With the recent wide range of high-profile breaches, the issue of cybersecurity has moved to the top of the agenda in many industries. For the maritime and offshore sectors, and the advanced remote operations they entail, the need for robust and resilient systems is even more pressing - with its advanced simulation and testing tools, Marine Cybernetics can help ensure you're protected.
As control systems have incorporated remote operations, there has been an increase in the number of cybersecurity incidents. Maritime control systems are equally exposed to cybersecurity threats as drilling or process control systems.
Holes in cybersecurity have reportedly resulted in incidents such as tilting an oilrig, or complete standstill of systems during relocation of a rig due to malware infections. Changing a vessel's direction via GPS spoofing was demonstrated. Serious flaws in the electronic chart display and information system were documented that might lead to incidents such as the grounding of USS Guardian. Exposure of weaknesses in the automatic identification system that can shut down communication between a ship and the port authority is possible using a $100 off-the-shelf radio kit.
While it is possible to detect spoofing attacks, it will probably take some time for regulations to catch up. Enterprises are lacking the necessary awareness of their own vulnerabilities. While commercial security products are widely used, they are only capable of handling vulnerabilities known beforehand. As a remedy, third-party testing can strengthen cybersecurity of industrial communication systems.
Testing of control system software has been proven to improve safety of offshore operations and reduce downtime. Hardware-in-the-loop (HIL) testing can be applied to verify functional correctness, failure-handling capabilities and robustness. Independent third-party HIL testing is a proven methodology applied in the automotive, avionics and space industries, originally introduced by NASA for testing mission-critical software.
Marine Cybernetics has been applying HIL testing for advanced marine control systems, such as dynamic positioning, power management, steering propulsion and thrusters, blow-out prevention and drilling systems, since 2002. This successful approach can be complemented with the verification of cybersecurity, to treat safety and security together, and provide integrity of control systems.
Testing systems that provide services in the telecommunication networks (web servers and backbone routers, for example) for vulnerabilities has a long history in cybersecurity research. However, testing the communication networks serving human-machine interface (HMI) systems and control systems often requires custom tools due to proprietary solutions.
Although, solutions exist targeting known vulnerabilities of communication systems, such as malware and virus scanners, vulnerability scanners, and intrusion detection systems, they are severely dependent on updates. Therefore, it is important to test communication systems' general robustness to find previously unknown vulnerabilities.
One general method to test robustness of industrial control systems is 'network storm' simulation (NSS). During an NSS, switches, HMI devices or controllers are flooded with network traffic and their capability of handling the overload is tested.
A cybersecurity audit can facilitate a more detailed overview of the systems and likely leads to more thorough testing. Furthermore, scanning of the networks as means to verify that the documentation of topology corresponds to the implementation is a base requirement. Appropriate network segregation is key in order to properly seal off the control network from less critical networks, such as an office network. A penetration test can evaluate the security of remote login solutions and whether there is proper network segregation.
Today, an integrated approach for handling software and software updates is essential. Combining HIL and cybersecurity testing increases safety and security in the maritime and offshore industry. As threats to cybersecurity are always increasing in number and appear from unexpected new angles, a novel methodology is required to secure safe operations at sea. Not all tests can, however, be integrated into tools and be automated; the experience of a tester is still necessary to discover and investigate specific holes in cyberdefences.
