
Suppliers not providing equipment with sufficient security, says Naval Dome CEO

“Most companies are operating critical systems that are protected, at best, by only the most basic security solution,” says Naval Dome’s Itai Sela

As the global shipping industry learns that the UK-flagged Stena Impero seized by Iranian forces in July was 'spoofed' and begins to accept the extent to which vessels unprepared for a cyber event can be affected, Itai Sela, CEO of cybersecurity pioneer Naval Dome, says that original equipment manufacturers are not doing enough to provide end users with the level of protection required to secure critical systems.

Speaking to delegates attending a conference today organised by the Maritime and Port Authority of Singapore (MPA), Mr Sela said: “There is no high-level cybersecurity on operational systems aboard ships, on offshore oil and gas platforms, or ports and terminals. Few OEMs and system providers are supplying equipment with level 4 security, resulting in end-users being unable to get a true picture of the integrity of their critical systems. It’s like driving with your eyes closed.”

Going on to explain that increasing reliance on connected systems and IoT technologies is leaving infrastructure vulnerable, he told attendees at Singapore’s annual International Safety@Sea Week that investing in equipment without the highest level of protection could result in financial loss, damage to assets, the environment, even loss of life.

“Today, the world is more interconnected than ever before and while this has considerable advantages, we become less secure, more vulnerable, with cyber events happening on a daily basis.

“So what do we do? Wait until January 2021 when IMO cybersecurity rules enter into force? The cyber hacker won’t wait until you have proper protection in place, so why should you?”

He explained that over the past decade, cybersecurity has not kept pace with the rapid development of autonomous, connected IoT-based systems that are now becoming commonplace across the sectors.

“We have visited companies operating across the industry – shipping companies, cruise lines, oil and gas contractors, ports and terminals – and what we find is alarming. Typically, most companies are operating critical systems that are protected, at best, by only the most basic security solution.”

According to DNV GL type approval criteria and IEC 62443 standards, Security Level (SL) 1, the most basic, provides protection against casual or coincidental violation. SL2 to SL4 cover increasing protection levels against intentional violation, depending on sophistication of means, and the likely level of resources, motivation and skills of potential offenders. SL4 protects against the highly motivated, highly sophisticated attack.

“The obvious thing to do,” said Mr Sela, “is to ask your system provider what level of cybersecurity each of their systems are provided with and, if not SL4, request they upgrade or replace them.”

Commenting on the rise in the number of GPS spoofing and jamming incidents, Mr Sela told shipping and port executives that Naval Dome analysts have noted an increase in the Persian Gulf, the Black Sea and SE Asia.

Spoofing, when the satellite signal is changed and manipulated once it has been received by a global positioning system (GPS), shifts the phase of the signal to present spurious positional data and information, so that the asset appears to be in a different position from the one it is actually in.

“Spoofing is more common as it is more sophisticated, more effective – but we know jamming is taking place in Syria and Lebanon,” he said. “Most spoofing is carried out by States, although in SE Asia and the Red Sea, pirates are using rudimentary spoofing systems bought on the internet to direct ships to danger areas.”

While there are some companies that claim to offer solutions that can prevent spoofing and jamming (a process that saturates the GPS so that no satellite signal or data can be received), Mr Sela said that these systems are either inordinately expensive or cheap and ineffective.

“We recommend that all critical systems have in place a cyber defence system capable of anomaly detection, which will alert operators to odd jumps/drifts in position based on previous and current positions, planned route and ship speed. This will provide an indication that the GPS may be compromised. 

“Once alerted to an anomalous event, crews need to cross check position with speed and other sensors, the Gyro compass, etc. AIS can also be used to detect other vessels in the area. However, if other vessel positions have jumped, then this can also indicate a problem with their GPS.”
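The plausibility check described in the quote above, as an added Python example (not code from the article or from Naval Dome): each GPS fix is compared against an independent speed-log reading and against the planned leg. The `Fix` record, the function names, the thresholds and the track are constructed assumptions.

```python
import math
from typing import NamedTuple

R_NM = 3440.065  # mean Earth radius in nautical miles

class Fix(NamedTuple):
    t: float         # seconds since start of the log
    lat: float       # GPS latitude, degrees
    lon: float       # GPS longitude, degrees
    log_kn: float    # independent speed-log reading, knots

def dist_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in nautical miles."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * R_NM * math.asin(math.sqrt(a))

def bearing(lat1, lon1, lat2, lon2):
    """Initial bearing from point 1 to point 2, radians."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    return math.atan2(math.sin(dl) * math.cos(p2),
                      math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl))

def cross_track_nm(lat, lon, start, end):
    """Distance of a fix from the planned leg's great circle."""
    d = dist_nm(*start, lat, lon) / R_NM
    off = bearing(*start, lat, lon) - bearing(*start, *end)
    return abs(math.asin(math.sin(d) * math.sin(off))) * R_NM

def check_fixes(fixes, start, end, speed_margin_kn=5.0, max_xte_nm=1.0):
    """Return (time, reason) alerts; thresholds are illustrative assumptions."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        hours = (cur.t - prev.t) / 3600.0
        if hours <= 0:
            alerts.append((cur.t, "bad timestamp"))
            continue
        implied_kn = dist_nm(prev.lat, prev.lon, cur.lat, cur.lon) / hours
        if abs(implied_kn - cur.log_kn) > speed_margin_kn:
            alerts.append((cur.t, "position/speed mismatch"))  # GPS disagrees with speed log
        elif cross_track_nm(cur.lat, cur.lon, start, end) > max_xte_nm:
            alerts.append((cur.t, "off planned route"))        # sustained offset or drift
    return alerts

# Constructed track: 12 kn due north along 65.0E, fixes shifted east from t=180.
LEG = ((10.0, 65.0), (11.0, 65.0))
TRACK = [Fix(0, 10.0, 65.0, 12), Fix(60, 10.003333, 65.0, 12), Fix(120, 10.006667, 65.0, 12),
         Fix(180, 10.01, 65.05, 12), Fix(240, 10.013333, 65.05, 12)]

if __name__ == "__main__":
    print(check_fixes(TRACK, *LEG))
```

The first shifted fix is caught by the speed comparison; the following fix moves at a plausible speed again, so only the planned-route check keeps the alert active.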

Mr Sela went on to reveal that Naval Dome is seeing an increase in the number of spoofing incidents at ports, especially those where container handling equipment, such as ship-to-shore cranes, reach stackers and straddle carriers, relies on GPS to move and transfer containers to specific locations.

“Typically, positional data is dependent on signals from three or more satellites, but if just one is compromised, then it will give a false reading. Any interference to the GPS signal is likely to result in significant port congestion.”

Related items

  • New GTMaritime solution protects shipboard systems from cyber-threats before they emerge

    A new solution from GTMaritime counters a major cyber security weakness of ships at sea today by deploying critical software and security patches to protect shipboard systems before threats emerge. GTDeploy provides a software deployment platform to deliver security updates to ships wherever they are in the world ‘in the background’ without requiring intervention by IT staff or distracting crew.

  • Industry collaboration key in Cyber-SHIP Lab progression

    Experts in cybersecurity and maritime operations are forging ahead with the creation of a first-of-its-kind research facility at the University of Plymouth.

  • Almi Tankers receives ISO 27001 certification from LR

    Almi Tankers S.A. has become one of the first maritime companies in Greece to be awarded ISO 27001 certification by global certification and assurance company Lloyd’s Register (LR).

    Almi Tankers has been awarded ISO 27001 certification for its Information Security Management System (ISMS), demonstrating that the company has reached the high quality demanded from this internationally recognised Standard.

    The certificate was presented by Philippa Charlton, BA & IS marketing director at LR, to Almi Tankers’ CEO Capt. Stylianos Dimouleas at a ceremony at the company’s headquarters in Athens.

    CEO Capt. Stylianos Dimouleas thanked his team for this success and commented: “We are all affected by ISO 27001 requirements on a daily basis. We took a major step to ensure that a robust Information Management System and Cyber Security System are in place and in line with EU GDPR Directives.”

    LR’s marketing director, Philippa Charlton said: “ISO 27001 is a certification of best practice for ISMS. An organisation that is certified has been through a rigorous independent audit process and demonstrated its ability to meet the stringent requirements of this standard. We’re delighted for Almi Tankers S.A.”

  • DCSA publishes implementation guide for IMO cybersecurity mandate

    The Digital Container Shipping Association (DCSA), a neutral, non-profit group established to further digitalisation of container shipping through technology standards, in conjunction with its nine member carriers, has published the DCSA cybersecurity implementation guide. The guide aims to facilitate vessel readiness for the IMO Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems.

    The best practices outlined by DCSA provide all shipping companies with a common language and a manageable, task-based approach for meeting the IMO’s January 2021 implementation timeframe.

    The DCSA cybersecurity guide, DCSA Implementation Guide for Cyber Security on Vessels, can be freely downloaded from the DCSA website. The guide aligns with existing BIMCO and NIST (US National Institute of Standards and Technology) cyber risk management frameworks, enabling shipowners to effectively incorporate cyber risk management into their existing Safety Management Systems (SMS). The DCSA guide gives shipowners the tools they need to help designated technical crew members mitigate the risk of cyber attack, or contain damage (fail safe) and recover in the event of an attack.

    “As shipping catches up with other industries such as banking and telco in terms of digitisation, the need for cyber risk management becomes an imperative,” said Thomas Bagge, CEO, DCSA. “Due to the global economic dependence on shipping and the complex interconnectedness of shipping logistics, cyber attacks such as malware, denial of service, and system hacks can not only disrupt one carrier’s revenue stream, they can have a significant impact on the global economy. As a neutral digital standards organisation, DCSA is uniquely positioned to help vessel owners mitigate the increasing risk of cyberattack on their ships, and in turn, on the industry at large.”

    The DCSA cybersecurity implementation guide breaks down the BIMCO framework into themes and maps these themes to the controls that underpin the NIST functional elements: Identify, Protect, Detect, Respond, Recover. DCSA provides non-technical explanations and specific actions to be taken to address each NIST element in accordance with a company’s level of cyber maturity within each BIMCO theme. Following DCSA guidance will provide vessel owners with a catalogue of cyber security safeguards aligned with each vulnerability identified during risk assessment, together with notes explaining any residual risk.

    Jakob Larsen, head of maritime safety & security for BIMCO said, “The DCSA implementation guidance provides a thorough and refreshing deep dive into the challenge of how to implement cyber risk management in a shipowner company. Initially thought of as a tool for container carriers, the guidance can also inspire the thinking in other shipping sectors as well as the ongoing update of the major shipping associations’ benchmark document ‘Guidelines on Cyber Risk Management Onboard Ships’.”

  • ClassNK Consulting launches cybersecurity e-learning

    ClassNK Consulting Service has announced the launch of a cybersecurity training service (e-learning), developed in cooperation with KDDI Corporation (KDDI) and KDDI Digital Security (KDS).

    Main features include:

    • The program focuses on the maritime industries.
    • The program supports Japanese and English and provides a certificate of completion after a comprehension test. This certificate can be used for an education record of Cybersecurity Management System.
    • The program is available anywhere and anytime via smart device and PC.
    • The program is certified by ClassNK in compliance with the Guidelines on Cybersecurity Onboard Ships Version 3, produced and supported by BIMCO (The Baltic and International Maritime Council).

    In a statement released by ClassNK, the classification society says that the increasing use of many solutions utilising “Big Data” and IoT technologies has brought benefits to the industry but it has also introduced cyber risks among maritime industries. Under these circumstances, it’s an important first step towards cyber safety for those who are engaged in ship operation and other related industries to gain proper knowledge. NKCS, KDDI and KDS offer a training program combining the companies’ expertise in offshore and onshore. 


Digital Ship magazine provides the latest information about maritime satellite communications technology, software systems, navigation technology, computer networks, data management and TMSA. It is published ten times a year.

 

Address:
Digital Ship Ltd
Digital Ship - Digital Energy Journal
39-41 North Road
London
N7 9DP
United Kingdom

Copyright © 2019 Digital Ship Ltd. All rights reserved