From back to front: achieving cyber security on the bridge
You can’t move for industry debate and conversation about cyber security, something that reflects a growing maturity of thinking, as well as increased levels of knowledge and expectation among ship operators over the last five years.
Some are still further ahead than others; much can depend on the sector in which they operate – but according to Simon Cooke, Technical Manager for Northrop Grumman Sperry Marine, more and more ship operators are seeking advice on how to secure the bridge environment against cyber threats.
“In part, this is because the IMO has published Guidelines on Maritime Risk Management in MSC-FAL.1/Circ 3, while the incorporation of cyber into the ISM Code has created pressure to do something,” he says. “As manufacturers, our view is that cyber security is best achieved by a defence in depth approach. The thought process requires using a Security Development Lifecycle (SDLC) that incorporates cyber requirements and processes to build technical defences into our equipment, resulting in a hardened system.”
He accepts that no operator is likely to achieve 100% cyber security, partly because new vulnerabilities are continually uncovered. The best strategy is for operators to adopt a risk management approach rather than just conform to a single, prescribed standard says Cooke. “The thinking should be: what contribution am I making to that defence in depth?”
This challenge brought together Sperry Marine and GNS specialists in front and back-of-bridge systems, both of whom recognised that the issue of moving data between one and the other required a new perspective on security.
Bridge teams regularly receive data – mainly routes, charts and weather – which have arrived on the ship’s IT network for transfer to the front of the bridge. Traditionally, the navigation systems have been air-gapped from the ship’s main IT network so, the perception is that users feel they are protected, explains Cooke.
“The problem is how they are bridging that gap. Very often it’s by using a USB stick which is a potential attack vector in itself. Owners have realised they need a more robust solution, an integrated system that has the right level of cyber security.”
The concept developed by Sperry Marine, for delivery in partnership with GNS, is a Secure Maritime Gateway which uses multiple firewalls and a ‘demilitarised zone’ as a staging post to ensure there is no direct connection between the navigation systems and the ship’s network.
The gateway is a key part of the technical defences available to ship operators and can be certified to the IEC’s 61162-460 standard for networking where additional safety and security is needed. Sperry Marine is also contributing to the new cyber standard IEC 62923 which covers a wide array of maritime equipment in order to demonstrate the level of applied cyber security, with publication scheduled for 2021. Other technical measures include work by CIRM to develop a cyber risk code of practice that manufacturers and service providers can sign up to.
Beyond the application of some technical rigour, the need for security rests chiefly on people. As regular industry surveys point out, crew may well be unaware of the risks and many still need training to follow the appropriate processes to achieve an appropriate degree of cyber hygiene.
Despite the challenges, the direction of travel appears to be set; more connectivity, not less; and greater dependence on networked solutions. The ever-more connected bridge and the convergence of hardware and software – with multi-function workstations and network connections to VDRs, AIS and GPS units – creates further complexity in terms of cyber security. The critical issue is identifying and managing the associated risks.
As proven for decades, a ‘fit and forget’ approach to ECDIS is never appropriate since new vulnerabilities are likely to emerge over time, requiring that operators ensure that software is updated to the latest patches.
Regulated bridge equipment remains somewhat separated and has tended to be interfaced using serial rather than Ethernet connections. Its embedded systems have fewer attack vectors partly because software cannot be as easily modified as that on a PC-based system, Cooke explains.
“Some products present a different risk profile than others but all regulated equipment goes through rigorous Type Approval. This includes ensuring operators cannot modify the product in a way that would interfere with its ability to meet the minimum performance standard. That level of security itself acts as one defence against cyber-attack.”
Standards alone do not prove an owner is fully secure, but he adds that they are a way of articulating the cyber-hardening activity that’s taken place. “Using a tool like the Secure Maritime Gateway shouldn’t be any more complex for the user; in fact it should be should be less onerous and more efficient, especially compared to carrying around USB sticks.”
“My reading is that operators are definitely more concerned about the need to improve cyber hygiene on the bridge and improve usability too, it’s why they are asking us to develop these types of solutions.”