Cybersecurity on Board: “Anyone Who Talks about Maritime 4.0 Has to Do Their Homework”

In the film “Tomorrow Never Dies,” terrorists divert a military ship from its course by manipulating the GPS signals. What was part of the fantasy world of British filmmakers in 1997 – the theatrical release date for the eighteenth James Bond movie – is a real threat a mere 20 years later. “GPS spoofing”, as it is known to the experts, is real, and researchers from the University of Texas provided impressive proof in 2013 when they diverted an $80 million dollar luxury yacht from its course without its crew noticing. What is new in cybersecurity in the shipbuilding industry? Ship builders, system integrators and shipping companies are enthusiastic about the new opportunities that Maritime 4.0 offers. To find out if the sector ready for this, and what still needs to be done, we spoke with Professor Karl-Heinz Niemann from the University of Hanover.

Prof. Karl-Heinz Niemann, PhD in Engineering

Professor Niemann researches and teaches in the Department of Electrical Engineering and Information Technology at the University of Hanover. He represents the academic fields of process information and automation technology and lectures on integrated automation, industrial bus systems, process interfaces and energy efficiency. His core research focuses on cybersecurity in production systems, particularly in the context of Industry 4.0. In addition, Professor Niemann leads a think tank on IT security at the SME 4.0 competence center for Lower Saxony and Bremen and is active in various working groups for the Profibus Users Organization and the Association of German Engineers.

Prof. Karl-Heinz Niemann, PhD in Engineering

The device which the Texas researchers used to trick the navigation system of a luxury yacht was about as large as a briefcase. The 65-meter long yacht had two GPS receivers and was still spoofed. The Texans simply generated a GPS signal and increased the signal strength until the receivers on board switched to the transmitter. What does this scenario mean for you as an expert in cybersecurity?

That there is much more work to be done. There is still a lot of ground to make up in cybersecurity in automation. While everyone else is thinking ahead to Industry 4.0, we still have to do the homework assigned for Industry 3.0 – existing systems need to be toughened up.

You are talking about automation technology. In your opinion, is there a difference between industrial automation and the automation aboard ships?

I think that the maritime sector is set up just as well, or poorly, as any other sector when it comes to cybersecurity. Your example of the luxury yacht finds many parallels in other sectors. Off the cuff, I can think of a blast furnace which was idled by a cyber attack. Blast furnaces are process technology systems that usually run for several years without any interruptions. The externally initiated stoppage ultimately caused a complete loss. The effects of cybercrime are serious everywhere they appear. To this end, I see no sector differences in the current level of implementation of cybersecurity – nor in the importance of dealing with the topic and the risks that arise from it.

What can companies do to ensure cybersecurity? What homework would you assign?

It is imperative that operators prevent attackers from simply linking into a network. They should, however, consider that not all external connections are bad; they simply have to secure them correctly. In this context, it’s undoubtedly a question of settings.


» There are always people who want to explain to you that their system has no connection to the rest of the world and that cybersecurity thus has no relevance for them. Do not believe them! «

Prof. Karl-Heinz Niemann, PhD in Engineering

What do you mean by that?

There are always people who want to explain to you that their system has no connection to the rest of the world and that cybersecurity thus has no relevance for them. Do not believe them! There is always a connection somewhere. The more comprehensive homework we have to complete, in my opinion, is establishing sensitivity for the relevance of cybersecurity for different parties in the maritime industry. At what points in daily life do these professionals come into contact with security breaches, and which do they generate unintentionally?

Do you mean, for example, the common practice on container ships, where a cargo master enters his or her cargo data into the ship’s system using a flash drive written on land?

That is the exact type of case. Flash drives should never be used. Despite this, the practice is routine, even though it is an obvious weak point in security – at least if there is no quarantine area for imported data.

Is cybersecurity a problem that only the ship’s crew should deal with? Who is responsible, in your opinion?

The people in operations on board are, without doubt, potential weak points for any IT installed on board; unfortunately, they usually have no ability to recognize the sophisticated attacks on their systems. Therefore, it is important that shipping companies establish processes and methods, and then formulate a commitment to managing cybersecurity. With regard to the container ship in your example, a protocol would be established for the next time that someone stands on the bridge with a flash drive in hand.


» In terms of cybersecurity, we deal less in terms of methods than with a corporate strategy which trickles down from management – and everyone has to be prepared to expend some effort on this. «

Prof. Karl-Heinz Niemann, PhD in Engineering

Then you see management as responsible.

True. In terms of cybersecurity, we deal less in terms of methods than with a corporate strategy which trickles down from management – and everyone has to be prepared to expend some effort on this. It is imperative to define authorizations, monitor accesses and establish emergency plans in the event of a complete data loss. It no longer suffices to lock control cabinets against unauthorized access using a square key.

What we need is defense in depth, like a knight’s castle. First, the fence protects the facility property, then there are access limitations on specific rooms, followed by regulations regarding specific cabinets.

A castle is, however, quite stationary. So you see the need for special measures regarding ships?

Compared to land-based applications, there are indeed new challenges and points of threat for ships – particularly due to the additional electronics that are on board. These include, for example, navigation, tracking and collision warning systems. This is equipment that is necessary for the ship’s safety. In addition, no ship is an island, regardless of what anyone thinks. Indeed, many of these additional systems establish external connections and thus offer attack points for manipulation. Just like the scenario you described at the beginning of our discussion.

This sounds as if the advancing digitization on board is presenting a host of new problems for cybersecurity.

That is also true! Industry 4.0 is establishing additional communication links, because companies are configuring their data flows to be consistent. Due to the horizontal and vertical integration, existing isolation concepts are no longer sufficient as a component of in-depth defense. The new demand is for IT Security by Design. This is when functions of cybersecurity are integrated from the start into the configuration of a layer-based security architecture in the controllers.

Does this path impact approvals for maritime technology? Do the classification agencies need to consider cybersecurity in their certifications based on the explosive nature of the problems you have described?

I am convinced that those agencies are already working on this topic – especially as there is a need to catch up with regard to cybersecurity in the maritime sector. As I said, to create a functional defense in depth, we have to complete our 3.0 homework – for me, this is a compelling prerequisite in order to implement the ideas that are under development for Maritime 4.0.

Your contact person at WAGO

Additional service offerings: