Glance through the headlines on any given day and it’s easy to conclude that cyber security is mostly a city problem—high densities of people and their data create a virtual environment that’s rich with opportunity for criminals seeking to exploit financial systems and the Internet of Things. On the high seas, in the world’s ports and at the margins of every coastline, cyber security in the maritime domain is just as complex.
Fixed and mobile assets cross multiple zones of jurisdiction and territory. Legacy infrastructures and communications systems with poor or no encryption are open to attack. With 90% of the world’s cargo transiting by sea, there’s a huge part of the global economy that we don’t regularly “see” but is vital to the national critical infrastructure of most countries.
Cyber security incidents in the maritime sector, as on land, include deliberate attacks on infrastructure and vessels, accidental security breaches, and exploits. The total attack surface can be viewed in terms of mobile assets (vessels, containers, offshore oil and gas platforms, unmanned undersea vehicles, drones), fixed assets (port infrastructure, navigation aids, undersea cables and pipelines), and communications systems (onshore, ship-to-shore, and satellite). Ship-to-shore communications and port industrial control systems (ICS) are particularly vulnerable; with no in-built signal encryption or authentication, AIS is a soft target (a feature that is exploited in the industry to transmit false location data). The data holdings of shipping firms and their service providers are a rich source of operational and financial information, crew and passenger data, and location and asset capabilities. Advances in unmanned vessels, drones, and remotely controlled systems increase the number of connected assets. The total cost of cyber attacks in the maritime sector is unknown, but annual costs to the oil and gas sector are indicative.
In the past year, the maritime sector has conspicuously picked up the pace in the cyber security challenge. 2016 saw guidelines from the IMO (MSC.1/Circ. 1526), BIMCO, Lloyd’s Register, and the US Coast Guard (among others). Conferences dedicated to maritime cyber security are well attended by the world’s navies, CIOs, and lawyers—for example, NATO’s first conference on maritime cyber security in October 2016 and the first major maritime cyber security conference in the US in March 2015. Shipping companies, offshore operators, and transportation companies are advised to adopt a cyber risk management approach, such as that advocated by the USCG.
Cyber security in the maritime domain is currently considered in the national security strategies of the UK and USA, among others, but strategy does not automatically generate solutions; maritime cyber, like other sectors, relies on a supply chain of risk managers, IT consultancies, and third-party providers all operating among flag states of varying security posture and quality. Companies and port authorities are advised to assess their particular circumstances. In the US, Executive Order 13636 (February 2013) concluded that the USCG has regulatory authority on cyber security. The US Bureau of Safety and Environmental Enforcement (BSEE) may soon follow, affecting offshore operators and all 360 ports around the US coastline. US legislation on maritime cyber security is likely to take form in 2017.
International laws and conventions on maritime cyber security are more challenging. ICS views international regulation as unnecessary. Security of crew, passengers, and vessels on the high seas has a long history of international convention and protocol, with 180 flag states assuming responsibility for the physical security of crew and vessels sailing under their name. In 2004, the International Maritime Organization (IMO) further amended SOLAS to include port and ship security, while IMO III (requiring audit of safety compliance) entered into force in 2016. However, as is also the case in the US, IMO relies on voluntary reporting of cyber security incidents from among its member states.
Achieving a reasonable standard of cyber security in the maritime sector in as short a timeframe as possible calls upon an armada manned with expertise from: (i) critical infrastructure protection (particularly in the energy sector), (ii) supply chain risk analysis, and (iii) international law (particularly concerning UNCLOS).
Even acknowledging differences of opinion on the legal frameworks that enable freedom of navigation on the high seas, the founding principle is more than 400 years old and will likely hold good. The world’s energy and cargo supply chains can’t (yet) operate without it. Defending access to sea lanes is a jurisdictional minefield negotiated on dry land. But with rapidly advancing cyber capabilities offshore, the threat landscape has fundamentally changed.
In July 2016, NATO affirmed cyberspace as a domain of operations in which international law applies. Arguably, preemptive cyber attack as an offensive defense strategy is already in play. It has yet to be tested at sea, but the opportunity may soon arise. Consider China’s defense infrastructure on seven newly constructed artificial islands in the Bohai Sea—in firing range of one of the world’s busiest sea lanes—and the response to the discovery of an underwater drone measuring salinity in the South China Seas.
In a different kind of warfare, maritime security, among the oldest traditions of all nations that have prospered on the high seas, has entered a new era.
Sally Daultrey is an OpsLens contributor and geopolitical analyst based in London, UK.