Interview
Cybersecurity on Board: “Anyone Who Talks about Maritime 4.0 Has to Do Their Homework”

In the film “Tomorrow Never Dies,” terrorists divert a military ship from its course by manipulating the GPS signals. What was part of the fantasy world of British filmmakers in 1997 – the theatrical release date for the eighteenth James Bond movie – is a real threat a mere 20 years later. “GPS spoofing”, as it is known to the experts, is real, and researchers from the University of Texas provided impressive proof in 2013 when they diverted an $80 million luxury yacht from its course without its crew noticing. What is new in cybersecurity in the shipbuilding industry? Shipbuilders, system integrators and shipping companies are enthusiastic about the new opportunities that Maritime 4.0 offers. To find out if the sector is ready for this, and what still needs to be done, we spoke with Professor Karl-Heinz Niemann from the University of Hanover.

Prof. Karl-Heinz Niemann, PhD in Engineering

Professor Niemann researches and teaches in the Department of Electrical Engineering and Information Technology at the University of Hanover. He represents the academic fields of process information and automation technology and lectures on integrated automation, industrial bus systems, process interfaces and energy efficiency. His core research focuses on cybersecurity in production systems, particularly in the context of Industry 4.0. In addition, Professor Niemann leads a think tank on IT security at the SME 4.0 competence center for Lower Saxony and Bremen and is active in various working groups for the Profibus Users Organization and the Association of German Engineers.


The device which the Texas researchers used to trick the navigation system of a luxury yacht was about as large as a briefcase. The 65-meter-long yacht had two GPS receivers and was still spoofed. The Texans simply generated a GPS signal and increased the signal strength until the receivers on board switched to the transmitter. What does this scenario mean for you as an expert in cybersecurity?

That there is much more work to be done. There is still a lot of ground to make up in cybersecurity in automation. While everyone else is thinking ahead to Industry 4.0, we still have to do the homework assigned for Industry 3.0 – existing systems need to be toughened up.

You are talking about automation technology. In your opinion, is there a difference between industrial automation and the automation aboard ships?

I think that the maritime sector is set up just as well, or poorly, as any other sector when it comes to cybersecurity. Your example of the luxury yacht finds many parallels in other sectors. Off the cuff, I can think of a blast furnace which was idled by a cyber attack. Blast furnaces are process technology systems that usually run for several years without any interruptions. The externally initiated stoppage ultimately caused a complete loss. The effects of cybercrime are serious everywhere they appear. To this end, I see no sector differences in the current level of implementation of cybersecurity – nor in the importance of dealing with the topic and the risks that arise from it.

What can companies do to ensure cybersecurity? What homework would you assign?

It is imperative that operators prevent attackers from simply linking into a network. They should, however, consider that not all external connections are bad; they simply have to secure them correctly. In this context, it’s undoubtedly a question of settings.


What do you mean by that?

There are always people who want to explain to you that their system has no connection to the rest of the world and that cybersecurity thus has no relevance for them. Do not believe them! There is always a connection somewhere. The more comprehensive homework we have to complete, in my opinion, is establishing sensitivity for the relevance of cybersecurity for different parties in the maritime industry. At what points in daily life do these professionals come into contact with security breaches, and which do they generate unintentionally?

Do you mean, for example, the common practice on container ships, where a cargo master enters his or her cargo data into the ship’s system using a flash drive written on land?

That is the exact type of case. Flash drives should never be used. Despite this, the practice is routine, even though it is an obvious weak point in security – at least if there is no quarantine area for imported data.

Is cybersecurity a problem that only the ship’s crew should deal with? Who is responsible, in your opinion?

The people in operations on board are, without doubt, potential weak points for any IT installed on board; unfortunately, they usually have no ability to recognize the sophisticated attacks on their systems. Therefore, it is important that shipping companies establish processes and methods, and then formulate a commitment to managing cybersecurity. With regard to the container ship in your example, a protocol would be established for the next time that someone stands on the bridge with a flash drive in hand.