Risks with Old and Outdated Digital Systems, Plus a New Maritime Cybersecurity Organization

The maritime industry has been busy during May and June relative to cybersecurity. I recently came across an interesting opinion article on csoonline.com entitled “Legacy Systems are the Achilles heel of critical infrastructure cybersecurity” by Christopher Burgess.

As I read the article and pondered the headline, I immediately thought that “legacy systems” are also an Achilles heel in both shipboard and seaport digital environments. So, the first section of this commentary is an expansion of this thought.

Secondly, in June, there was an announcement about a new maritime cybersecurity group called the International Maritime Cyber Security Organization (IMCSO). I’ll tell you more about what I’ve discovered about IMCSO at the end of this article.

But first, let’s talk about the vulnerabilities caused by old and outdated equipment and software.

Legacy systems (aka “old” and “outdated” systems and components) are a significant vulnerability affecting shipboard critical infrastructure cybersecurity. These outdated systems, often running on obsolete and/or out-of-date software and hardware, pose substantial risk to the safety and operational integrity of maritime vessels and seaports.

The reliance on legacy systems in the maritime industry is not unique and creates numerous challenges, including increased susceptibility to cyberattacks, difficulties in maintenance and integration concerns with modern technologies.

ISSUE: Multiple Attack Points for Cyberattacks

Many of the common cybersecurity challenges that affect the maritime industry parallel those in other industries dealing with IT and Operational Technology (OT) networks. These include:

  • 24/7 remote access granted to third-party original equipment manufacturers (OEMs).
  • Inadvertently or deliberately connected IT and OT networks.
  • Lack of cybersecurity awareness among the crew, employees and contractors.
  • Lack of real-time monitoring or segmentation of the OT network.
  • Lack of visibility into third-party OEM networks (aka black box).
  • No clear understanding of all systems and devices on the OT network across a fleet, ship or seaport.
  • Poor physical security controls.
  • Use of unsecured wireless networks.

Most of all, legacy systems are a very weak link on the operating vessel or seaport and the perfect attack point for a cyberattack.

ISSUE: Increased Susceptibility to Cyberattacks

Legacy systems are particularly vulnerable to cyberattacks due to their outdated software and lack of modern security features. For instance, many older shipboard systems run on unsupported operating systems (e.g., Windows NT, Windows 95, Windows 10), making them easy targets for cyber criminals and nation-state attackers.

A notable example is the use of outdated SCADA (Supervisory Control and Data Acquisition) systems in maritime operations, which have been exploited in past cyber incidents. These systems often lack the necessary patches and updates, exposing known vulnerabilities.

ISSUE: Maintenance and Support Challenges

Maintaining and supporting legacy systems is a daunting—and possibly impossible—task. As these systems age, finding parts, software patches and expertise to keep them operational becomes increasingly difficult.

This was evident in the case of the Ivanti Pulse Connect box, which contained components up to 23 years old, highlighting the challenges of maintaining end-of-life systems without manufacturer support.

The maritime industry faces similar issues, where outdated systems on ships and in seaport environments require constant attention and specialized knowledge to ensure they function correctly and are secure.

This issue is made more difficult because ships operating at sea are not necessarily in a position to be updated or to download the necessary patches. You don’t want to “tip over” a ship’s critical cyber system while underway.

To learn more about supporting a maritime fleet from ashore, I would suggest you read the article “Defend critical infrastructure from cyber threats like the U.S. Navy protects ships,” [https://bit.ly/3Wg3XUz] by Tracy Gregorio, CEO of G2 Ops.

“The U.S. Navy creates digital twins of their ships and land-based systems through Model-Based Systems Engineering (MBSE),” according to Gregorio. “This approach enables the Navy to simulate, analyze and optimize the performance and maintenance of their systems before and after they are built or modified, ensuring that potential performance or vulnerability issues can be identified and proactively addressed.”

She also observed that the Navy is improving cyber protection by connecting system-wide MBSE models with real-time threat databases.

ISSUE: Integration Issues with Modern Technologies

The integration of legacy systems with modern technologies is another significant challenge. As ships become more digitized and connected, the need for seamless integration between old and new systems becomes critical.

However, legacy systems often use proprietary protocols and outdated interfaces and APIs, making it difficult to integrate them with contemporary IT and Operational Technology (OT) systems.

