Cyberattacks are making waves in the maritime industry as modern navigation and communication tools increasingly connect vessels to the internet. To address this growing threat, the International Association of Classification Societies (IACS) has issued a critical mandate: by July 1, 2024, all new ships must be cyber-compliant to set sail.
Cybersecurity firm Athena Dynamics, which specialises in protecting mission-critical infrastructure, has recognised the unique cybersecurity needs of the maritime sector and worked closely with key stakeholders to address these challenges. Ken Soh, the company’s Chief Executive Officer, spoke with Frontier Enterprise to outline the company’s tech strategy.
“Implementing cybersecurity in the maritime industry presents unique challenges, much like any other vertical,” Soh noted. “These challenges stem from the industry’s specific nuances, constraints, and its distinct ethos and culture, all of which require an immersed, hands-on approach to fully comprehend. Unlike more standardised industries, there is no textbook or manual that guarantees success on the first attempt.”
Maiden voyage
More than a decade ago, Athena Dynamics tried to apply its onshore cybersecurity best practices to offshore vessels and ports, and the experience proved to be a steep learning curve.
“Our journey began with various trials onboard different types of vessels — container ships, LNG carriers, roll-on/roll-off vessels, and even smaller, more agile craft such as coastal patrol boats, military ships, and electric hovercraft,” Soh recalled.
Some of the challenges the company encountered included the complexities of end-to-end administration, logistical overheads of onboard assignments, constrained and often unstable communication channels, a lack of IT and security awareness among seafarers, and the difficulty of accurately scheduling work timings while at berth.
Many trials failed to bear fruit due to onboard constraints and mismatched use cases, but one particular instance showed significant promise.
“This trial on a large vessel was highly successful, generating valuable reports on the vessel’s overall security posture. We were on the verge of securing a significant order to deploy the solution globally when the COVID-19 pandemic brought everything to a standstill. Our team was initially disheartened, feeling that years of hard work had come to an abrupt halt,” the CEO shared.
In a twist of fate, the situation gave Athena Dynamics an opportunity to reevaluate its maritime strategy.
“We faced the critical question: How would we deploy and maintain all our hardware devices on vessels sailing across the globe? Maritime operations are inherently global, and relying on hardware meant not only dealing with the complexities of the initial setup but also the ongoing challenges of maintenance and troubleshooting on a worldwide scale. We quickly realised that this approach was not sustainable,” Soh explained.
Hard to starboard
Soon, the company realised that a fully software-based solution could be deployed, implemented, and maintained remotely, even when ships are at sea.
“We affectionately refer to this as the “softwarization” of our solution. Transitioning to a fully software-based approach came with its challenges; the software had to be ultra-lightweight to suit limited onboard resources, yet robust enough to handle low and unstable communication bandwidth, along with other maritime-specific considerations. However, it became clear that this was the right and viable path forward for effective maritime cybersecurity,” Soh said.
While new vessels are designed with robust cybersecurity policies from the get-go, existing vessels can still achieve cyber compliance through a systematic approach, the CEO pointed out.
“We start by remotely assessing the vessel’s infrastructure to understand its current set-up. From there, we make tailored adjustments, focusing on network segmentation to improve the vessel’s overall security posture. Whenever possible, we deploy lightweight, fully software-based solutions that integrate with the existing systems. This approach minimises disruption and ensures cybersecurity measures are effectively implemented, even in environments originally built on older technologies,” he said.
In addition to technological and operational considerations, the human and process components are equally important in any cybersecurity deployment.
“For the human aspect, raising awareness of safe behaviour is essential. However, unlike onshore environments where classroom-based training is common, this approach isn’t practical for seafarers who are often at sea and scattered across the globe,” Soh remarked. “Instead, we provide downloadable, offline self-training materials, complemented by online assessments, which align with the limited bandwidth available onboard. This, along with well-managed simulations and dry runs — such as email phishing campaigns — can yield useful results.”
On the process side, Soh explained that close collaboration with shipping operational leaders allows for the integration of cybersecurity requirements into existing safety frameworks.
“Our approach focuses on refining recovery procedures in line with business continuity management (BCM) and emergency response plan (ERP) frameworks, while considering the unique challenges of operating under sailing conditions. This helps ensure that cybersecurity measures are practical and effective in maritime environments, especially during incidents and emergencies,” he said.
Uncharted waters
With the growing digitisation and electrification of ships, software is set to play an increasingly important role in maritime cybersecurity. Soh expects this shift to not only drive the “softwarization” of key systems onboard ships but also spur the development of lightweight software and services that can perform well in the challenging maritime environment, with its limited and unstable communication networks.
“As global communication technologies improve — offering faster, more reliable, and cost-effective options — we expect this ‘softwarization’ trend to accelerate, bringing more advanced features driven by AI. This will push the industry towards remote operations, taking us closer to the vision of autonomous electric ships,” he predicted.
While these advancements offer promise, industry stakeholders will need to prioritise robust and resilient cybersecurity measures as vessels become more connected and autonomous, ensuring that these innovations are well-protected.