- When will the IT security industry return to objectivity and rationality and treat such a sensitive subject realistically, taking into account the existing technical solutions on board ships?
- When will the IT security industry stop telling us tall tales and constructing cyber threats that demonstrably have nothing to do with cyber threats in maritime shipping?
- When will the IT security industry understand that we are not interested in charlatan campaigns and battles for market position?
We are interested in helpful advice and in reliable, sustainable IT security solutions with a realistic background, and we want to collaborate in trust with competent IT security teams that are developing future concepts to guarantee a safe working environment in internal and external networks. That's it.
It is not necessary for the slogan THREAT to be permanently painted on the walls.
The following arguments reflect the author's perspective and do not claim to be perfect. Nor are they the last word in wisdom. They may be perceived as provocative, but this is intended to open up a substantive and well-founded discussion on this topic. The technical basis of the author's position is decades of seagoing experience as a nautical officer and captain aboard various types of ships with different levels of technical equipment, and a sound engineering education in e-nautical systems and integrated ship guidance systems from different manufacturers.
Whom are these IT stagings and inflated cyber threat scenarios in shipping supposed to help? We should return to a well-founded risk analysis that takes into account all aspects of IT standards and technical equipment standards aboard ships, including their redundant systems, and set all exaggerated hysteria aside. Such hysteria is detrimental to the actual concern and leads to head-shaking, to dulling, and even to deliberate rejection by experienced sailors who do not jump on every cyber threat train, because their specialist and technical background knowledge leads them to a different risk assessment in this field than IT security specialists, without ignoring the dangers of cyber threats.
I can't escape the impression that IT security specialists want us seafarers to believe that we, as the fools of the nations, understand nothing about it and are still stuck in the era of Columbus and James Cook. Here, for better understanding, some things need to be set the right way up. I know many first-class ship captains, nautical officers and marine engineers who are technically up to date and do not need to hide in the IT field. But they are not IT specialists, which is absolutely all right. They are very familiar with the equipment and technology entrusted to them on board. That is where they are ahead of IT specialists, and it should not be forgotten. In shipping, too, training courses are offered and carried out on an ongoing basis in order to meet modern requirements and the challenges of digitization. That also has to be made clear here. The study courses at maritime universities for prospective officers and engineers are continuously adapted to technical developments, and the topic of IT is given much space. This includes raising awareness of computer and network security issues.
It would not work any other way. After all, the demands on newly introduced digitized maritime technologies in shipping are constantly increasing. Of course, we must also note critically that, particularly in maritime shipping, very different levels of technical knowledge are found among ship captains, nautical officers and marine engineers, in particular because of the training profiles of the respective national maritime educational institutions, and that these levels by no means fully meet today's requirements. Maritime educational institutions that concentrate only on the STCW model course system have especially considerable gaps. However, these gaps can't be blamed on the educational institutions alone. They have to be seen in direct connection with the introduction of STCW 95 and Manila 2010, and the IMO has to face the question of how it can be that we have seen a rapid drop in the level of training since the introduction of STCW 95. This is reflected particularly in the lack of sound technical and electronic background knowledge in the model courses, because it has been degraded to a minor matter. Today only pure users are trained, who should be able to work with software and application programs, but not operators with in-depth technical background knowledge of the equipment entrusted to them. However, this is absolutely necessary in order to sensitize the ship captains, nautical officers and marine engineers on board to the technical understanding of realistic cyber threats. But this requires knowledge of where there are access points to internal networks that can be manipulated by unwanted external access. So technical background knowledge
Relying solely on manufacturers' service facilities and the standards defined by the IMO and classification societies in cooperation with industry is not enough. The knowledge must be on board during operation at sea, where all these facilities are far away and the on-board personnel are on their own. And in the worst case, there are no external communication options.
