Cyber security in particular for critical infrastructure such as VTS
What started out as manually operated stand-alone lighthouses has now turned into an interdisciplinary field of engineering; modern vessel traffic services rely on highly complex distributed systems and a number of different technologies. On the one hand, this offers new chances and possibilities for ensuring a safe, smoothly flowing and therefore economically efficient shipping traffic. On the other hand, it also introduces new attack vectors that can be exploited. Barely a day goes by without a new cybersecurity incident or a vulnerability in software or systems making the news. Vessel traffic services are often part of critical infrastructure and thus need to be reliable as possible, as security incidents can have disastrous effects.
Protecting distributed systems is a complex matter in any environment. Vessel traffic services are no exception to that, instead they can be even harder to protect for a variety of reasons.
First of all, the soft- and hardware that are utilized are often tailored to satisfy specific demands and expectations of the VTS centres. Commercial off-the-shelf solutions are rare, in some areas non-existent. Best practices mostly exist for standard solutions and need to be adapted for custom soft- and hardware and the specific environment in which they are used.
Furthermore, the VTS systems have a much longer lifespan than ordinary office systems and contain specialized components. Some of those components may rely on functions of certain software versions, e. g. a specific operating system or library. As the required functions may change or disappear over time, even simple best practices such as regular updates can prove difficult, leaving the system open to attacks. Adding security measures for applications that were not designed to be extendable can be near impossible. New systems therefore need to be designed with a focus on cyber security, using principles such as security by design and security by default, assuming updates and patches to be ordinary events in the natural life cycle of a system and including intrusion detection and prevention systems alongside classic digital perimeter protection such as firewalls.
A further layer of complexity is added by the interdisciplinary nature of vessel traffic services. Both developers and users of the systems are experts in a variety of engineering disciplines or nautical science but do not necessarily have a deeper knowledge of cyber security. Regular cyber security awareness trainings are necessary to both enable them to recognise possible security incidents or pitfalls and generate a basic level of acceptance for security measures. Any security measures that are not accepted will be ignored – passwords on post-its, door stops for doors that should be closed, staying signed in when leaving the desk are typical cases of security measures being ignored.
In an ever more interconnected world, addressing cyber security risks is not merely optional but mandatory for well-working systems. A building without smoke detectors is not an option and neither is a server without a properly configured firewall. An information security management system implemented and operated by cyber security experts can support engineers and nautical staff alike, improving the reliability of the VTS and thus ensuring the safe and reliable operation of VTS centres. Information security is a holistic approach that encompasses not only perimeter protection and protection against nature but also organisational aspects and of course the digital measures that improve the likelihood of withstanding attacks – firewalls, malware detection, encryption etc. The overall goal is to protect the availability, integrity and confidentiality of all kinds of information needed. Combining the knowledge and experience of engineers, nautical experts and cyber security experts is the best and most likely only chance we have to build usable, reliable and well-functioning systems that withstand not only natural disasters but can also mitigate risks from software vulnerabilities and planned attacks from all kinds of threat actors.
Author: Laura Louisa Barker
Rapporteur: Paul Ridgway
