In the film, “Tomorrow Never Dies”, terrorists divert a military ship from its course by manipulating the GPS signals. What was part of the fantasy world of British filmmakers in 1997 – the theatrical release date for the eighteenth James Bond movie – is a real threat a mere 20 years later. “GPS spoofing”, as it is known to the experts, is real, and researchers from the University of Texas provided impressive proof in 2013 when they diverted an $80 million luxury yacht from its course without its crew noticing. What is wrong with IT security in the maritime industry? Ship builders, system integrators and shipping companies are enthusiastic about the new opportunities that Maritime 4.0 offers. To find out if the sector is ready for this, and what still needs to be done, we spoke with Professor Karl-Heinz Niemann from the University of Hannover.
The device, which the Texas researchers used to trick the navigation system of a luxury yacht, was about as large as a briefcase. The 65-meter-long yacht had two GPS receivers, and was still spoofed. The Texans simply generated a GPS signal and increased the signal strength until the receivers on board switched to the transmitter. What does this scenario mean for you as an expert in IT security?
"That there is much more work to be done. There is still a lot of ground to make up in IT security in automation. While everyone else is thinking ahead to Industry 4.0, we still have to do the homework assigned for Industry 3.0 – existing systems need to be toughened up."
You are talking about automation technology. In your opinion, is there a difference between industrial automation and the automation aboard ships?
"I think that the maritime sector is set up just as well, or poorly, as any other sector when it comes to IT security. Your example of the luxury yacht finds many parallels in other sectors. Off the cuff, I can think of a blast furnace, which was idled by a cyber attack. Blast furnaces are process technology systems that usually run for several years without any interruptions. The externally initiated stoppage ultimately caused a complete loss. The effects of cybercrime are serious everywhere they appear. To this end, I see no sector differences in the current level of implementation of IT security – there is also no difference in that it vital to deal with the topic and the risks that arise from it."
What can companies do to ensure IT security? What homework would you assign?
"It is imperative that operators prevent attackers from simply linking into a network. They should, however, consider that not all external connections are bad; they simply have to secure them correctly. In this context, it’s undoubtedly a question of settings."
What do you mean by that?
"There are always people who want to explain to you that their system has no connection to the rest of the world and that IT security thus has no relevance for them. Do not believe them. There is always a connection somewhere. The more comprehensive homework, which we have to complete in my opinion, is establishing a sensitivity for the relevance of IT security for different parties in the maritime industry. At what points in daily life do these professionals come into contact with security breaches, and which do they generate unintentionally."
Do you mean, for example, the common practice on container ships, where a cargo master enters his or her cargo data into the ship’s system using a flash drive written on land?
"That is the exacy type of case. Flash drives should never be used. Despite this, the practice is routine, even though it is an obvious weak point in security – at least if there is no quarantine area for imported data."
Is IT security a problem that only the ship’s crew should deal with? Who is responsible, in your opinion?
"The people in operations on board are, without doubt, potential weak points for any IT installed on board; unfortunately, they usually have no ability to recognize the sophisticated attacks on their systems. Therefore, it is important that shipping companies establish processes and methods, and then formulate a commitment to managing IT security. With regard to the container ship in your example, a protocol would be established for the next time that someone stands on the bridge with a flash drive in hand."
Then you see management as responsible.
"True. In terms of IT security, we deal less in terms of methods than with a corporate strategy which trickles down from management – and everyone has to be prepared to expend some effort on this. It is imperative to define authorizations, monitor accesses and establish emergency plans in the event of a complete data loss. It no longer suffices to lock switch cabinets against unauthorized access using a square key. What we need is defense in depth, like a knight’s castle. First, the fence protects the facility property, then there are access limitations on specific rooms, followed by regulations regarding specific cabinets."
A castle is, however, quite stationary. So you see the need for special measures regarding ships?
"Compared to land-based applications, there are indeed new challenges and points of threat for ships – particularly due to the additional electronics that are on board. These include, for example, navigation, tracking and collision warning systems. This is equipment that is necessary for the ship’s safety. In addition, no ship is an island, regardless of what anyone thinks. Indeed, many of these additional systems establish external connections and thus offer attack points for manipulation. Just like the scenario you described at the beginning of our discussion."
This sounds as if the advancing digitization on board is presenting a host of new problems for IT security.
"That is also true! Industry 4.0 is establishing additional communication links, because companies are configuring their data flows to be consistent. Due to the horizontal and vertical integration, extant isolation concepts as a component of indepth defense, are no longer sufficient. The new demand is for “IT Security by Design.” This is when functions of IT security are integrated from the start into the configuration of a layer-based security architecture in the controllers."
Does this path impact approvals for maritime technology? Do the classification agencies need to consider IT security in their certifications based on the explosive nature of the problems you have described?
"I am convinced that those agencies are already working on this topic – especially as there is a need to catch up with regard to IT security in the maritime sector. As I said, to create a functional defense in depth, we have to complete our 3.0 homework -- for me, this is a compelling prerequisite in order to implement the ideas that are under development for Maritime 4.0."
Professor Niemann, thank you for the conversation.