Making cyber security part of the newbuilding process
The Naval Architect: July/Aug 2018
Maritime cyber security is primarily thought of as one of the day-to-day responsibilities of the shipowner and their crew. Much like correctly functioning equipment, cyber security is an essential part of vessel operation, which will quickly be compromised if either of these fails in some way.
The focus on the cyber security of operational vessels is understandable given that cyber-attacks whilst at sea can have serious consequences for the vessel, the environment, the crew and the shipowner. As such, cyber security guidance typically promotes best practice with regard to seafarer cyber awareness (sometimes referred to as ‘the human element’), training, and updating software to stay protected in an ever-changing threat landscape.
However, certain quarters of the industry are looking to take a step backwards by thinking about cyber security as part of newbuilding. The idea suggests that cyber security should be considered as much a part of a vessel’s design as its engine or its hull form – a fundamental component to be fully integrated, tested and verified as part of the newbuild process. The logic behind promoting cyber security in newbuildings is that a vessel can be designed to be ‘inherently secure’, with every system assessed and optimised before commissioning.
The most significant project so far to develop this idea is IACS’ plan to release 12 recommended practices relating to cyber security and resilience in newbuildings, which the Association will present to the IMO in December at MSC 100. Designed to complement the operational focus of BIMCO’s ‘The Guidelines on Cyber Security Onboard Ships’ and the IMO’s ‘Guidelines on maritime cyber risk management’ adopted in 2017, the recommendations will be released sequentially and focus on identifying and protecting newbuildings’ myriad “attack surfaces,” as described by IACS Chairman Knut Ørbeck-Nilssen. As ships become increasingly digitalised and connected both to the shore and other vessels, protecting these “surfaces” from the outset has become essential.
DNV GL, of which Ørbeck-Nilssen is CEO, is another frontrunner in developing cyber security services for newbuildings. At the Posidonia exhibition in June, the class society announced that a set of cyber security notations – Cyber Secure Basic, Cyber Secure Advanced, and Cyber Secure (+) – would be released on the 1st July. ‘Basic’ is intended for ships in operation, ‘(+)’ for additional systems beyond power generation, navigation, propulsion and steering, and ‘Advanced’ specifically for newbuildings, with requirements for owners, yards, and manufacturers.
To understand the role of these stakeholders in installing cyber security in newbuildings, The Naval Architect spoke with Patrick Rossi, DNV GL’s principal cyber security service manager in their maritime division. Rossi leads a team which outlines vessels’ cyber security requirements, verifies the systems put in place to meet them, and monitors them. These processes make up what Rossi calls ‘cyber risk life cycle management,’ which has its foundation at the newbuilding stage.
For Rossi, it is essential in newbuilding projects for all stakeholders to discuss, understand and agree on the vessel’s particular cyber requirements. As he notes: “If you pick a yard and look at a vessel that they’ve already built hundreds of before, you’re basically copying and pasting the design, the software, and possibly using the same vendors and so forth. You’ve already worked out all the problems. But when you’re [building] new, complex vessels, you can encounter a new yard, new teams and new cyber functionalities”.
The combination of unique design requirements, new stakeholders who may have never worked together before, and the presence of multiple vendors and subcontractors sets a learning curve for the newbuilding project, so discussions on cyber security requirements from the get-go help to create mutual understanding. Rossi says: “DNV GL put people in a room together and we start drawing up a threat picture so everybody understands. You have the owner/operator, the vendors, the yard around the same table, and they exchange their view of the threats. This is very helpful for our industry, as typically these people do not all sit down together to discuss these things.”
Besides helping to create a mutually-agreed cyber security plan moving forwards, Rossi suggests that these discussions also help streamline relationships between different suppliers: “If I’m making a system and you’re making a system, and our two systems need to talk, it’s in my interest that your system doesn’t get infected.” This, he explains, helps to expedite the long and often bureaucratic contracting process that takes place in every newbuilding project: “The fact that they all have a common enemy helps transgress layers of contracts.”
Defence in depth
Although every newbuilding will have different cyber requirements and software systems, one common principle that such discussions attempt to uphold is ‘defence in depth’. Rossi explains that this means multiple layers of protection intended to put off hackers and cyber criminals; while they may be able to compromise one or even multiple layers, the effort required to completely break through acts as a deterrent. These layers can either be digital – for example a firewall or two-step verification – or physical, such as a secure lock on a cabling cabinet.
A key enabler of ‘defence in depth’ is the deliberate segregation of different networks on board the vessel, so gaining access to one does not mean access to all. This is especially important for so-called ‘safety-critical systems’, such as the fire detection system, which must be operational even if another system or network is compromised. Segregation can be achieved by making sure that networks do not interact unnecessarily, isolating segments, restricting traffic and physically ensuring wires are not crossing at any point.
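A design-stage check of the segregation principle described above, added here as an illustration and not taken from DNV GL or the original article: it walks a model of permitted network conduits and reports any chain of individually reasonable links that lets an untrusted zone reach a safety-critical one. The zone names, conduits and function names are all hypothetical.

```python
from collections import deque

# Constructed design model: zone -> zones it may open connections to.
# All zone names and conduits are hypothetical, for illustration only.
CONDUITS = {
    "internet": {"satcom_dmz"},
    "crew_wifi": {"satcom_dmz"},
    "satcom_dmz": {"admin_lan"},
    "admin_lan": {"satcom_dmz", "engine_monitoring"},
    "engine_monitoring": {"propulsion_control"},
    "propulsion_control": {"fire_detection"},
    "fire_detection": set(),
}
UNTRUSTED = {"internet", "crew_wifi"}
SAFETY_CRITICAL = {"fire_detection"}


def find_path(conduits, src, dst):
    """Breadth-first search: shortest chain of allowed conduits, or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(conduits.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def segregation_findings(conduits, untrusted, critical):
    """Map (untrusted, critical) zone pairs to the path that joins them."""
    findings = {}
    for src in sorted(untrusted):
        for dst in sorted(critical):
            path = find_path(conduits, src, dst)
            if path:
                findings[(src, dst)] = path
    return findings


def remove_conduit(conduits, src, dst):
    """Return a copy of the model with one conduit closed."""
    return {z: (d - {dst} if z == src else set(d)) for z, d in conduits.items()}


if __name__ == "__main__":
    for pair, path in segregation_findings(CONDUITS, UNTRUSTED, SAFETY_CRITICAL).items():
        print(pair, "reachable via", " -> ".join(path))
```

No untrusted zone has a direct conduit to the fire detection network in this model, yet both reach it through intermediate zones; closing the single `admin_lan` to `engine_monitoring` conduit with `remove_conduit` clears both findings.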
Also important is what Rossi calls a “hardening of systems”. This involves locking down workstations by identifying easy ways in, such as admin rights that don’t belong, or default manufacturer passwords and credentials for equipment (many of which can be found in a quick online search) and stamping them out. The use of obsolete software such as Windows XP is also discouraged, as it is vulnerable and rarely patched. It is surprisingly common in the maritime industry for equipment and systems manufacturers to use outdated operating systems, offering a boon to cyber criminals.
In order to verify the numerous barriers agreed upon and set up at the newbuilding stage, DNV GL carry out a programme of penetration testing using certified ethical hackers like Rossi himself. This testing, which replicates real, malicious attacks, attempts to identify weaknesses in each barrier and fix them to solidify the layers of redundancy and resilience before the vessel leaves the yard.
As Rossi points out, thinking like a hacker while designing a system is a somewhat contradictory process: “You’re building something and trying to break it at the same time.” In order to achieve improvements, it must first be imagined how systems can be compromised and made to fail, and at a later stage undergo hacking to see if the barriers are holding. This isn’t unique to cyber security; known as FMECA (failure mode, effects, and criticality analysis) it is a common procedure in system and product design.
Shipyards and cyber security
Rossi notes that shipyards have not generally taken an in-depth role in the cyber security of vessels, seeing it as outside of their remit: “The yards normally translate what the owner is asking for, and add their experience. They typically are not the ones that manufacture software, and cyber security is an offspring of this software. It is seen as something that is done by the vendors, and so the yard says that’s not my scope – I make sure the system does what it’s supposed to do.” In other words, whilst the yard will confirm that systems are up and running, they will not look at how each system relates to another and the impacts this might have on cyber security.
However, DNV GL use the analogy of purchasing a car with a fault to argue why yards might take a greater role in cyber security during newbuilding projects. As Rossi explains, if you bought a car from a dealer and noticed the CD player wasn’t working shortly after driving away, the dealer would not tell you that it is Sony’s problem; they understand that they are the system integrator, and it is therefore ultimately their responsibility.
In the same way, yards have a responsibility to optimise, or at least understand, a vessel’s RAMS (Reliability, Availability, Maintainability and Safety/Security) provisions. This is especially pertinent given that IT and OT (operational technology) are being brought ever closer by big data and the internet of things, which enable practices such as the remote monitoring of engines and propulsion systems. Machinery and equipment, where yards’ expertise typically applies, are now being implicated in a vessel’s cyber security; as such, they must consider both the engineering and digital sides of vessel design and construction to ensure newbuildings are optimised and safe.
The active participation of a yard in building-in effective cyber security is also important given that cyber criminals often seek out vulnerabilities early on, in order to attack later. Rossi says: “[A hacker] is either planting a back door during newbuilding, or [the yard] could be designing a ship with an open door that will allow someone to plant a back door during operation.” For DNV GL, the purpose of their testing and verification is to find these doors and secure or remove them before they can be exploited, requiring the yard’s co-operation as the system integrator. Ensuring that the yard’s own systems are secure, too, is essential; the wide range of third parties and subcontractors working on each project means that malware or ransomware can easily be introduced by a corrupted device.
By involving all parties in cyber security from the beginning in newbuilding projects, DNV GL hope to certify a new generation of safer vessels for which cyber security is an essential part of their design and construction. With the voluntary Cyber Security Advanced notation, shipowners can demonstrate a commitment to protecting their vessels’ systems – and by extension their clients’ data and cargo – which is likely to have a positive business impact in an increasingly security-conscious age. Pre-release, DNV GL have quoted interest from over 10 vessels, and a high number of enquiries.
Although cyber risk life cycle management by no means ends at commissioning, instilling robust systems at newbuilding prioritises prevention over cure. Owing to its reliance on outdated systems and lack of cyber awareness, the maritime industry is a soft target in a world where many industries have learned hard lessons. However, by going back to the drawing board, effective cyber security can be designed-in to prove that maritime is not to be taken advantage of.