As the maritime sector increasingly looks towards automation and digitalisation as a means of reducing costs, increasing efficiency and scaling services, so cyber threats from both individual opportunists and state-sponsored teams have increased.
According to Forbes, cyberattacks on maritime systems increased 900% in the past three years alone. This coincides with a cyber-security market that is estimated at $146.30bn in 2022 and is anticipated to reach $366.10 billion by 2028 (12% CAGR). According to a recent CyberOwl report, 44% of industry professionals reported that their organisation has been the subject of a cyber attack in the last three years. Of those, 3% resulted in a ransom being paid by the victim to the attacker, at an average cost of US$3.1 million.
From the NotPetya ransomware attack on Maersk to the hacks of the ports of Barcelona and San Diego, cybercriminals are increasingly targeting the maritime industry, with one estimate stating that a single cyberattack on a major Asia-Pacific port could cost up to $110 billion.
For the vast majority of sophisticated attacks, financial exploitation is the main objective, with criminals selling extracted data or extorting ransoms from shipping firms. But in a world of increased geopolitical tension, more targeted attacks to disrupt supply chains and cause economic, logistical and even military damage are on the rise.
The risk of cyberattacks is particularly acute when you consider autonomous systems, which present three separate but related challenges:
Disruption and harm to business and operations
Disruption to command and control systems
Risks to data security and information integrity
Maritime Autonomous Surface Ships (MASS) rely on a diverse and complex array of onboard components for navigation, fuel management, and other functional operations. Externally, MASS vessels must communicate with operators to coordinate movement and send or receive critical mission parameters. As the sector digitalises more of its processes and operations, more nodes are opened up that could be exploited, including those with capabilities to mount sophisticated attacks on critical infrastructure. A secure, reliable, and efficient communication infrastructure underpins all MASS operations, which in itself presents an attractive target for attackers seeking to steal data, inject false commands or disable the vessels. As such, the confidentiality and integrity of MASS communications must be protected against current and future threats, including attacks from quantum computers.
A cyberattack or security breach can mean something as dramatic as a vessel losing control, or as small as a minor change in the vessel's GPS position that's not immediately obvious to the ROC team. Cyberattacks have the potential to damage not only a vessel’s software but also onboard equipment and hardware, including the loss or manipulation of external sensor data.
Developers and governments are aware of these threats, and of the need to build infrastructure and invest in maritime cybersecurity. In section 6.3 of the Maritime 2050 Strategy, the UK government set out its ambition to be a world leader in autonomous solutions and cyber-security:
“The UK will be a world leader in the design, manufacture, uptake, and use of maritime autonomy and other innovative ship-board technologies. Having led the development of an international regulatory framework, UK companies will capture the benefits offered through the export, use, and commercialisation of maritime autonomous and innovative technologies. These technologies will be ‘secure by design’, with vessels displaying resilience towards cyber-security threats.”
This vigilance across the board is part of the reason that the maritime digital products and services market is estimated to grow to $345bn by 2030. Meanwhile, Allied Market Research estimated the size of the autonomous vessel market alone to stand at USD 85.84 billion in 2020, and this figure is expected to grow by USD 165.61 billion by 2030.
Cybersecurity is not only a fundamental aspect of the development of autonomous shipping technology but also a necessary condition for the shipping industry to adapt to increasing vessel connectivity or automated operations. With 90% of the world's economic output being transported on ships every day, the value of a criminal or terrorist attack is too great for the threat to disappear. The only way to reduce the threat is to develop better defence and countermeasures and make cybercrime less rewarding.
The future looks set to be one where algorithms will fight algorithms on the battlegrounds, including corporate networks. Recent research in the field of explainable AI involves knowledge graphs that represent complex networks, and assured autonomy centred around building systems with strong performance and safety guarantees every time, in all conditions. This essentially means that this AI is capable of learning what is normal and abnormal on an evolving basis, with negligible reliance on prior knowledge of threats.
There was a time when security measures consisted primarily of "detect and recover", but this failed model is long outdated. To be secure in the future, the model must be "detect and deflect". To this end, we need both smart systems onboard our vessels and smart human/robotics interfaces that reduce the risk of unintentional cyber breaches by employees and operators.
According to data from CyberOwl, over 95% of the cyber incidents on vessels it monitored during 2021 could be linked back to the unintentional insider. Here, as a startup, ACUA has an advantage: there is no legacy software and there are no out-of-date policies and procedures. Instead, we are building a business on industry and technical expertise and over-engineered systems designed to put safety and system integrity first at every step.
ACUA Ocean achieves ISO 27001
In November 2020, ACUA Ocean completed the government's baseline Cyber Essentials certification and achieved ISO 27001 accreditation in April 2022. At the heart of the ISO 27001 Standard is a robust system of policies and procedures which establish the means to identify, treat and learn from security threats in an internationally recognised manner. This system of policies allows us to protect our data and keep our vessels sailing.
We went through the process of ISO accreditation early in our journey to ensure that our processes are robustly engineered and that our vessels are modelled around security, as opposed to security being an add-on or an afterthought. However, we remain aware of the possibility of undetected gaps in our security, and that’s why, as part of our cybersecurity process, we have created a suite of policies which are designed to scale and evolve as our business does.
In addition, March 2022 saw ACUA complete the testing of its prototype vessel systems and the digital simulation of the vessel control in a synthetic environment. As we move towards commercial prototyping later in the year, we will double down on cyber threats, seeking to identify risks and failure points between in-house and third-party systems, and to continually test and iterate best-in-class cyber-defence.
To learn more about ACUA and our approach to cyber security and autonomous systems join our CTO Dr Puneet Chhabra at Defence Disrupted in London this May.