Industry Day on Maritime Cybersecurity, 2023: Summary of Event

March 31, 2023

Introduction

The Canadian Coast Guard (CCG) organized on February 2, 2022 the first Industry Day on Maritime Cybersecurity (IDMCS), a virtual event bringing together various players from government, industry and academia to discuss issues related to cybersecurity in the maritime domain. This report summarizes the key points and discussions that ensued during the second annual IDMCS occurring on March 9, 2023 in person and virtually.

Agenda of the event

The event agenda included the following presentations:

• Introductory Remarks: Mr. Marc Mes, Director General Fleet and Maritime Services, opened the event and introduced Mr. Kevin Brosseau, Associate Deputy Minister of Fisheries and Oceans, the ministry responsible for the CCG.
• Keynote Address: Delivered jointly by Dr. Guy Kessler and Mr. William Loomis from the Atlantic Council, who gave an overview of where cyber threats and risks exist within the marine transportation sector as a whole, while outlining potential approaches for improvement in terms of cybersecurity.
• Panel 1 on Cybersecurity Governance: The panel was led by Dr. Jose M. Fernandez, from Bastionnage Consulting, and included Mr. Kevin Fenech from Public Safety Canada (PSC), Mr. Aiden Ryan from Transport Canada (TC), and Mr. Matthew Parker from the United Kingdom (UK) Department for Transport (DfT). Mr. Fenech delivered a presentation on Bill C-26, “An Act Respecting Cyber Security”, that was introduced to Parliament on June 14, 2022. Mr. Ryan presented ongoing and future efforts of TC towards ensuring cyber security in the maritime domain. Finally, Mr. Parker described policy and strategic efforts for maritime cybersecurity in the UK. The presentation was followed by a question and discussion period.
• Panel 2 on Raising Awareness in Cyber Security of Aids to Navigation/ Vessel Traffic Management Services / Shipping: This panel, also led by Dr. Fernandez, included the following panelists: Dr. Guy Kessler, Mr. Robert Quinn from Macdonald Dettwiler & Associates (MDA), Mr. Brian Lachine from the Royal Military College (RMC) Kingston, and Mr. Ernest Batty from International Maritime Information System Global. This panel aimed to present the audience with the cyber threats and potential countermeasures specific to Aids to Navigation (AtoN), Vessel Traffic Management Systems (VTMS) and shipping in general.
• Panel 3 on Training: This panel addressed the overall issue of training and retaining a workforce that is effective in countering the cyber threat to the maritime domain. This included: first, individual cyber training for non-cyber personnel involved in the maritime domain; second, individual maritime-specific training for cyber personnel; third and lastly, collective training on cyber preparedness and response for all of the above. The participants were William Loomis from the Atlantic Council, Jaime Brennan from the CCG, Robert Pitcher from PSC, Peter Hay from Simspace, Chris Macdonald from Price Waterhouse Cooper (PWC) and Sean Heusser from the Canadian Steamship Lines (CSL) Group.
• Closing Remarks: Mr. Chris Henderson, Deputy Commissioner of the CCG addressed the audience, summarizing the key points of the event and reiterating the CCG’s intention to continue with organizing such efforts.

What was heard

The following is a list of the main ideas and recurrent themes that came up during presentations and discussions during the event, in no particular order:

• The size and impact of cyber threat against maritime;
• Technology evolution and related threats: Maritime Information Services, S-100, increased digitalization, and AI;
• Current and future maritime cyber security governance;
• AIS security problem and potential solutions;
• Cyber attacks against ships – a reality check;
• People as a resource, not as a vulnerability;
• Individual training; and
• Collective training.

We now describe these points in more detail:

The seriousness of the cyber threat against the maritime domain

Some presenters provided gripping statistics underlying the importance of maritime merchant traffic to our overall economy and how even minor disruptions caused by cyber attacks could have tremendous economical consequences. One presenter described how the interconnectivity and inherent complexity of the maritime sector, to be understood as a “system of systems” makes it very hard to predict the outcome of even minor disruptions of on a single of its components. Due to this connectedness, while critical components may be better secured against cyber attacks, they could be equally affected by cyber attacks on less well protected facilities and ancillary systems and that they rely on, or equivalently on other ships sharing access to the same facilities and shipping lanes.

Changes in technology and evolving threats

The digitalization of maritime systems and maritime information is about to enter a new more intense phase due to the advent of new technologies and initiatives such as international web-based Maritime Information Services (MIS) and Maritime Single Window (MSW), and unified information formatting and transmission standards such as S-100. The potential gains afforded by the wide-spread adoption of such technologies are offset by the larger attack surface that they provide to cyber attackers. In addition, it was discussed how the use of Artificial Intelligence might help attackers find vulnerabilities and optimize strategies to maximize disruption.

Current and future maritime cyber security governance

The various presentations introduced and discussed the current regulatory and standardisation framework regarding maritime cyber security. This includes non-mandatory guidelines by international organizations (e.g. International Maritime Organization, Baltic and International Maritime Council, and so forth ), national maritime security laws and regulations, and national cyber security policy framework and regulations. Presentations covered such national frameworks for the UK, the United States (US) and Canada. The overall conclusion is that while many national and international organizations have made cyber security a priority, regulation of maritime cyber security is very much in its infancy. While policy and high-level objectives are being defined and in certain cases enforced, there is still relatively little guidance in terms of mandatory or recommended standards and procedures. While it was recognized that this will change in the near future, it was mentioned on several occasions that the regulation-making process will require industry-wide dialogue and support.