Similarly, the question arises as to why, in an increasing number of cases, manufacturers, especially in the field of e-nautical equipment, deliver only operating manuals on board, while technical manuals with detailed technical plans are sought in vain. The argument that there are maintenance contracts with service facilities is unfortunately completely inadequate. At sea there is no service, and the on-board personnel are often hopelessly overwhelmed when they have to describe a certain error pattern and its effects, because their technical background is insufficient and they never learnt the principles of sophisticated troubleshooting (from simple to complicated). And effective technical manuals with detailed descriptions of technical components and functional principles are not available as a technical guide.
The argument that the crew can't read these plans anyway is groundless. In that case the training of officers and engineers must be geared to enabling them to read these plans. So, further in-depth technical training. Unfortunately, STCW 95 and Manila 2010 are only partially suitable for these requirements, even if nobody at the IMO wants to hear that. The requirements are constantly growing with the introduction of new IT technologies aboard ships in maritime shipping. STCW 95 and Manila 2010 must be extended, the new technical developments must be taken into account and adapted, and technically deepened knowledge must be implemented in the model courses. Only existing technical knowledge among the officers and engineers on board creates the prerequisites for addressing the issue of cyber threats with due understanding and accompanying sensitization, and for creating effective countermeasures. In addition to the points I mentioned in my article "Cyber Threats on Ships - what is true, what is vision, what is fantasy?"
The debate about the cyber threat in shipping, which is currently being pushed nonsensically, ignores many questions and does not have only positive effects. The IT security industry, with all the roar it has stirred up in the broad public, does not seem to grasp that it invites hackers and criminal groups to demonstrate in practice the artificial scenarios it publishes in the media. Everything is published far and wide, full of pride and pathos. It would be no problem at all, because good IT developers are not active only in the IT security branch. And as everyone knows, malware developers are always one step ahead of IT security developers.
It is incomprehensible why this issue, so sensitive for shipping, is not discussed in the appropriate specialist committees, taking security aspects into account. No, it has to be widely publicized for the general public. Thus the IT security industry contradicts itself in all its proclaimed security matters, ignores any caution and invites imitation on a large scale. In fact, there seems to be some profiling neurosis in the IT security industry in order to secure market share and thus lavish profits.
The legitimate question must also be allowed of who would have an interest in taking control of a manned ship on the open sea, in coastal waters, in canals or at port approaches, manipulating internal ship networks and making massive interventions in ongoing ship operations, and what the purpose of such an action would be.
Such manipulations make no sense in harbor and channel operations because, under normal circumstances and for reasons of safety, ships are navigated there hands-on in accordance with good seamanship, i.e. with manual rudder guidance, in order to be able to respond without delay to unexpected events. This also means that there is a direct connection between the helm control station and the gyrocompass that can't be influenced by networks, because it is not connected via networks. Even if all gyro-repeaters were to fail due to manipulation of the repeater-boosters, there is a direct link between the gyrocompass and the manual rudder control station, which can't be manipulated.
The position is checked continuously: visually, by landmarks as far as visibility permits, and by radar (e.g. heading mode). The recommended speed sensor in radar systems must be set directly to Log / Bottom Track and not to GPS. Echo sounders work independently without GPS. GPS is only used as a kind of backup. If required, control of the ME remote control system can be transferred immediately to the ECR or to the local control station directly at the ME; no network has access to it. Diesel generators can be manually started and monitored at any time. Bow thrusters can be manually started at any time without the need for a network. Valves, fuel pumps, separators and air systems can be taken under local control. It thus turns out that, according to the recognized rules of the operating regime when underway in restricted waters, external manipulative interference via SAT-Com or GPS protocols in internal ship networks does not make sense. Such interference has no effect.
And even on the high seas and in coastal waters, the sense is not apparent, because even there ships are by no means defenseless against cyber threats. And again the question: who is supposed to benefit from such manipulations? There will be no benefit, because the ideas that IT security "experts" have in their imagination can under no circumstances be reconciled with the conditions on board today's ships. Maritime shipping, like aviation, is a mode of transport in which redundant systems are the basic requirement for safe operation under all operating conditions. And that's just as well. There is too much at stake. This is apart from human error, which must always be considered as an element of erroneous decisions and negative consequences, based primarily on erroneous human decisions whose causes can be complex and have nothing to do with cyber threats at all. In my view, the current overheated discussion on cyber threats in shipping is a huge trial balloon that completely ignores the reality of the technical possibilities on ships under current conditions.
