The globalisation of trade and commerce as well as increasing liberalisation has resulted in interlinking of economies of nations towards the end of the last century. Development of newer technologies in communications and transportation has also enhanced trade across the world. The fact that bulk of the trade takes place via maritime routes has raised the relevance of maritime domain and the 21st century is often spoken of as the century of the seas. Maritime trading system, which has always been in the vanguard of economic development from ancient times, has also faced multiple challenges over the centuries. However, it has always emerged as adept at tackling such challenges. Today, enhanced technologies have digitalised the entire maritime industry, creating a digital ecosystem of goods and services. The increasing reliance of the shipping industry on digital solutions for the completion of everyday tasks has brought into focus the importance of preparedness to ensure cyber security. The shipping industry’s cyber vulnerability assessment, security policies as well as measures needed to safeguard against cyber-attacks are, therefore, issues needing analysis.
Technological Advances in the Maritime World
The United Nations Conference on Trade and Development (UNCTAD) Review of Maritime Transport of 2017 opined that new technologies are transforming the maritime transport industry and providing opportunities to improve economic efficiency, optimise logistics management systems and operations as well as expand connectivity, including digital connectivity. Technological advances include advanced analytics, on-board sensors, communications technology, port-call optimisation, block chains, big data and autonomous ships and vehicles. Enhanced technologies have also redefined the ways in which ships, ports and their hinterland connections deliver cargo and services. Apart from resolving delays in documentation, better Information Technology (IT) systems would also provide enhanced data or information security. Technological innovation is also raising the prospect of automated crewless vessels or Maritime Autonomous Surface Ships (MASS). Through adoption and implementation of new technologies, the maritime transportation sector has evolved into a highly sophisticated, digital machine. From ship to shore, much of the movement of goods is controlled and operated by cyber-connected systems. Looming gantry cranes use Global Positioning Systems (GPS) to locate and select containers for precise movements to and from their vessels. Radio Frequency Identification Devices (RFID) allow the real-time tracking of products placed on trucks or rail cars as they move throughout ports.
It would be apparent that just as the age of globalisation and containerisation brought the maritime world closer, the current digital age is doing the same through cyberspace. Digitalisation and automation are transforming operation of maritime business and the very modus operandi of shipping. While, this has exponentially increased the overall efficiency of maritime trading system, reliance on this technology has also exposed the industry to its malevolent use. Every section of the maritime industry – be it port management, cargo and container handling and distribution, operation of ship machinery and navigation systems, and even global navigation aids, have all become technology intensive, in turn making them potential targets for cyber attacks. The entire maritime industry and infrastructure is, therefore, faced with the challenge of ensuring cyber security due to the ever-increasing use of cyber connectivity. So, even as Cyberspace has become the new frontier, the use of internet-connected technology has emerged as a major threat facing the maritime domain.
Cyber Risk Awareness in Maritime Arena
The International Maritime Organisation (IMO) views maritime cyber risk as a measure of the extent to which a technology asset could be threatened by a potential circumstance or event which may result in shipping-related operational, safety or security failures due to information or systems being corrupted, lost or compromised. It further talks of cyber risk management as the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits to stakeholders. The overall aim is to ensure safe and secure shipping and related activities, which are operationally resilient to cyber risks.
It is well known that safety related issues have always played a major role in the maritime sector as even a minor accident apart from financial losses, might cause serious harm to people and environment, due to the large cargo volumes involved which often include hazardous materials. The vulnerabilities in the maritime sector focus especially on various types of operational risks and accidents, mishandling of hazardous cargo, labour strikes and security violations. Digitalisation has resulted in ports being involved in complex information flows that depend on different Information and Communication Technology (ICT) systems interacting with each other. It also means that there exists a potential threat for a possible entry point for unauthorised access. Cyber threat can occur basically in every piece of data that is exchanged and saved in the existing ICT systems.
However, based on several indicators, it emerges that in the maritime industry, cyber security has not received the same level of attention that other sectors have, even though the industry has been a victim of attacks that have brought supply chains to a halt. A survey conducted in 2014 involving fifty of the world’s most prominent shipping companies discovered that thirty-seven of them were unprotected and vulnerable to the simplest of attempts at penetration. Even though the IMO issued Guidelines in 2017 that provide high-level recommendations for maritime cyber risk management, the industry was still observed not ready to tackle cyber threats in a 2020 Maritime Cyber Security survey. While nearly 77 per cent of the respondents classified cyber-attacks as high or medium risk to their organisations, few appeared to be prepared for the aftermath of such an attack. Even as 64 per cent of respondents claimed that they had a plan in place to follow in the event of a cyber incident, only 24 per cent claimed it was tested every three months. Less than 50 per cent of the respondents said that their organisation protects vessels from Operational Technology (OT) cyber threats. As hackers become even more sophisticated in their tactics, it is inevitable that cyber attacks against OT on ships would become the norm rather than the exception.
Cyber Security and Management in Maritime Arena
Cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment. Vulnerable systems broadly cover, communication systems; cargo handling and management systems; bridge, propulsion and machinery management including power control systems; access control systems; passenger servicing and other administrative systems. The distinction between information technology and operational technology is that information technology systems focus on the use of data as information. Operational technology systems are focused on data to control or monitor physical processes. While these technologies and systems provide significant efficiency gains for the maritime industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. While some risks may be due to vulnerabilities from inadequate integration, maintenance or design of cyber-related systems, others would be from intentional cyber-attacks.
It is also for consideration that these days, the ship’s crew as well as passengers embarking, often travel with multiple personal IT devices such as mobile phones, laptops and tablets that are often connected to a variety of networks for their regular activities such as office work or communicating with family and friends. Once onboard, connecting these systems to the vessel’s network may introduce malware into the environment, even if it is simply connected to charge the device. Even when seafarers engage in good cyber security practices, many may be dependent on operating systems that have not been properly secured or updated. Use of such systems, including the use of mobile storage devices, provides a path for malware to access the ship’s critical systems and through them, to ports during exchange of information or connected systems.
