The specific characteristics of maritime information systems
The relative misunderstanding between traditional cybersecurity vendors and the users of maritime information systems generally stems from unfamiliarity with the maritime environment and from the difficulty of adapting or integrating conventional systems to the constraints of this sector. In this article, I describe some of the characteristics of the maritime environment that explain why a specific approach is necessary when deploying off-the-shelf systems and software in this domain.
Among the constraints encountered, the first is connectivity. While modern vessels are increasingly connected to shore through satellite links and 4G networks, bandwidth, especially for ocean-going vessels, remains limited and expensive. In addition to these throughput limitations, the RTT (Round Trip Time) of a satellite link can be significant: several hundred milliseconds may separate the transmission of a message from its reception. This complicates shore-to-ship connectivity, particularly for remote support and control (e-maintenance, monitoring) of maritime information systems, although from a security standpoint this is not always a bad thing.
This relative sense of isolation also has implications for cybersecurity. Crew members may feel somewhat “protected” from the cyber threats that are widespread on land, a feeling that the satellite and 4G links described above make only partly justified.
Resilience and safety are constant priorities for seafarers. The digitalization of the maritime sector must never introduce unacceptable risks at sea: safety — of the environment, the crew, the cargo, and the vessel itself — must not be compromised, even in the event of the loss of a critical information system.
There is usually no full-time IT/OT/cybersecurity specialist on board a vessel at sea, at least on most civilian ships. Administration, maintenance, and security are largely outsourced and typically handled during port calls. On the other hand, ships often carry highly skilled experts in the vessel's physical systems, who understand their installations in great detail and can discuss their operation for hours. From what I have observed, except in certain cases, their expertise often stops at the interface where the underlying IT layer takes over.
Maritime information systems frequently consist of Commercial Off-The-Shelf (COTS) components that are integrated on board by subcontractors. As a result, the crew often has only limited visibility and control over the installation. This “black box” effect is reinforced by the protocols in use: industrial protocols, sometimes obscure proprietary ones, in many cases without any security mechanism, and generally vendor-specific. This situation makes it difficult to securely configure and regularly update maritime information systems in order to defend against cyberattacks. The issue is even more critical given the particularly long lifecycle of ships and naval infrastructures (20 to 40 years), especially when compared with the much shorter lifecycle of consumer technologies: a vessel delivered today will still be sailing long after the software embedded in its equipment has reached end of support.
Finally, one must not forget that ships operate most of the time in a hostile environment, whether coastal or deep-sea, and often in isolation. Reconfiguring or reinstalling a data center in sea state 7 is not exactly an easy option… To illustrate the point, here is a short video.