A container ship sailing along the Ouessant shipping lane falls victim to a "cyber" attack on its navigation system, radars and engine room management system. It is diverted from its initial route, then its engines are remotely stopped in the middle of the sea. It then becomes an absolute danger on this maritime route, where more than 150 ships carrying containers, hazardous materials (explosive or environmentally dangerous) and passengers are sailing at the same time. Does this scenario, worthy of a Hollywood disaster movie, seem improbable to you? Unfortunately, it is being seriously considered by maritime industry professionals.
In an increasingly interconnected world, where maritime transport accounts for 90% of goods traded around the globe, shipping companies, ships and ports cannot be spared from a criminal element that has undergone a technological transformation. From criminals of opportunity to organized crime groups, terrorist and/or state organizations, the use of new technologies for malicious purposes has become a common mode of action that has grown exponentially thanks to the simplification and availability of attack tools such as ransomware.
Added to this attractiveness is the fact that the maritime sector offers a significant attack surface. Indeed, to be efficient, i.e. to reduce delays and rationalize operating costs, the sector needs to bring together a plurality of players. The development of new interoperable technologies such as EMSW (European Maritime Single Window) has made it possible to interconnect this maritime world, while at the same time linking it to other transport players (air, rail, road) and to other sectors such as banks and energy operators.
As a result, the maritime transport system can become an attack vector through one of its sub-systems, or a target. In this case, as with security in general, vulnerability is measured in terms of the resilience of its weakest link. A large number of indirect (or rebound) attacks have been carried out through the compromise of a service provider with access privileges to the IT tools used.
The response from shipping professionals and public authorities has been implemented gradually and, as always, in reaction to the proliferation of attacks. At international level, for example, IMO Resolution MSC 428(98) of 2017, which comes into force in 2021, requires shipowners (vessels > 500 t) to integrate cybersecurity into their Safety Management Systems. In French ports, regulations relating to vital sectors, supplemented by the military programming law and its sector-specific application decrees, make designated operators responsible for securing their most sensitive systems. The ANSSI (Autorité Nationale de la Sécurité des Systèmes d'Information) plays a key role in this respect, providing state-of-the-art scientific and technical expertise. It is the reference body for defining the security standards required to protect data and systems. It also raises awareness among key players in the maritime sector.
On the whole, the response of professionals in the maritime sector is still too often in reaction to a security problem encountered, and is generally limited to a compliance approach, i.e., based on the implementation of best practices laid down by cybersecurity professionals and the enforcement of national or sector-specific regulatory obligations.
While this security foundation is certainly capable of protecting organizations against the risks of broad-spectrum and/or elaborate attacks, it does not provide effective barriers against advanced attacks. These attacks are highly technical, which enables them to penetrate the information systems of advanced players by stealth, and persistent, i.e. they are capable of remaining in these systems for long periods and acting on or extracting information from them without being detected.
The increasing interconnection of IT (Information Technology) and OT (Operational Technology) is conducive to this type of scenario.
In fact, there are many IoT systems in ports: RTG and STS cranes, ship control systems, cargo transit management, safety and security systems. In practice, the difficulty is that these IoT systems are not subject to systematic, up-to-date cybersurveillance, so malicious actions take much longer to detect. To combat this type of threat, the scenario-based approach must complement the compliance approach. It involves identifying sources of risk and the objectives they target, mapping critical stakeholders in the ecosystem and defining possible attack paths. Relevant countermeasures based on a defense-in-depth strategy can then be defined and implemented within the framework of a regularly assessed security management system.
Cybersecurity is not just a technical issue, but also one of organization, training and practice. It begins with the physical protection of facilities, and is therefore closely linked to ISPS in the maritime sector. We need to move away from a silo approach and open up the field of study to a truly multi-disciplinary approach (sociology of organizations, criminology, etc.) in order to gain a global vision of risks. Last but not least, the human factor, as in other areas of protection against malicious acts, is central to system efficiency.