[The excerpts below are from the book Maritime Cybersecurity: A Guide for Leaders and Managers, published in early September.][T]hreats must be put into context. The figure [below] shows the light configuration of a vessel that you do not want to see steaming towards you at night. Not only is this ship coming towards you head-on, it suggests that you are already in very dangerous waters, per Rule 27(f) in the Navigation Rules.
While this portrayal has a certain element of dark humor to it, it is also analogous to real life. When a ship is in a minefield, what is the real problem? Is it the threat of hitting a mine, or is it the vulnerability of the ship to the damage caused by the explosion? During the early days of the Battle in the Atlantic during World War II, Germany deployed magnetic mines against the British. The mines rose from the seafloor when they detected the small change in the Earth’s magnetic field that occurred when a steel-hulled vessel came within range. The British, upon discovering this mechanism, took countermeasures to effectively degauss their warships. This change eliminated the mine’s ability to exploit the ship’s magnetic field and, at least temporarily, obviated the threat. The vulnerability of the ship to a mine was not eliminated, but the exploit was defeated.
In cyberspace, we can’t control where the mines are, but we can control our susceptibility to getting hit by one and the subsequent damage that could result.
This leads to the following general truth about cybersecurity:
Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities (weaknesses), you’ve got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus, you might even be OK if you get the threats all wrong. But if you focus mostly on the threats, you’re probably in trouble.
Threats are a danger from someone else that can cause harm or damage. We might or might not be able to identify a potential threat, but we cannot control them. Vulnerabilities are our own flaws or weaknesses that can be exploited by a threat actor. Indeed, not all vulnerabilities can be exploited. We are—or should be—able to identify our vulnerabilities and correct them.
While we cannot control the threats, we should be knowledgeable about the threat landscape and have an idea of threat actors who might wish to do us harm, but we should not obsess over the threats while planning a cyberdefense. Instead, we should look inward at our own systems, seek out the vulnerabilities, and plug the holes. New threats always emerge, but that doesn’t change the strategic importance of fixing our own vulnerabilities.
Ironically, there is a corollary to this maxim: “Identifying threats can help get you funding while identifying vulnerabilities probably won’t.” Almost all cybersecurity professionals have gone to management to seek funds for an emergency update to hardware or software, just to be told that fixing a vulnerable system can always wait until the next budget cycle. Conversely, when management sees a memo from IMO or USCG, or a warning from an ISAC/ISAO, that highlights a credible threat directed at that same hardware or software, it’s remarkable how quickly the funds become available.
A common but mistaken belief at the leadership level of many organizations, both within the maritime industry and beyond, is that the responsibility for protecting information assets lies within the technology ranks. To those who subscribe to that belief, let us share the following: Anyone who thinks that technology can solve their problems does not understand technology or their problems.
Cybersecurity—or, arguably more properly, information security—is not merely, or even primarily, the responsibility of the IT department. Everyone who comes in contact with information in any form has the responsibility to protect it and, further, to recognize when it is under attack—and take whatever action is required to defend it, including reporting suspected attacks to the appropriate defensive agencies within the organization. Ultimately, it is the responsibility of a designated Chief Information Security Officer (CISO) to manage the cybersecurity posture of an organization. That posture includes the creation of a sense of urgency and awareness around cyberthreats at every level of the organization.
It is also important to recognize that IT and cybersecurity professionals have different—albeit often overlapping—skill sets. IT professionals keep networks running and resilient, and provide services and application to the users; cybersecurity professionals defend these assets.
——————————————————–[We wrote this book for] the maritime manager, executive, or thought leader who understands their business and the maritime transportation system, but is not as familiar with issues and challenges related to cybersecurity. Our goal is to help prepare management to be thought and action leaders related to cybersecurity in the maritime domain. We assume that the reader knows their profession well, knowledge that will help to provide the insight into how cyber affects their profession and organization.
Chapter One (The Maritime Transportation System, MTS) provides a broad, high-level overview of the MTS, the various elements within it that we’re trying to secure, and the size and scope of the challenge. Chapter Two (Cybersecurity Basics) offers terms, concepts, and the vocabulary required to understand the articles that one reads and the meetings that one attends that discuss cybersecurity.
The next three chapters describe actual cyber incidents in various domains of the MTS and their impact on maritime operations. Chapters Three through Five address cyberattacks on shipping lines and other maritime companies, ports, and shipboard networks, respectively. Chapter Six (Navigation Systems) discusses issues relating to Global Navigation Satellite Systems (GNSS) and Automatic Identification System (AIS) spoofing and jamming, while Chapter Seven (Industrial Control and Autonomous Systems) presents cyber-related issues and the ever-increasing challenge of remote control, semi-autonomous, and fully-autonomous systems finding their way into the MTS.
Chapter Eight (Strategies for Maritime Cyberdefense) discusses practices that address cybersecurity operations in the MTS, including risk mitigation, training, the very real need for a framework of policies and procedures, and the development and implementation of a robust cybersecurity strategy. Chapter Nine offers final conclusions and a summary.
Author’s note: This book is intended to speak to all levels of members of the MTS, from executives, directors, and ship masters to managers, crew members, and administrative staff. Our hope is that it informs the reader to a higher level of awareness so that they can be more aware of the threats and be better prepared — at whatever level of their job — to protect their information assets.
Because the field is so fast moving, we also have a Web site — www.MaritimeCybersecurityBook.com — where we will post additional information.
Gary C. Kessler is a Professor of Cybersecurity in the Department of Security Studies & International Affairs at Embry-Riddle Aeronautical University. He is also the president of Gary Kessler Associates, a training, research, and consulting company in Ormond Beach, Florida.
Steven D. Shepard is the founder of Shepard Communications Group in Williston, Vermont, co-founder of the Executive Crash Course Company, and founder of Shepard Images.