Fighting cyber-vulnerabilities with immersive training

Ports, ships and workers are increasingly vulnerable to cyber-attack from criminals and malevolent state actors. Immersive new approaches to training aim to protect the industry for years to come

From the NotPetya worm attack on Maersk in 2017, which led to reported losses of up to $300m for the shipping conglomerate, to reports that the Port of Los Angeles contends with 40m ransomware, malware and spear-phishing incidents each month, it’s clear that the maritime sector faces a serious cyber-threat. It is not just the industry’s IT infrastructure that is under threat – its operational technology (OT), which governs physical assets such as switches, safety and navigation systems, is also increasingly vulnerable to cyber-attack. It is this OT vulnerability that keeps cyber-professionals awake at night – recent research by DNV found that more than six in 10 industry professionals expect cyber-attacks to cause ship collisions (60%) and groundings (68%) within the next few years, and more than half (56%) expect these to result in physical injury or death.

Serious incidents also risk pollution of waterways, geopolitical conflict and massive financial losses. Three-quarters of the industry professionals surveyed by DNV expect a cyber incident to force the closure of a strategic waterway in the next few years – which, as shown by the blockage of the Suez Canal in 2021, can lead to global supply shocks as billions of dollars of cargo are delayed.

Cyber expert Dr Rory Hopcraft, SIMarEST and lecturer in cyber security at the University of Plymouth, says the industry represents “low hanging fruit” to cyber-criminals and malevolent state actors.

“It’s quite vulnerable,” says Dr Hopcraft, pointing out that the industry’s recent surge in online connectivity has massively increased the attack surface, as once insulated operational systems are networked and connected to improve efficiency and safety at sea. Often, these vulnerabilities are most acute at the human-digital interface, when mariners fall prey to a phishing email, for example, or are bribed or blackmailed to plug in malicious software.

The push towards autonomous shipping and unmanned vessels could address the risks inherent in the onboard human-digital relationship. But automation is no silver bullet, cautions Dr Hopcraft.

“Fully autonomous fleets are being designed with cyber in mind, which will improve security,” he says, “but the existing fleets will still have another 30 years to run.”

This two-tier system poses new risks. As the existing shipping fleet is increasingly retrofitted with new sensors and AI tools, mariners are not necessarily being given the training to ensure these plug-ins are properly monitored, maintained and managed. Shore-based cyber-training often falls short because it doesn’t accommodate the unique circumstances of being at sea, where traditional IT support processes may be inaccessible and crews may have their own cultural and linguistic barriers to understanding. Each ship and each voyage may bring its own risk profile – whether it is GPS spoofing to trick a ship into disputed waters, or a uniquely complex OT-IT interface.

Research by Dr Hopcraft has found that cyber awareness in the sector is low, which could have a long-term impact on situational awareness. Mariners often put too much trust in digital aids, or lack the necessary skills to validate information.

There is a real need for immersive technology, he says, using cloud simulations that can be accessed while at sea to equip seafarers with the cyber awareness and skills they need to navigate the digital future.

“In the Cyber-SHIP lab at Plymouth, using AR, VR and digital modelling, for example, we can simulate what a cyber-attack might look like on their exact vessel, and ‘gamify’ it, so that even seafarers who aren’t technically minded can learn about the technology, understand its risks and what to do in an incident,” says Dr Hopcraft.

And as autonomy in the fleet increases, seafarers will have to develop new skills, including multi-ship management, validating the outputs of smart tools, and maintaining situational awareness even when deprived of real world sensory data. They will need to understand the unique risks of plying the same waters as fully autonomous vessels, and have the skills and awareness to safely straddle the digital and analogue worlds for many years to come. Using innovative training technologies to address this ever-changing configuration of risks must be prioritised if the cyber-threats so feared by the industry are to be effectively addressed.