This post is a guest post by Daniel Lewis, a subject matter expert on industrial cyber security, industry 4.0 and smart cities, written specifically for ACUA Ocean.
Let’s discuss Remote Operation Centres in the Age of Autonomy. We will also touch lightly in this post on the potential associated risks - focusing on cyber risks!
What is a Remote Operation Centre?
A Remote Operation Centre (ROC), also known as a Remote Control Centre (RCC), is a centralised environment where a person or a team can command, control and monitor some thing or things remotely. Within the context of the maritime sector, this will include Maritime Autonomous Surface Ships (MASS), or Uncrewed Surface Vessels (USV), such as those developed by ACUA Ocean.
What is the Age of Autonomy?
The Age of Autonomy is an era brought about through advances in topics such as Artificial Intelligence (AI), Robotics and the Internet of Things (IoT).
IoT is essentially hyper-connected devices enabling easy access to processing, usually via sensor input. Robotics involves sensors, processing and actuators (manipulation of the real world).
AI is very definitely in the news at the moment - with chatbots like ChatGPT, Google Bard and Microsoft Bing Chat receiving media attention - but in reality it has existed for many years. The goal with AI is to essentially emulate biological intelligence (it doesn’t need to be human intelligence!)This can be done in a logical way (e.g. deduction or induction on knowledge-bases, or associated rule mining, or pathfinding algorithms, etc) or a biological or physics inspired way (e.g. neural networks, genetic algorithms or simulated annealing), or some hybrid of the two strands. The most useful forms of AI are those which optimise processes - finding solutions/answers more efficiently, safer, more securely and/or more accurately than a human (or humans) can.
What are autonomous platforms?
When it comes to autonomous platforms, it’ll be easy for those of us in the software/digital sectors to think about software systems which help automate. That would be incorrect though! An autonomous platform is an encapsulated robotic system, or control system, which is capable of acting autonomously.
A good example of an autonomous platform would be the Uncrewed Surface Vessels by ACUA Ocean, which has flexible payload capability enabling all kinds of use-cases from Marine Observation through to maritime security and subsea surveying, and more.
Are there cyber vulnerabilities in the link between Remote Operation Centres and Autonomous Systems?
Of course, Remote Operation Centres are used to monitor and ultimately control autonomous systems (including autonomous platforms). So, there is connectivity there whether that be Wi-Fi; 3, 4 or 5G; satellite connectivity; or something else.
Whenever there is connectivity like this, there is an increase in vulnerability. We rely on the security of data being transmitted through the air (or another medium), and therefore the availability of that data to be read and potentially manipulated by a third party is high. It is a risk which we must handle. Some organisations will choose to ignore the risk, some might even accept it, some might transfer the risk into insurance, but ideally we need to mitigate it by ensuring that the equipment being used is well thought through in terms of security (e.g. authentication & authorisation, firewalls, and perhaps anti-virus and intrusion detection systems installed if applicable), and is also updated with security patches swiftly. Importantly data should be encrypted in storage (“at rest”) and during communications (“in transit”), to increase the confidentiality and integrity of the data.
Why might these systems be a target? Where are the human factors?
The way that I see this question is really “why would anyone ever want to target autonomous systems?” and the answer is that we, as humans living in an environment, are beginning to rely on the safe and secure operations of these autonomous systems. A hacker group, or the party funding the hacker group, has the objective of causing disruption in one way or another - and vulnerable systems which we rely on are a very easy target which can be exploited in order to achieve their objective.
We need to essentially think like a hacker. We need to think about “what are the potential effects of this system being vulnerable?” This should include:
Can I get access to sensitive or confidential information?
Where might the easiest points be to access?
What are the most important parts of the system for operations, and how might they be connected with other parts of the network?
What people and processes are involved in the operations of such a system - are they vulnerable (in a non-technical way)?
On the surface cyber security is a technical subject. Under the hood, however, is a subject which oozes with elements which have human factors. It is well documented that the most vulnerable parts of a system or organisation are humans. Humans are susceptible to clicking on links to phishing sites, or accidentally installing software which turns out to be ransomware. Humans are also the ones which sponsor attacks, and build malware - and are the ones which pay a ransom to have their data released. On the flip side, through adequate awareness and activism, humans can also be a major part of reducing cyber risk.
Cyber attackers will not only use technology vulnerabilities they will use human vulnerabilities too. To highlight the human element here I like to use JOAN as an acronym to describe cyber attackers, they need to have/be:
Just enough technical expertise
Opportunistic
Acting skills
iNquisitive
In an increasingly digital and automated world; cyber security should be just as important and just as at the forefront of the mind as physical security and personal safety. It should be as easy as locking the front door when you leave the house or putting fresh food in the fridge to keep it safe to eat. Cyber security is just as important.
With that in mind designers and operators of Remote Operating Centres need to take a proactive approach to cyber threats - both physical vulnerabilities inside the command centre but also digital risks. These should include (but are not limited too):
Individual user accounts, where possible, and logging of access to critical systems - both physical and digital
Understand what assets are owned and managed, and how data and users flow through operational processes
Established cyber security processes, with regular training and audits - throughout an entire organisation from board level down
No external recording, transmitting or storage devices allowed in the ROC
No photography/videography inside of the ROC whilst operational
Hiring a third party to undertake a penetration test - not only digital, but physical too. Taking particular care of social engineering.
Preparing for an incident, perhaps playing through a mock scenario to make sure that all bases are covered
This post is a guest post by Daniel Lewis, a subject matter expert on industrial cyber security, industry 4.0 and smart cities, written specifically for ACUA Ocean.