[The excerpts below are from the book Maritime Cybersecurity: A Guide for Leaders and Managers, published in early September.]
[T]hreats must be put into context. The figure [below] shows the light configuration of a vessel that you do not want to see steaming towards you at night. Not only is this ship coming towards you head-on, it suggests that you are already in very dangerous waters, per Rule 27(f) in the Navigation Rules.
While this portrayal has a certain element of dark humor to it, it is also analogous to real life. When a ship is in a minefield, what is the real problem? Is it the threat of hitting a mine, or is it the vulnerability of the ship to the damage caused by the explosion? During the early days of the Battle in the Atlantic during World War II, Germany deployed magnetic mines against the British. The mines rose from the seafloor when they detected the small change in the Earth’s magnetic field that occurred when a steel-hulled vessel came within range. The British, upon discovering this mechanism, took countermeasures to effectively degauss their warships. This change eliminated the mine’s ability to exploit the ship’s magnetic field and, at least temporarily, obviated the threat. The vulnerability of the ship to a mine was not eliminated, but the exploit was defeated.
In cyberspace, we can’t control where the mines are, but we can control our susceptibility to getting hit by one and the subsequent damage that could result.
This leads to the following general truth about cybersecurity:
Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities (weaknesses), you’ve got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus, you might even be OK if you get the threats all wrong. But if you focus mostly on the threats, you’re probably in trouble.
Threats are a danger from someone else that can cause harm or damage. We might or might not be able to identify a potential threat, but we cannot control them. Vulnerabilities are our own flaws or weaknesses that can be exploited by a threat actor. Indeed, not all vulnerabilities can be exploited. We are—or should be—able to identify our vulnerabilities and correct them.
While we cannot control the threats, we should be knowledgeable about the threat landscape and have an idea of threat actors who might wish to do us harm, but we should not obsess over the threats while planning a cyberdefense. Instead, we should look inward at our own systems, seek out the vulnerabilities, and plug the holes. New threats always emerge, but that doesn’t change the strategic importance of fixing our own vulnerabilities.
Ironically, there is a corollary to this maxim: “Identifying threats can help get you funding while identifying vulnerabilities probably won’t.” Almost all cybersecurity professionals have gone to management to seek funds for an emergency update to hardware or software, just to be told that fixing a vulnerable system can always wait until the next budget cycle. Conversely, when management sees a memo from IMO or USCG, or a warning from an ISAC/ISAO, that highlights a credible threat directed at that same hardware or software, it’s remarkable how quickly the funds become available.
A common but mistaken belief at the leadership level of many organizations, both within the maritime industry and beyond, is that the responsibility for protecting information assets lies within the technology ranks. To those who subscribe to that belief, let us share the following: Anyone who thinks that technology can solve their problems does not understand technology or their problems.
Cybersecurity—or, arguably more properly, information security—is not merely, or even primarily, the responsibility of the IT department. Everyone who comes in contact with information in any form has the responsibility to protect it and, further, to recognize when it is under attack—and take whatever action is required to defend it, including reporting suspected attacks to the appropriate defensive agencies within the organization. Ultimately, it is the responsibility of a designated Chief Information Security Officer (CISO) to manage the cybersecurity posture of an organization. That posture includes the creation of a sense of urgency and awareness around cyberthreats at every level of the organization.
It is also important to recognize that IT and cybersecurity professionals have different—albeit often overlapping—skill sets. IT professionals keep networks running and resilient, and provide services and application to the users; cybersecurity professionals defend these assets.
[We wrote this book for] the maritime manager, executive, or thought leader who understands their business and the maritime transportation system, but is not as familiar with issues and challenges related to cybersecurity. Our goal is to help prepare management to be thought and action leaders related to cybersecurity in the maritime domain. We assume that the reader knows their profession well, knowledge that will help to provide the insight into how cyber affects their profession and organization.
Chapter One (The Maritime Transportation System, MTS) provides a broad, high-level overview of the MTS, the various elements within it that we’re trying to secure, and the size and scope of the challenge. Chapter Two (Cybersecurity Basics) offers terms, concepts, and the vocabulary required to understand the articles that one reads and the meetings that one attends that discuss cybersecurity.
The next three chapters describe actual cyber incidents in various domains of the MTS and their impact on maritime operations. Chapters Three through Five address cyberattacks on shipping lines and other maritime companies, ports, and shipboard networks, respectively. Chapter Six (Navigation Systems) discusses issues relating to Global Navigation Satellite Systems (GNSS) and Automatic Identification System (AIS) spoofing and jamming, while Chapter Seven (Industrial Control and Autonomous Systems) presents cyber-related issues and the ever-increasing challenge of remote control, semi-autonomous, and fully-autonomous systems finding their way into the MTS.
Chapter Eight (Strategies for Maritime Cyberdefense) discusses practices that address cybersecurity operations in the MTS, including risk mitigation, training, the very real need for a framework of policies and procedures, and the development and implementation of a robust cybersecurity strategy. Chapter Nine offers final conclusions and a summary.
Author’s note: This book is intended to speak to all levels of members of the MTS, from executives, directors, and ship masters to managers, crew members, and administrative staff. Our hope is that it informs the reader to a higher level of awareness so that they can be more aware of the threats and be better prepared — at whatever level of their job — to protect their information assets.