This lack of integration can lead to operational inefficiencies and increased cybersecurity risks when maintaining the mission readiness of ships and seaports with complex IT and OT systems.

Case Studies, Real-World Examples

Several real-world examples illustrate the risks posed by legacy systems in the maritime industry.

For instance, the increasing digitization of maritime vessels has led to more frequent cyberattacks, with hackers targeting critical systems such as bridge controls, propulsion systems and navigation systems.

These incidents underscore the urgent need to address the vulnerabilities associated with legacy systems.

Conclusion

Legacy systems are indeed the Achilles’ heel of shipboard critical infrastructure cybersecurity. Their outdated nature, combined with maintenance challenges and integration issues, makes them prime targets for cyberattacks.

To mitigate these risks, the maritime industry must prioritize the update and modernization of legacy systems, implement robust cybersecurity measures and ensure continuous monitoring and updating of all critical digital systems.

Only through such proactive measures can the industry safeguard its vessels and ensure the safety and security of maritime operations.

A question to the reader is: who do you have in charge of cybersecurity on your ship and in your seaport?

A New Organization: IMCSO

On June 18, most of the maritime news sites I monitor proclaimed the launch of the International Maritime Cyber Security Organization, aka IMCSO. About 22 different maritime publications included headlines in June regarding IMCSO’s establishment.

Most of the information gathered about IMCSO comes from its website, www.imcso.org.

IMCSO’s goal is to improve cybersecurity risk assessment across the global maritime industry. It was established in response to increased cyber risks in the maritime sector and aims to accelerate and improve cybersecurity measures aboard vessels.

However, there does not appear to be any official mandate from the International Maritime Organization (IMO) or other classification societies to establish the organization.

According to the IMCSO website, the IMCSO is not for profit and exists solely to drive supplier standards across the maritime cyber industry.

Also from the IMCSO website:

“The IMCSO mission is to be the standard in the maritime cyber security industry, a collective voice, working towards alignment and standardization. By setting frameworks for effective, universally adoptable methodology and innovating for future developments. Be transparent, reliable, deliver cyber security by design towards digitalization, green technology and autonomous shipping.”

IMCSO has been established to provide training and support in four distinct domains, described on its website as:

  • Maritime cyber certification – The IMCSO has devised a certification program for security consultants and a professional register helping shipping organizations confidently select experienced personnel. Alongside this, the IMCSO would also validate report outputs to ensure consistency with those reports held in a central database and made accessible to the authorities and third parties that need to determine the risk status of a vessel.
  • Certified supplier registry – The organization maintains a register of approved maritime cyber resource suppliers as well as individual certifications within those supplier companies. This aims to ensure that the marketplace can easily identify suitably qualified cyber providers.
  • IMCSO report standardization – The IMCSO drives the standardization of report output such that the relevant consumers of this information, including port authorities and insurance companies, will have the ambiguity of interpretation removed, allowing them to reduce time and overhead when considering the cyber risk a vessel presents.
  • Centralized cyber risk registry – The organization maintains a database of results from ships that relevant parties may access to view the cyber-risk profile of any given vessel quickly and cost effectively without the need for the risky transfer of security reports via email or otherwise. The data would be used to inform the IMO, ship builders and management companies of trends in cybersecurity.

IMCSO’s website indicates that it’s chartered in the United Kingdom and partners with six European cybersecurity entities. There doesn’t appear to be any connection to the U.S. West Coast maritime industry based on its website.

A final perspective about IMCSO comes from Singapore Shipping Association President Caroline Yang.

“The independent validation of cybersecurity professionals offered by the IMCSO will help our members to select cybersecurity testers in a much more efficient way, ensuring they allow personnel onboard with the requisite experience,” she observed. “It will make it much easier to comply with the IMO mandate and will prove an invaluable resource.”  

For more information on IMCSO, reach out to info@imcso.org.

Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the 9/11 attacks. He was previously a U.S. Navy Nuclear and Surface Warfare Officer and has published a book, Critical Infrastructure Risk Assessment—The Definitive Threat Identification and Threat Reduction Handbook, that was named the 2021 ASIS Security Book of the Year. Please send your questions or suggested article ideas to enhayden1321@gmail.com.