Link Search Menu Expand Document
Publications
  1. Introduction

Introduction

Ships today are quite complex systems to design, build and maintain throughout their life-cycle. Contemporary sea-going vessels are equipped with a wide variety of technologically advanced systems and are associated with an extremely high level of automation. It is a rather selfexplanatory fact that the continuous improvement and integration/interconnection of electronic systems (most commonly termed as the “network-centric” approach), have created a rather different operating environment for the shipping industry, when compared with the prevailing model of just two decades ago. At that time, the exploitation of data exchange between interconnected equipment and systems on vessels engaged with maritime transport tasks, was relying mainly on stove-piped architectures and applications. However nowadays, the issues of connectivity and interconnection are clearly standing out when examining the prevailing trends in ships’ design and equipment. Furthermore, easy access to various computer systems, and quite often in the so-called “remote mode”, is holding a pivotal role during the conduct of operations -both on board a modern ship, as well as in relation to an extended number of related activities ashore, with indicative examples in this domain being provided by various remote sensing and maintenance tasks (Dalaklis et all, 2020).

The seas and oceans of our planet are now well integrated into the Internet (most often via satellite support); this global coverage has provided the opportunity for shipping companies to reduce costs across supply/demand chains, improve customer services, and even redefine their way of conducting operations. Modern ships are being transformed into “remote offices at sea”; applications like voice over IP (Internet Protocol), email and instant messaging are now used on-board contemporary sea-going vessels on a daily basis. However, this new and “interconnected world” that is also strongly associated with an on-going digitalisation trend within the maritime industry itself is simultaneously associated with very significant risks, which in case they are not effectively and timely addressed, can result into really devastative outcomes. On the positive side and with a quite forward looking approach, during July 2017, the International Maritime Organization (IMO) already approved Guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) in order to provide high-level recommendations on maritime cyber risk management, to safeguard shipping from current and emerging cyber threats and vulnerabilities. The adoption of Resolution MSC.428(98), which brought the importance of Cyber Security to the forward of attention, is also clearly standing out.

The European Union’s Agency for Cybersecurity has already pointed out that the contemporary heavily industrialised world is constantly changing, including the introduction and/or further modification of technologies and associated business models that are needed to adapt towards “new” and evolving market requirements (ENISA, 2014). One of the most transcendental adaptations that the maritime transport industry is currently experiencing is the convergence between Operations Technology (OT), the operations needed to carry out the industrial processes, and Information Technology (IT), the use of computers to manage data needed by the organisation’s enterprise processes. This convergence has many advantages (optimisation of operations, better use of resources, cost savings, etc.), but on the other hand it increases the need for cyber security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Initially, SCADA systems were used mainly in power transmission, gas pipeline and water distribution control systems. However, in recent year their use has expanded significantly and nowadays they are found extensively on-board ships. SCADA systems stand out among other ICSs, as systems that (1) monitor and control assets distributed over large geographical areas, and (2) use specific control equipment such as a Master Terminal Unit (MTU) and (various) Remote Terminal Units (RTUs) and are therefore exposed to cyber security risks (Cherdantseva et all, 2015). The Control Systems framework and the technical components of the basic SCADA structure are presented in Figure 1. Created by the authors, via adaption of certain slides from the presentation: Woudenberg, B. (2012). SCADA Right Now, Retrieved from https://slideplayer.com/slide/5703843/ June 2021

Use and technical components of a SCADA system. Figure 1. Use and technical components of a SCADA system.

Control systems on board ships collect sensor measurements and data from various operational activities and display all the relevant information; they also facilitate relaying of control commands to local or remote equipment. Distributed control systems (DCS) are typically used within a single process or generating plant; SCADA systems are most often used for largerscale environments. Security in general and cyber security specifically were not the major concerns of early standalone maritime SCADA systems. Security was primarily achieved by controlling physical access to system components, which were unique and used proprietary communication protocols (Cherdantseva et all, 2015). For many years, security in SCADA systems was viewed as just an implication of safety. Over the last decade, however, the situation has changed, and that paradigm is not valid in the contemporary “well interconnected world”. It is indicative of the fact that numerous standards/directives dealing with the cyber security of SCADA systems have emerged, as an initial response to the specific need. In any case, this aforementioned convergence between OT and IT, which affects hundreds of thousands of industrial systems worldwide, implies that professionals with knowledge of cyber security for ICS/SCADA will be needed. However, currently, there are very few professionals with the proven skills available to do this work. Following a rather simplistic qualitative approach, characteristics of maritime SCADA cyber security are discussed first and related training needs are identified next. The main aim is to identify the “right” pedagogical approaches which can be deployed in order to train seafarers in risk assessment, prevention and mitigation strategies related with maritime SCADA cyber security risks.

Table of Contents