four key zones on a ship in terms of technology. Your red, which is your industrial systems like engine and cooling and gearing and steering. You’ve got your blue systems — your AIS, your ECDIS, your GMDSS systems. You’ve got your black, which is your uncontrolled crew Internet, crew Wi-Fi, and then your green which is your back office. And if you can just categorize all of your systems into one of those, into those big handfuls, and then work on ways to separate those out. And the technology there is-, it’s quite simple to do that. That’s not hard stuff to do. It’s what people do in their offices. And most of the shipping companies who are getting this wrong on ships are getting it right in their offices. It’s about moving that implementation and just seeing your ship as a branch office. For the OEMs, it’s about product assurance. It is the responsibility of people making the technology that goes on ships to make sure that they’re getting external validation for their products. And we’ve got this great responsibility divide that I talk about quite a lot in my blogs, and on stage I’ll talk about that again today, that actually OEMs say it’s the vessel operator’s problem to deal with cyber security. Vessel operators say they expect to buy safe, secure technology from the OEMs, so it’s their problem. And in the middle, we’ve got this chasm that needs to be filled and both parties need to approach it. And that’s why I’m giving one key takeaway to each of those parties today.
MR: Well, if you blog, we have Maritime Logistics Professional and you need to blog for us because we’re always looking for good content. Again, this is Greg Trauthwein with Maritime Reporter TV. Brendan, thank you very much for your time.