SUPPLIERS ARE NOT PROVIDING EQUIPMENT WITH THE LEVEL OF SECURITY NEEDED TO PROTECT CRITICAL SYSTEMS
As the global shipping industry learns that the UK-flagged Stena Impero seized by Iranian forces in July was ‘spoofed’ and begins to accept the extent to which vessels unprepared for a cyber event can be affected, Itai Sela, CEO of cyber security pioneer Naval Dome, says that original equipment manufacturers are not doing enough to provide end users with the level of protection required to secure critical systems.
Speaking to delegates attending a conference today organised by the Maritime and Port Authority of Singapore (MPA), Sela said: “There is no high-level cyber security on operational systems aboard ships, on offshore oil and gas platforms, or ports and terminals. Few OEMs and system providers are supplying equipment with level 4 security, resulting in end-users being unable to get a true picture of the integrity of their critical systems. It’s like driving with your eyes closed.”
Going on to explain that increasing reliance on connected systems and IoT technologies is leaving infrastructure vulnerable, he told attendees at Singapore’s annual International Safety@Sea Week that investing in equipment without the highest level of protection could result in financial loss, damage to assets, the environment, even loss of life.
“Today, the world is more interconnected than ever before and while this has considerable advantages, we become less secure, more vulnerable, with cyber events happening on a daily basis.
“So what do we do? Wait until January 2021 when IMO cyber security rules enter into force? The cyber hacker won’t wait until you have proper protection in place, so why should you?”
He explained that over the past decade, cyber security has not kept pace with the rapid development of autonomous, connected IoT-based systems that are now becoming commonplace across the sectors.
“We have visited companies operating across the industry – shipping companies, cruise lines, oil and gas contractors, ports and terminals – and what we find is alarming. Typically, most companies are operating critical systems that are protected, at best, by only the most basic security solution.”
According to DNV GL type approval criteria and IEC 62443 standards security Level (SL) 1, the most basic, provides protection against casual or coincidental violation. SL2 to SL4 cover increasing protection levels against intentional violation, depending on sophistication of means, and the likely level of resources, motivation and skills of potential offenders. SL4 protects against the highly motivated, highly sophisticated attack.
“The obvious thing to do,” said Sela, “is to ask your system provider what level of cyber security each of their systems are provided with and, if not SL4, request they upgrade or replace them.”
Commenting on the rise in the number of GPS spoofing and jamming incidents, Sela told shipping and port executives that Naval Dome analysts have noted an increase in the Persian Gulf, The Black Sea and SE Asia.
Spoofing, when the satellite signal is changed and manipulated once it has been received by a global positioning system (GPS), shifts the phase of the signal to present spurious positional data and information, placing the asset in a different position to that in which it is in reality.
“Spoofing is more common as it is more sophisticated, more effective – but we know jamming is taking place in Syria and Lebanon,” he said. “Most spoofing is carried out by States, although in SE Asia and the Red Sea, pirates are using rudimentary spoofing systems bought on the internet to direct ships to danger areas.”
While there are some companies that claim to offer solutions that can prevent spoofing and jamming, a process that saturates the GPS so that no satellite signal or data can be received, Sela said that these systems are either inordinately expensive or cheap and ineffective.
“We recommend that all critical systems have in place a cyber defence system capable of anomaly detection, which will alert operators to odd jumps/drifts in position based on previous and current positions, planned route and ship speed. This will provide an indication that the GPS may be compromised.
“Once alerted to an anomalous event, crews need to cross check position with speed and other sensors, the Gyro compass, etc. AIS can also be used to detect other vessels in the area. However, if other vessel positions have jumped, then this can also indicate a problem with their GPS.”
Sela went on to reveal that Naval Dome is seeing an increase in the number of spoofing incidents at ports, especially those where container handling equipment, such as ship-to-shore cranes, reach stackers and straddle carriers, relies on GPS to move and transfer containers to specific locations.
“Typically, positional data is dependent on signals from three or more satellites, but if just one is compromised, then it will give a false reading. Any interference to the GPS signal is likely to result in significant port congestion.”