Cybersecurity and Automated Shipping

It seems pretty clear that automated shipping, in some form, is on the way. Driven by costs and industry, there is little doubt that regulators, already significantly in “catch-up” mode will be put in a position to find a way to make it work. The question still needs to be asked as to what form this is going to take.

Shipping, as this audience is well aware, is one that is both highly regulated and faces a heavy administrative burden. Anyone who has had the opportunity to work on ship-board systems understands the expectations that are placed on work—that it will closely follow exacting performance and engineering standards. My education in this began some 25 years ago when I suggested that one might simply run a cable through a watertight bulkhead. I was fortunate in that the engineer took the approach of educating the new person rather than any number of a host of other unpleasant options.

The question of security across cyber systems in the maritime domain has been one that has been largely shelved in the past. In 2004, when the ISPS Code came into force, Part B was very clear that those conducting assessments were supposed to have knowledge of communications and computer network equipment on board vessels. Vulnerabilities found in these systems flow, like any other vulnerability, onto the security plan. This was mirrored on the port side (land side) of operations as well. What we did not see are very many credible assessments and today, almost 15 years later, we are still grappling with how to bring this into being.

Recent surveys done by vulnerability testers and IT researchers have shown that the level of cyber security may not have kept pace with that of physical security. Revelations of critical communications systems using default usernames and passwords (those supplied by the vendor and available online to those that know where to look), basic password controls, gaps in perimeter security, architectures that allow systems to be susceptible to a range of attacks continue to be found on a fairly regular basis.

The scenario is oddly and disturbingly reminiscent of the conditions that immediately followed 9-11. There is certainly a threat—ranging from state actors through various forms of criminality to the traditional script kiddies and others seeking notoriety. The challenge here is that certain elements within the industry are currently putting the whole system in a position where it is forced to respond to very aggressive timelines and have actually made statements that they will push things through.

Obviously, this would be the time for the regulators and others preoccupied with maritime safety and security to put up their hands and advise that industry that public safety issues fall under the authority of the regulator and that they will not be dictated to by a limited commercial interest.

For those in the maritime industry, however, there is a need to be cautious. It is apparent that at the operational level, there is significant work to be done in addressing cultural issues with respect to IT Security. The factors are also present that point towards yet another instance where the requirements are developed quickly and without having a clear understanding of the costs involved—both in infrastructure but also in terms of the adjustments in terms of competitiveness and technology.

Around 2004, the security industry reacted to events and applied layers upon layers of security on just about all aspects of life. We continue to feel the impacts of those controls in terms of human rights, competition, and economic position. We should not recreate the same conditions for the sake of rolling out new technology before we have a significant understanding of its impacts. The industry may want to start to put pressure on their regulating bodies to ensure that the issue is addressed thoughtfully and that the requirements, including the public safety goals, are based in facts and science, not in supposition and speculation.

Allan McDougall BA BMASc PCIP CMAS CISSP CPP PSP CMSP is the chief learning officer of the IAMSP and an executive vice president of Knowledge Advancement Solutions based in Ottawa, Canada. In addition to his military experience, he has served as a security advisor with Canada’s Coast Guard, Department of Fisheries and Oceans and Canada Border Services Agency. He was also previously a senior inspector with Transport Canada’s Marine Security Operations and has coauthored several works associated with infrastructure protection and emergency preparedness.