Maritime and port cybersecurity.

Update of March 19, 2018.

The BBC reports that Russia is suspected of having jammed the global GPS positioning system during a major NATO exercise called Trident Juncture. This is not particularly surprising, as it is a known Russian capability and has already been suspected of being used on several occasions. The area affected would have included Lapland and territories close to the Russian border in northern Norway.

At the end of the article, the BBC also mentions the accident involving the Norwegian frigate Helge Ingstad, which collided with an oil tanker in southern Norway, although it stops short of drawing any direct link between the two events.

The South Korean manufacturer Hyundai Heavy Industries has announced that it obtained a cybersecurity certification from the American Bureau of Shipping (ABS) for a Very Large Crude Carrier (VLCC) scheduled to be delivered to a European client in November 2018 (possibly the Greek company Okeanis?).

There are few details available, but the certification reportedly reflects work carried out on the security of the vessel’s industrial control systems.

I suggest reading this short article, which reports on a partnership between KPMG, the audit and consulting firm, and the Norwegian manufacturer Kongsberg, which designs systems for the oil and gas industries as well as the maritime sector.

There are not many details available, but it is nonetheless interesting to see manufacturers finally paying closer attention to the cybersecurity of their systems and turning to external audit and consulting firms for support. Let us hope they will find at least part of the solution there—bearing in mind that the problem, as always, is far from simple.

I recommend reading this article from The Register about the challenges of updating systems aboard Royal Navy vessels (and the 129 comments that follow it…).

The article reveals that the Royal Navy is still using obsolete versions of Windows, namely Windows ME and Windows XP. How did they find out? Quite simply: the journalist… asked the question while embarked aboard HMS Enterprise.

Crew members confirmed that, since the vessel was built in 2003, most of its information systems date from that period. To be fair, the ship is an experimental vessel. Here it is:

The — relative — misunderstanding between traditional cybersecurity vendors and users of maritime information systems generally stems from a lack of familiarity with the maritime environment and from the difficulty of adapting or integrating conventional systems with the constraints of this sector. In this article, I describe some of the characteristics of the maritime environment that explain why a specific approach is necessary when deploying off-the-shelf systems and software in this domain.

In this article, I explain in more detail what a maritime information system is, attempting to classify them as clearly as possible.

Maritime information systems can refer to different types of infrastructure:

• ships:
  • merchant vessels
  • warships
  • recreational vessels
  • fishing vessels
  • scientific / hydro-oceanographic / fisheries research vessels
  • barges
• ports and naval infrastructures:
  • container loading/unloading systems, smartports, logistics systems
  • Port and Cargo Community Systems
  • cranes and gantries
  • dock and basin management systems
  • locks
  • pipelines
• other onshore facilities:
  • maritime informatics of signal stations, MRCC (Maritime Rescue Coordination Centers), ship command and management centers
• offshore installations:
  • drilling platforms
  • Marine Renewable Energies (MRE): wind turbines, tidal turbines…

Next, to make things easier to understand, I tend to divide systems into two major families: “IT” systems (Information Technology), which are fairly similar to what can be found in other sectors, and “OT” systems (Operational Technology), which, to simplify, could be described as “operational systems”, more specific to the maritime information domain.