And not only that: IT security "experts" and insurers try everything imaginable to completely exaggerate cyber threats, without sense or reason. The best example of this is the case of the General Cargo Vessel "Ruyter" of October 2017, which self-proclaimed cyber threat "experts" portray as their prime example of a cyber threat as the cause of a marine casualty. In an article in the maritime publication "Fairplay", "Shipping sector must move from default cyber settings", of 09 July 2018 by Jon Guy, Marine Insurance (unfortunately it is not clear which insurer he works for), Adam Brown, the manager for security solutions at the software specialist "Synopsys", is quoted as actually stating that this accident was caused by a cyber threat.
In fact, this maritime accident had absolutely nothing to do with cyber threat:
In the "MAIB investigation report 11-2018: Ruyter" from the British investigation authority, nothing is written about a cyber threat being the cause of the accident. It is explicitly pointed out that Bridge Resource Management (BRM) was not followed and the Bridge Navigational Watch Alarm System (BNWAS) was not activated according to the IMO guidelines. The ship's captain, acting as bridge watch officer, was under the influence of alcohol, had left the bridge and left it unattended for a long time. Because the BNWAS was not activated, the watch alarm could not be triggered in the cabin of the CO, and as a result he was unable to intervene and prevent the marine casualty.
How a cyber threat can be invoked as the cause can't be deduced. Here, misconduct under the influence of alcohol, non-compliance with existing guidelines and gross negligence were the triggers of the accident. So, very analog factors. If the BNWAS had been activated, the accident could have been prevented.
Adam Brown's conclusions are far-fetched, proving that neither Jon Guy nor Adam Brown knows what BNWAS is. But they are the first to pull the cyber threat out of their sleeve without any credible evidence for such an assertion. That's how the IT security industry turns out to be untrustworthy. I am grateful to Lars H. Bergqvist for engaging with this case, clarifying the truth and posting it on LinkedIn.
The IT security industry should be aware that there are outstanding maritime specialists in shipping who know how to easily distinguish nonsense from sensible reasoning and technically sound knowledge in their investigations. It's not about compromising. The point is not to over-inflate the cyber threat problem, but to assess it correctly and to be realistic about the conditions that exist in today's shipping industry and its effective ways of dealing with cyber threats through redundant systems. We all know that this problem should by no means be trivialized. It exists, and it will become even more important if MASS is introduced in the shipping industry. The aim must be that all parties, including the IMO, classification societies, shipping companies, shipyards, manufacturers, IT specialists, ship crews and logistics companies, come together again on this subject in factual, goal-oriented and results-oriented cooperation in order to be prepared for future challenges in this area. This must always be done from the point of view that economically manageable costs, easy understandability and easy-to-use tools, as well as technological solutions, must be found that optimally combine all the components mentioned.
Developers should always include the existing redundant systems aboard ships in their development work. I think this is a closing word that helps to classify correctly the provocative significance of cyber threats in present and future maritime shipping.
Let's make future discussions more objective to prevent over-saturation and, therefore, diminishing interest due to excessive, hysterical attention rituals by some IT security companies. It is in the interest of all.
The views presented above are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
The above article was initially published on Capt. Gunter Schütze's LinkedIn account and is reproduced here with the author's kind permission.
Written by Capt. Gunter Schütze
Capt. Gunter Schütze holds a Master's Degree of Engineering in Ship Guidance. He currently serves as a freelance author, and he also contributed to follow-up and completion work on a study about the crisis in German and international shipping, until its publication as an e-book in the German book trade. He further serves as an active captain aboard large container vessels.