Because the field is so fast moving, we also have a Web site — www.MaritimeCybersecurityBook.com — where we will post additional information.
Gary C. Kessler is a Professor of Cybersecurity in the Department of Security Studies & International Affairs at Embry-Riddle Aeronautical University. He is also the president of Gary Kessler Associates, a training, research, and consulting company in Ormond Beach, Florida.
Steven D. Shepard is the founder of Shepard Communications Group in Williston, Vermont, co-founder of the Executive Crash Course Company, and founder of Shepard Images.
A massive fire broke out at the Port of Beirut on Thursday, incinerating a warehouse full of tires and oil within the port’s free zone. The same area was heavily damaged in the ammonium nitrate explosion that leveled the central port area and the adjacent waterfront on August 4. According to Lebanon’s civil defense agency, […]
Over the course of the past five days, the Australian Maritime Safety Authority arranged a medical intervention for an injured aboard a freighter in the Indian Ocean. On Saturday evening, the Spliethoff tweendecker Dolfijngracht called for assistance while under way about 1,000 nauical miles off the coast of Western Australia. A crewmember had sustained serious […]
The UK government’s new post-Brexit tariff regime will result in both winners and losers. The new regime is set to replace the European Union’s Common External Tariff from the end of the Brexit Transition Period on December 31, 2020. The UK’s commitment to the ongoing Brexit process and ending the UK’s transition from EU membership […]
The U-Freight Group (UFL), with its considerable involvement in eCommerce logistics, says that the latest statistics showing that global e-commerce sales hit $25.6 trillion in 2018 are a further vindication of its decision to enter this sector of the international freight market several years ago. The latest available estimates, up 8% from 2017, were recently […]
The First DP2, Twin-Hulled SOV in the World, NB72 Groene Wind met the Sea on September 29. 2020 in Yalova, Turkey. The Groene Wind will be directly chartered to Siemens Gamesa Renewable Energy for the maintenance of the Rentel and Mermaid & Seastar (known as SeaMade) offshore wind farms in Belgium. This is the first DP2, […]
DSV Belgium has solid experience in the transport of pharmaceutical products for different customers. With a pharma hub based at Brussels Airport a lot of experience and know-how has been built up over the years. Last weekend, the forwarder handled one hundred million mouth masks, an important milestone for its Belgian organisation that has put […]
Astral Aviation has increased its intra-African network with cargo freighters during the pandemic. While there has been a reduction in capacity to, from, and within Africa, which has been caused by a stoppage of passenger flights and limited frequencies on freighter aircraft, Astral Aviation continues to operate cargo freighters from its Nairobi hub to 13 destinations […]
The naval forces of the US and Bahrain recently staged a joint force training exercise which showcased the interoperability between coalition warships operating I the Arabian Gulf. Coalition Task Force Sentinel executed combined exercise Sentinel Shield supporting Sentry and Sentinel patrols in the coalition’s area of operations. The guided-missile destroyer USS John Paul Jones and […]
Emirates SkyCargo has expanded its weekly scheduled cargo flight operations to cover 75 destinations across six continents. Through its wider reach, Emirates SkyCargo is able to transport essential commodities and other urgently needed cargo more rapidly across the world, allowing exporters and importers across markets to benefit from direct access to widebody cargo capacity. Some […]
With close to 100 daily cargo flights operated to a destination network spanning more than 65 cities across six continents, Emirates SkyCargo is delivering essential supplies and commodities to people around the world. The air cargo carrier is currently operating 11 Boeing 777 freighter aircraft, each with a capacity to transport about 100 tonnes of […]
Best known as a leading passenger airport serving Germany’s most populated federal state North Rhine-Westphalia, Düsseldorf has become transformed into a vital distribution point, during the COVID 19 pandemic, for medical equipment and other life-saving goods, mostly from China. Gerton Hulsman, managing director of cargo operations, reports that the handling teams are working hard to […]
The National Transportation Safety Board (NTSB) has released a Marine Accident Brief about an accident that occurred on April 15, 2019, involving the towing vessel DeJeanne Maria which struck the end of a submerged dredge pipeline while pushing two spud barges to the Gulf of Mexico. The incident occurred on the Mississippi River in Pass […]
Operators can continue to use pilots and other crew members who have unable to comply with certain training, recent experience, testing, and checking requirements due to the COVID-19 outbreak in support of essential operations. Additionally, this Special Federal Aviation Regulation (SFAR) provides regulatory relief to certain persons and pilot schools unable to meet duration and […]
Global commercial aviation charter company Albion Aviation Group is reporting that it is seeing a considerable uptake in its professional cargo broker training courses from the current global pandemic crisis and surge in charter demand. “We have completed a number webinar courses for a whole of host of companies, looking to manage their own cargo […]
Callan Marine is serving as the prime contractor to the Texas Department of Transportation for a maintenance dredging project located at the Bolivar Ferry Terminal, in Galveston, Texas. Work began in May and is estimated to be complete in late July 2020. The project consists of the removal of 600,000 cubic yards of material and […]
Network Airline Management and TAAG Angola Airlines are pleased to announce the renewal of their long-term freighter aircraft contract by an additional 12 months, sealing an ongoing partnership for the foreseeable future. Operating a regular weekly scheduled service from Liege, Belgium, to the capital of Angola, Luanda, Network Airline Management provides a Boeing 747-400F aircraft […]