Cyber security is not just about preventing hackers from gaining access to systems and information. It is also about protecting digital assets and data, ensuring business continuity and making the maritime industry resilient to external and internal threats. It is crucial to keep the ship’s systems safe from physical attacks and to ensure the integrity of the supporting systems. The complexities associated with various types of merchant vessels and more so, vessels carrying high value cargo, make them vulnerable to high-impact attacks. An attacker gaining access to a ship’s OT network could manipulate and attack its navigation systems, open/close critical valves, manipulate propulsion, rudder or ballast controls, install malware or even gain full administrative control. Cyber incidents can last for hours, days or weeks. When one ship is impacted, it can often spread malware to other vessels via the port network or even the network of the company managing or owning the vessel. Furthermore, if a ship gets grounded or stranded due to an attack on its control systems in the port shipping channel, it could impact the entire port operations as all vessel movements would be affected.
Cyber security management essentially is the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders. Basic elements that support effective cyber risk management, calls for Identification of risks and implementing risk control processes and measures and contingency planning to protect against a cyber-event and ensure continuity of shipping operations. This calls for developing and implementing activities necessary to detect a cyber-event in a timely manner and responding to it to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event. One also needs measures to back-up systems necessary for shipping operations impacted by a cyber-event. IMO Guidelines of 2021 provide high-level recommendations for maritime cyber risk management.
The cyber security standards and frameworks are usually very large and complex to implement fully. One needs to select and implement frameworks and guidelines suitable for their domain and specific systems. In this regard, some major public industries/sectors such as banking and finance, energy and public health, have initiated major steps on cyber security matters over the past decade, mainly because of the cyber incidents across the world in these sectors. The maritime industry can learn from the cyber security practices of such sectors. It would be apparent that even as enhanced digitisation in the maritime industry has positively increased efficiency and safety, it has also brought in various forms of new cyber risks which need constant monitoring.
Cyber Threat Training
Cyber threat awareness level and skills of the individuals can be improved by hands-on training with realistic cyber exercise scenarios. Training needs to be imparted on technical and procedural measures needed to protect against a cyber incident and on how to respond to cyber incidents to avoid disruption of operations. Hence, training is needed not only for professionals handling cyber matters but also for regular users of technical systems onboard ships and in ports and associated sectors. An important aspect in cyber training is that the scenarios should be based on routine or day-to-day operations undertaken. The exercises would need to be periodically updated based on cyber threats/incidents reported from time to time. It is important to make the users aware of the possible ways a cyber threat can materialise and to be alert to any unusual indications. Conducting realistic exercises in the actual environment may be difficult, as the systems are in use on a continuous basis. Hence, simulators which enable as realistic depictions as possible are needed. Planning of such exercises should be based on the roles and responsibilities of users and identification of the systems and capabilities, which if disrupted, could pose risks to operations and safety.
Indian Initiatives to Enhance Maritime Cyber Security
India has been endeavouring to forge closer cooperation on maritime and security matters across the Indo Pacific region through the Indo Pacific Oceans Initiative (IPOI), proposed by her at the East Asia Summit at Bangkok in November 2019. India, Sri Lanka and the Maldives have initiated steps to enhance cyber security cooperation among them. In a meeting of the Colombo Security Conclave at the level of Deputy National Security Advisers hosted by Sri Lanka in August 2021, a pillar for cyber security cooperation amongst the three nations was forged. The first workshop devoted specifically to cyber security was held in January 2022. It was hosted virtually by the National Security Council Secretariat (NSCS) of India, in association with the National Forensic Science University in Gandhinagar (Gujarat) and the Secretariat of the Colombo Security Conclave. The meeting addressed challenges such as the deep web and dark net investigation and challenges, digital forensics, cyber threat intelligence and defensive operations in the cyber domain. The initiative could be expanded further by adding more nations along the Indo Pacific rim, as Maritime Security as well as Technology and Academic Cooperation are elements of the IPOI.
The future trends in the maritime industry indicate that next-generation smart shipping is rapidly embracing advanced technologies such as autonomously operating systems, machine learning and artificial intelligence, that perform decision making without human intervention and indeed can operate systems faster and possibly more efficiently than humans do. Maritime industry consisting of multiple sectors such as shipping, ports and logistics hubs, and associated infrastructure are critical for economies of nations. Disruption even in one of its sectors, may have severe consequences on national health, security and safety, economy, and could even threaten the everyday life of citizens. It would also be evident that sheer transportation volumes involved in the maritime logistics, give it a vital role linking the global economies together. This makes the maritime trading system an attractive target for state as well as non-state actors inimical to a nation or even an association of nations trading together.
Cyber awareness, readiness and risk management in the maritime sector is an area that needs enhanced attention and preparedness. While cyber security is starting to generate the attention it deserves, there is still some way to go to mitigate cyber risks in the maritime sector. A major step in this direction would be increasing cyber awareness through regular training and exercises on cyber security. That would enhance the awareness of the users in multiple sectors and improve the overall cyber security preparedness of the industry as such. The IMO guidelines of 2021 provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities as well as include functional elements that support effective cyber risk management. The industry will need to incorporate the same into their system to improve overall cyber security. Further, IMO member states and maritime industry leaders need to collaborate to develop uniform cyber security standards for port facilities as port facilities play a vital role in global trade and today rely heavily on technology in its operations. Enhanced cooperation by nations across the Indo Pacific in the initiative taken by India, Sri Lanka and Maldives would give added thrust to enhance cyber security across the region.