John Jorgensen, director of IT security at classification society ABS, writes exclusively for Splash.
Until very recently, many ships and offshore platforms operated their entire working lives using only the safety features that were installed during construction. Their mechanical systems perform certain sets of functions that can be regulated and monitored by crews who possess complete knowledge of the systems and their interactions.
But times are changing. The historically slow pace of technology adoption is moving rapidly as the greater use of automation becomes more practical and cost effective. As the shipping industry moves towards deployment of highly instrumented, automated and connected smart ships, unforeseen technical problems and risks have emerged.
Over the past 20 years, while a ship’s lifecycle requirement and system configuration have remained broadly the same, many elements of equipment now have shorter timelines for modifications and updates. Integrating automation has brought programmable systems and software, both of which provide much greater capability.
As hull, mechanical and electrical standards for ship systems are supplemented with automation, the functional capabilities of their host marine assets are being transformed into complex, interactive ‘systems of systems’ that might be classified as hull, mechanical, electrical, computers and sensors.
Typical ship or platform requirements these days must include the functions and considerations associated with software-intensive systems. Lifecycle requirements, once largely based on finite numbers of improvements or replacements to hull machinery and equipment resulting from long technology evolution cycles, now must include software updates and upgrades.
For reasons of cost control, asset owners commonly seek rapid and measurable value in return for software updates because the updates rarely are associated with physical construction or dry-docking. The lack of value recognition can result in operational systems not being updated, especially if updates are out of sync with asset maintenance cycles or if costs are incurred at unexpected times.
The advent of smart ships brings with it a significant rethinking of these assumptions. The reality of automation growth is that increasing interconnections come at a time of greater hazard, whether through malicious code, malevolent actions or imprudent care and maintenance.
Growing dependence on software for ship control, increases in control system integration and connectivity to onshore monitoring systems have made cybersecurity a serious issue for both conventional and smart ships.
The critical issue is that the crew likely has little knowledge and understanding of changes being made by the software vendor or equipment manufacturers. The usual means of alerting the crew of equipment malfunctions or developing problems have been transformed into more comprehensive and information-rich reporting and prompts that serve the needs of integrated systems.
As the industry continues to automate, there will be greater pressure on OEMs and shipyards to design ships and platforms in which the system architecture is well defined, documented and communicated so informed decisions can be made before and during modifications. Better system architecture and engineering should require that the vessel is delivered with a documented process in place to easily and securely permit security updates.
The role of class in the smart ship concept, as with all new technical developments, is to apply its technical competence and industry-wide experience to determine the risks and hazards and to provide a framework for practical and appropriate safety infrastructure without unduly restricting the potential for progress.
The maritime industry will continue to innovate in its efforts to derive benefits – both obvious and as yet unimagined – from the interconnection of cyber-enabled systems. In the meantime, it is likely that early adopters as well as regulators will seek some formal assessment that accompanying risks also have been evaluated and considered acceptable.
Earlier this month, ABS published the first in a series of cybersecurity guidance notes, downloadable here.