This post is a guest post by Daniel Lewis, an subject matter expert on industrial cyber security, industry 4.0 and smart cities, written specifically for ACUA Ocean/ Blue Ocean Autonomy.
Let’s talk about cyber risks. Specifically cyber threats within transportation in general, and maritime in particular.
What is a cyber risk?
It surprises me every time when someone asks me “what is cyber security?” Before I go any further, I want to say that there is no shame in asking that question and there are no stupid questions. In fact, “what is cyber security?” and its related question “what is cyber risk?” are very valid questions with interesting answers.
The way that I like to describe cyber security is as the topic of ensuring the security and safety of people and operations within the context of digital technology. Cyber security is not wholly about technical solutions to technical problems, in fact, in many cases the solutions and the problems are human driven - and that is still classed as cyber security.
We also talk about cyber risk, which is, from the person or organisation perspective, the probability of an attack/incident occurring and the impact of such an attack/occurring. Consider physical security for a moment, the probability of your house being burgled is potentially very low, but the impact of that happening could be quite high depending on the value of what might be stolen. This is the same within cyber security - for example, a ransomware attack might take a computer down causing disruption to our normal operations, the impact could potentially be large, and the probability is dependent on many factors including the human awareness of such threats.
What are we including within “transportation”?
Transportation usually includes all kinds of road, rail, air and water transport - for any kind of reason, such as personal, business or logistical. It includes the vehicles/vessels/craft themselves, as well as the infrastructure which enables them.
This does also include Maritime Transportation, which is of particular interest to ACUA Ocean who make Uncrewed Surface Vessels, also known as Maritime Autonomous Surface Ships (MASS).
Why might a cyber attack happen in the transportation sector?
If the transportation of goods or people from one place to another is disrupted, it could cause all kinds of negative effects - potentially in a cascade or butterfly effect. Cyber attackers want to make the greatest impact using whichever vulnerabilities that they can find.
Supply chain attacks are a good way to do that, and so the transportation of goods or people is often a target considered by attackers. Attackers will look at who and what is moving from A to B, and what methods of travel are involved, and how to maximise disruption and potential economic loss.
However, it is not just the supply chain that is at risk. Transportation in general should be considered, we can think about newer forms of things that transport - such as drones in the air and sea. Maritime Autonomous Surface Ships (MASS) are indeed at risk of cyber attack, and the risk could be quite high based on what these vessels are doing, or what data they might contain or communicate.
One thing to highlight here is that transportation, like other critical infrastructure and industrial sectors, is made up of what are known as “Cyber-Physical Systems” or “Operational Technologies” - these are the digitally-powered systems which have an interaction with their physical environments. The digital security of these devices, if compromised, could cross the bridge into having a negative impact in the real world. Within critical infrastructure Stuxnet (a cyber attack on a nuclear enrichment facility) and Triton (a cyber attack on a petrochemical plant) are both examples of cyber attacks which crossed the boundary into the physical, causing risk to human health & safety.
What cyber attacks have happened within transportation?
EKANS was a ransomware based attack in 2020 which specifically attempted to terminate processes within Operational Technology (OT) software systems. It was successful at disrupting automotive manufacturing processes within Honda in Japan. It did not directly interact with OT hardware itself, but the workstations which ran OT software - in effect, those systems which monitor and control the plant.
In 2022 on the Isle of Wight in the UK, three EV charging points were cyber attacked to display an explicit adult website rather than the EV network administration website. The vulnerability of many EV charging systems is high, because many of them were made quickly without any form of security-by-design but by using default settings within off-the-shelf hardware such as Raspberry Pi devices.
In 2023, a low-tech vulnerability enabled cyber attackers on board to hijack the tannoy system on an Austrian train just outside of Vienna - causing reputational harm but also creating a physical safety risk in the event of an emergency.
There have been a number of cyber attacks on drones (UAVs), as well as drones being used as a way to get close to a target to deliver a cyber attack to another system. Once again, drones are quite often built quickly without cyber security-by-design, and the communication to/from these devices can be susceptible to being read or manipulated. It also does not require much processing power onboard a drone to enable it to be used as an attack vector.
Is the maritime sector doing enough to tackle cyber threats?
In short, No. Which is why ACUA and MicroSec have partnered together to take on these cyber risks facing the transport and maritime industry to deliver an innovative cybersecurity solution that not only protects OT environments from those aforementioned types of malicious attacks, and overcomes those vulnerabilities, but also is future-focused designed to resist quantum-based attacks.
To put this in perspective, a classical computer would take billions of years to break an AES-256 encryption, but an optimised quantum computer would take less than a day. Post-Quantum Cryptography (PQC) leverages concepts like Public Key Infrastructure by creating quantum-resistant certificates that would encrypt and authenticate networks and devices end-to-end so they stay protected from virtually any type of attack, including quantum-based attacks, protecting transport vessels and maritime devices from the inside-out and across their network.
This post is a guest post by Daniel Lewis, a subject matter expert on industrial cyber security, industry 4.0 and smart cities, written specifically for ACUA Ocean/ Blue Ocean Autonomy.