How the uptake of Internet of Things (IoT) technology by shipowners and operators is leading the industry towards consequential cyber-risk exposures

Internet of Things (IoT) is rocking the boat. As a system of interconnected devices, mechanical and digital machines, it is enabling us to automate systems and processes and unlock efficiencies in a way we never would have thought possible. These developments, which have been dubbed the »Fourth Industrial Revolution«, introduce a scale, scope and complexity that is removing the need for human-to-human or human-to-computer interaction, transforming not only the way we work but the way we operate as a global entity, including the public and private sectors, academia and civil society.

Shipping as epicentre

At the epicentre of globalisation, the shipping industry is crying out for ways to implement, through data-driven technologies, efficiencies in core processes such as real-time tracking of shipments, cargo optimisation, predictive asset maintenance, route optimisation and more.

The problem? More data, more opportunity, more risk. Shipping infrastructure and on-board technology is developing in pace, scale and variety of devices, which naturally increases the risk that traditional computing presents. Add in the fact that these devices are all interconnected and you’re left with a minefield of possible malicious exploitations and data protection issues that are enough to sink even the strongest of shipping organisations.

Given the scale of IoT implementations, we must now assume that risk could be systemic and the effects of an attack could propagate through the supply chain. This means the way maritime organisations approach risk also needs to change, and rapidly.

Unlocking efficiencies with IoT?

According to an Inmarsat Report on Industrial IoT, published in 2018, the maritime industry has adopted IoT solutions more than any other sector, with sources revealing that some of the leading maritime businesses plan to invest about 2.5 mill. $ per owner on IoT-based solutions in the next few years, with an expectation of achieving around 14% cost savings over the next 5-7 years. The same Inmarsat Report states that 25% of the maritime industry obtains health and safety benefits through IoT solutions, while 56% expect to do so in the future.

This is in line with what Nettitude, a Lloyd’s Register company, is seeing. Many of our clients are automating operations, proactively planning the maintenance of the equipment on board and looking at improving their cyber security across the supply chain.

The green agenda and restrictions on emissions are driving shipowners to monitor and optimise fuel consumption using IoT devices producing data that is then sent to the cloud for AI processing. In addition, predictive analytics have allowed for optimised transport by making more calculated route planning decisions.

An example of how sector-specific standalone applications can be efficiently integrated is offered by the i4 Insight Platform, which leverages the latest developments in machine learning and artificial intelligence to generate completely new insights on chartering, fuel consumption, vessel performance and predictive maintenance. This relies heavily on increasingly interconnected networks between the ship and shore, and also the ship and supply chain.

There are also faster and more reliable communications between components, where IoT is enabling new functionalities and interoperability. As an example, IoT enables shipowners and managers to deal proactively with maintenance, by monitoring components and machinery onboard and proactively planning in order to prevent potential failures and reduce downtime.

Evolving risk landscape

It’s hard to overstate the benefits that IoT brings to the maritime sector, namely streamlined communications, emissions tracking and a more reactive and interconnected supply chain. However, the industry needs to prepare for this transformation. Traditional cyber security risks evolve and scale up as IoT advances, and as they do so, the risk could become systemic due to the interconnectedness and the distributed nature of IoT architectures.

As industrial systems and their supply chains become interconnected, risks will become increasingly shared by organisations, equipment manufacturers, shipowners, ship operators and the other various stakeholders in the supply chain.

Maritime organisations are beginning to open up to these developments. However, without a thorough understanding of the security infrastructure required to cope with the sheer scale of IoT devices, existing risk assessment methodologies are unlikely to cope with the complexity and dynamism of IoT models, in which there is a need for more dynamic monitoring of risk through real-time data. Static snapshots will not be good enough to capture the rapidly changing network topologies and risk models of IoT systems.

Transformation needed

To harden the resilience of the maritime sector towards cyber-attacks, owners and operators need to transform their approach to risk, leave behind preconceived ideas of systematic monitoring and change the very behaviours that govern the integrity of our organisations. How can we approach this mammoth task? After working with a number of maritime organisations, our cyber security experts recommend taking a glass half empty approach: Assume the worst. Expect a bad outcome. And plan to fail.

The most effective approach is to drop all connotations of »business as usual« and disrupt the way we approach risk mitigation. A strategy for the future should »assume failure« as a basis for developing a cyber security strategy, »assume insider threat« within systems and supply chains, and assume the risk could be systemic and the effects of an attack could propagate through the supply chain. In this sense, recommendations are:

Documented goals and objectives: Set out to the whole business what the end game looks like. As boundaries of IoT infrastructures become increasingly dynamic, owners and operators must think about what they are protecting, from what threats and its importance to the organisation. Define the services, assets and things that need protecting and in what way, and then describe the objectives from a business impact perspective.

Well defined Governance Committee: Who will oversee and measure the progress and current state of security posture, in such an extended ecosystem? The organisation’s Governance Committee needs to be able to challenge, provide the checks and balances to the operational state and have the power to test contingency plans and verify outcomes.

Clearly defined and communicated risk appetite & priority: Define a clear risk preference or appetite for the organisation. What level of risk is tolerable and what is unacceptable? And what needs to be transferred to the supply chain?

Strong oversight & reporting: Define the dashboards, the metrics/KPIs and the measurements that test the goals and objectives. Defining the right things to measure can be one of the hardest tasks to get right. Ensure the technical output can be translated into business outcomes.

Resources & budgets: Make budget and resource decisions based on the goals and objectives required.

Education & commitments: Get buy-in from the business, including managers and team members, in order to ensure ownership, accountability and belief.

Elisa Cassi, Product Development Manager, Nettitude / Lloyd’s Register