Automatic Identification System security problem and potential solutions

The lack of authentication in the Automatic Identification System (AIS) protocol used by ships to self-report their position was described as a serious threat to maritime safety. The ease with which attackers could send spoofed AIS signal with cheap and readily available hardware and software makes it possible to mount cyber attacks with significant consequences on maritime traffic, as was described by one presenter. While several proposals have been made to replace AIS with a more secure version, the difficulty and length of time required to have such a replacement internationally approved and deployed requires the adoption of immediate solutions to mitigate this threat. Two different technological approaches that can help detect such spoofed transmissions were presented: first, fusion of different satellite remote-sensing data sources; and second, software-based detection methods based on modelling of real-world ship movements. Nonetheless, it was underlined that even the road would be long, efforts to find a secure replacement for AIS should start immediately.

Cyber attacks against ships: A reality check

There was some discussion on whether cyber attack scenarios leading to severe or extreme safety impacts (such as beaching or running aground) were realistic. While such scenarios are theoretically possible it was argued that the far more likely scenarios are subtle attacks, affecting only a few key systems for short periods of time. Ultimately the goals of the attacker must be kept in mind. If the aim is to create economic disruption through interruption or delays in maritime traffic, the most effective cyber attacks, may not necessarily the most spectacular ones.

People as a resource, not as a vulnerability

The cybersecurity problem is not only about technology. It is about humans. Many vulnerabilities and attack scenarios require action by humans. Humans are part of the vulnerabilities, however, they are also the greatest asset of an organization, not only in terms of detection, but also in terms of prevention and response to cyber attacks, provided they are well trained, aware and motivated.

Individual training on maritime cybersecurity

Several presenters and panelists discussed the issue of individual training of personnel. The first aspect is the training of personnel working in the maritime domain to achieve a minimum level of cyber-security awareness. Some presenters described ongoing efforts within their organization to achieve such awareness through recurring individual training, cyber awareness campaigns (e.g. pseudo-phishing campaigns) and internal communications (e.g. newsletters). Beyond such generic information technology (IT) cyber security training, it was identified that mariners need to be trained on cyber security to higher level and imparting them with knowledge specifically adapted to the systems they work with, be they IT specific to the maritime domain or operational technology (OT).

The second aspect is the training of generic cybersecurity personnel on maritime-specific systems and cyber security. Currently there are no formal maritime cybersecurity training programmes and certifications in Canada. It was discussed whether this was a gap that needed to be addressed in priority. The answer from participants seemed to be that this was not the priority: the real priority is the lack of cybersecurity personnel per se. That is the problem that should addressed in priority as a sector and as a country. Transforming trained cyber security personnel into maritime cybersecurity personnel is the “easier” part (i.e. something that can be done with time, within any cyber mature maritime organization), or alternatively by upskilling the personnel working with cyber third parties such as Managed Security Service Providers (MSSP).

Collective training on maritime cybersecurity

Several presenters described various types of efforts within their organization to collectively train maritime personnel on cyber security threats through various forms of exercises. Cyber exercises were described as falling in three categories:

1. Table-top exercises involving key technology and operational players, with the aim to “test” response and recovery procedures, enhance communications and improve mutual understanding between departments, etc.
2. Cyber range exercises involving mostly technology players, with the aim to test detection, response and recovery procedures at the systems level.
3. Management-oriented table-top exercises, where top-level management is confronted with high-level description of cyber attack scenarios with the aim increase awareness and readiness to manage risk and deal with such crisis.

The first two type of exercises are the most common. In the US, both types have been conducted for years at the national level, with many incorporating some aspects of the maritime domain and some being specific to the maritime domain outright. In Canada, the first type of exercise is most common having been conducted nation-wide, but not necessarily for specific domains. Some maritime organizations have been conducted them or will be conducting them soon.

It was described that conducting table-top exercises requires significant amounts of preparation time and resources, requiring them to be planned several months to years in advance. In addition, there are several important challenges in organizing them such as recruiting and retaining participants and subject-matter experts, as well as “meta-training” exercise support personnel in exercise preparation and conduction. Nonetheless, the value added of these exercises to organizations in terms of crisis readiness is tremendous. Despite the significant efforts, they provide unique collective training opportunities to “train as you fight” and to implement and test a “combined arms approach” where both operational and technical personnel can interact and work together in a non-crisis situation, ahead of potential crises. Cyber-range exercises have different objectives (training of cybersecurity personnel) and require important technical resources. In both cases, making them domain-specific would require significant scenario development efforts and in the latter case also technical development efforts.

The question was raised as to whether a Canada-wide maritime-specific cyber attack table-top exercise would be beneficial. All agreed that it would be. However, it was cautioned that the significant effort involved would rather warrant a gradual approach towards that goal. For example, by starting with one-day or half-day exercise scenarios involving only a single or a few organizations and less technical “realism”, and gradually building up towards sectorial exercises with a higher degree of technical realism and integration with cybersecurity personnel and organizations.

Conclusion

In summary, the event provided a forum for discussion on a wide variety of topics in maritime cyber security. The panel format allowed for lively debate that allowed the identification of important topics and what seemed to be a general agreement on common objectives and priorities to allow the Canadian maritime sector to move forward on maritime cybersecurity: increased opportunities for dialogue between the private and public sector, in order to support ongoing regulation making efforts and future collective and individual training opportunities.