Posted: 15 Apr. 2021

Just one system on one ship? Estimating the cyber impact of OT

As we sit here with our social media feeds no longer fuelled by memes of a stricken cargo ship, run aground and blocking the all-important trade route through the Suez Canal, how many of us are still thinking about it? Our team of industrial cyber security specialists still are. Why? Although we know it is unlikely, a power system outage at a critical moment such as this leaves a ship at the peril of the wind and the sea. This example shows that such incidents can lead to significant impact both to the company and to the global economy.

Different reason, same outcome

We have had many conversations over the years on this topic in the world of industrial control system (ICS) cyber security. It generally comes down to this: a full system outage, with loss of control or loss of view, at the wrong time or in the wrong place, could lead to a major impact, safety or otherwise. It seems simplistic, but here we see it in effect. We are not saying this incident was cyber-related. However, when direct, indirect or accidental cyber causes are a factor, the impact to systems can be the same.

The control system engineers among us know that these issues are never the result of one event, but of a series of systematic failures; recognising this is part of managing safety risk. The reports on this incident also indicate this: the wind and tide led to the grounding, but technical and procedural issues are likely a factor in those elements having the final say. It is currently indeterminable where responsibilities fall between shipowners and operators; until the safety investigations are concluded we won't know what the underlying causes were.

New maritime regulation is now in force

Cyber security risk has been under the attention of the maritime industry for a number of years, given it is a critical factor in operational resilience and safety. As is typical across industrial sectors, the uptake has been slow. International Maritime Organisation (IMO) regulations and cyber security guidelines have now come into force, as of 01 January 2021. The Maritime Security Committee Resolution MSC.428(98) outlines the relationship between the International Safety Management (ISM) Code and cyber security, recommending that cyber risk is to be managed as part of the Safety Management System (SMS). Inclusion of cyber security within the ISM Code means that, without action, ship operators could lose their licence to operate. They must demonstrate at their first Document of Compliance audit after this date that cyber security risk to their critical operational systems, such as navigation, propulsion and communication systems, is being managed.

In order to demonstrate compliance, relevant network architecture and vessel information must be documented, risk assessments carried out and appropriate risk mitigation implemented to reduce risk to an acceptable level. Ship cyber security requires making risk-based decisions for an environment where both safety and organisational cyber security risk must be addressed, while balancing the considerations of on-board and onshore infrastructure and operations, third-party support contracts, and vessel administration. This is complicated.

Many industries are challenged by cyber security legislation

Similar to the maritime sector, many industries have followed an iterative approach, such as those responding to the EU's NIS Directive (Directive on security of network and information systems). It can mean that not enough investment has been made over the years and suddenly catch-up is required. This puts pressure on the operations teams to deliver rapid results in an area that is not their core domain. It can also mean that operational teams need to communicate the importance of their operations to the business. It may sound straightforward, yet we see industrial organisations in many sectors challenged by this.

Business impact assessment is a tool used to consistently evaluate assets, to prioritise investment and to ensure that the business focuses on what is most important. In general, for a ship owner and operator managing its fleet, does one single ship's critical operational system get the attention required? Does a Master get the required support for the accountability he now has? The same questions apply to manufacturing and other production or distribution sites.

One system or one asset, global impact

One industrial control system failure could lead to millions of dollars of impact, as shown by this recent event, which will likely carry high costs for blocking this major trade route for a week and holding up 50 ships a day from moving their product through the complex supply chain. The organisational liabilities are not yet defined: the canal operator may impose fines, customer shipping penalties may exceed insurance, and the company has had its reputation affected. In addition, there will be other costs incurred, such as salvage operations, investigations and crew disruption. A Master has accountability for the safety of the vessel and the environment, even if the ship is piloted by others and uses tugs to reduce the likelihood of the ship causing disruption. This is also true for cyber security risk, even if the organisation has not been taking steps to mitigate risks in this area and the crew, or plant managers, have limited control over management of the increasingly integrated systems.

Potentially, a system failure on one ship has had an impact on global shipping and trade. Beyond the significant cost to the shipping companies, will we ever know the full extent of the impact, not only on organisations but on wider society? Furthermore, this incident is now driving discussions of new shipping routes through the Arctic, moving the question from the financial to the geopolitical. The impact of losing these systems has gone beyond what even those in the industry imagined in a desktop exercise!

Why this is relevant to you

This is a real scenario, where one industrial asset has had a major incident with far-reaching consequences. We often find that industrial assets, and their critical supporting systems, are further down the cyber security risk prioritisation than they should be.

We urge those running cyber security programmes in industrial organisations to review their impact assessments: are their critical systems truly getting the attention needed? On-board systems have long been a target of adversaries, yet we see here that the potential impact can be much greater than even those in this industry understood it to be.

Key contact:

Anna Burrell

Director

Anna specialises in cyber security within the industrial environment, having over 20 years' experience as a CISSP-qualified cyber security consultant with prior experience as an Industrial Control Systems (ICS/SCADA) engineer. For public and private sector organisations she has delivered national cyber security guidance, global strategy and technology solutions. She leads assessment and strategy, delivering risk remediation and architecture to integrate Information Technology (IT) and Operational Technology (OT) across the industrial sector, and enables business transformation and operational improvement. She worked extensively at all lifecycle stages prior to specialising in securing critical infrastructure and operational technology, applying her skills within the rail, manufacturing, water, oil and gas, energy and maritime/shipping industries.

Rob Hayes

Director

Rob is the UK cyber lead for Emerging Technologies, which includes Operational Technology (OT), Industrial Control Systems (ICS) and Internet of Things (IoT). Rob has over 25 years of experience in strategy and transformation in industrial cyber security, including ICS, SCADA and OT. He has advised global, national and government organisations responsible for critical infrastructure in the maritime/shipping, oil and gas, energy, nuclear, transport, manufacturing and engineering sectors. Rob specialises in using his experience in IT/OT integration to deliver business transformation programmes that provide significant benefits to core operations, such as cost reduction, process optimisation and improved health and safety. These initiatives include digital oilfield, smart grid, and digital rail and shipping.

Bia Bedri

Partner

Bia is a partner in our Cyber Security practice. She joined Deloitte in 2020 to drive focus and growth in Energy, Resources & Industrials (ER&I). Bia brings 22 years' industry experience, 15 of which were in the Big Four, working with clients leading cyber transformation programmes that enable them to effectively manage emerging cyber threats, cyber risk and regulatory expectations whilst delivering business objectives, innovation and growth.