Catherine: Based on your experiences at Posidonia, what are some of the major cybersecurity concerns in the maritime sector?
Martin: During the GVF Cyber Risk and Security Forum, Posidonia participants were focused on one objective: How maritime interests can most effectively collaborate with communications vendors to defend against escalating cyber threats across an increasingly diverse ecosystem of networks used to support satcom, navigation, tracking and other mission-critical services.
Today's maritime vessels – oil tankers, LNG carriers, dry bulk carriers, container ships, cruise liners, etc. – are more than just transportation platforms or pleasure craft. They are floating networks of interconnected communication, control and information devices covering a wide range of applications such as: switches, actuators and valves, propulsion and maneuvering systems, connected navigation and positioning equipment (like GPS, AIS, ECDIS), connectivity solutions delivering access to corporate/enterprise applications, crew welfare applications, and – in the case of cruise ships – passengers' online presence.
Further, the maritime sector's drive to reduce operational costs has resulted in larger ships and smaller crews. This puts a premium on automation and remote monitoring, which increases the number of devices upon which ship owners, managers and operators depend. Fortunately, during our discussions at Posidonia it became quite clear that equipment manufacturers, service providers and maritime stakeholders are working together at an unprecedented level to reinforce cyber-security.
Catherine: How is the growing use of cloud-based data storage and the IoT affecting the maritime industry? And what are some of the related security challenges that could potentially be impacted by satellite communications?
Martin: First the good news. Satellite-enabled IoT innovations and ship-to-shore cloud connectivity are transforming maritime operators' ability to efficiently track and manage fleets, cargo, and crew. By the way, we're seeing similar trends in other sectors, such as energy and mining, for example.
However, with the introduction of every new maritime system – whether it's for Automatic Identification Systems (AIS), Electronic Chart Display & Information Systems (ECDIS), Global Positioning Systems (GPS) or other tools – vendors and end users must coordinate to thwart attacks on those systems. This is compounded by growth in cloud-based applications and in the IoT. Of course, as with any business, the cloud brings significant business efficiencies, and enhanced operational cost effectiveness to a competitive and overheads-sensitive maritime sector. But weaknesses in onboard networks can arise, for example, where a bring your own device (BYOD) culture prevails, or where OEM-sourced equipment (such as a dry bulk carrier hold sensor device, for example) has inadequately updated security access codes.
With the IoT, a myriad of devices – some performing primary communications functions (crew member or passenger smartphones) and others performing functions that are not in the primary "ICT loop," are connected to the "network" (i.e., tank monitors aboard an LNG carrier) – operate together in an environment that is only partially controlled. The "history" and the security of a passenger's tablet or smartphone must be addressed. Likewise, the history of a crew member's or a passenger's USB drive, or the accidental opening of a virus- or worm-infected email attachment.
The satellite networks upon which maritime communications are built can be, and are being, leveraged to give practical effect to a more firmly embedded "culture of cyber security." Maritime company IT staff not only need to attend to security protocols (firewall settings, etc.) of their IT equipment/networks, but they must consider how the security embedded within the communications platform – the satellite terminal and the satellite link – adds to cyber defense.
Catherine: Based on the panel discussions at the event, were there any cybersecurity best practices proposed for the maritime community? What steps can maritime VSAT operators take to minimize cyber threats?
Martin: Best practices from the internet security community are now being applied to the delivery of maritime VSAT solutions. This is being facilitated at two levels: The GVF Product Security Baseline (GVF PSB) is designed for organizations that develop and produce VSAT hardware and software, such as VSAT modems and hub equipment used to support maritime connectivity; and the GVF Satellite Service Provider Security Specification (GVF SSPSec), which was developed for service providers selling satellite-based connectivity to the maritime community.
The two documents, which are continuously being enhanced, were designed to be complementary. The PSB is intended to guide how products (both hardware and software) are developed by the VSAT industry. This includes designing hardware or software products with security as a priority from the outset, providing for secure management and configuration, and establishing transparent methods facilitating the reporting of and response to potential security vulnerabilities in products.
The SSPSec then builds on the PSB by establishing how satellite service providers can protect networks and critical components of their infrastructure. This includes ensuring personnel have sufficient security training, ensuring that networks are instrumented to detect and enable an effective response to any potential attack, and establishing incident response procedures within the organization.
Catherine: What is the role of crew/personnel training and education for maritime cybersecurity? Will GVF be holding any additional cybersecurity forums or training/education sessions in 2016?
Martin: Training and education are central to the effort. GVF will continue to work with leading maritime groups such as InterManager, InterTanko, InterCargo, BIMCO, the IMO, and others. In addition to running cyber-security programs like Posidonia's, our outreach is being expanded through the GVF-Maritime Satcom Forum in collaboration with the Digital Ship events program – which has previously also included GVF support of conferences in Bergen, Singapore, and Hamburg – to cover programs at SMM 2016, Hamburg, 8th September; Digital Ship Rotterdam 2016, 29th September; and Digital Ship Singapore 2016, 13th October.
Further, GVF is planning to develop cybersecurity curricula for its existing catalog of more than 30 online courses. We have enrolled more than 12,000 technicians worldwide, and will be engaging with them, their employers, and their customers to build skills and heighten awareness of satellite cybersecurity solutions.
Catherine: Do you see any trends on the horizon – either threats or new technologies – that may affect maritime VSAT operators?
Martin: Yes. Nearly every industry innovation is going to be scrutinized by would-be attackers seeking to exploit any points of vulnerability. This is true throughout the entire communications world. Nonetheless, we are strongly encouraged that the satellite industry and its users – including maritime customers – are responding to those threats with technology and practices that take network integrity to a higher level.
For More Information:
The GVF has commissioned a Cyber Security Task Force comprising security experts and representatives from across the satellite industry. The goal of the task force is to create a set of vendor neutral specifications for the industry that enhance security without reducing the utility and performance of VSAT solutions. To learn more, contact email@example.com