Part 1 in a series by Chris Blask and Mark Bentley
Thousands of years ago, our earliest ancestors discovered they could literally walk on the water, rather than being swept along by tidal forces outside their control. That moment when the first of us stood slowly drying on that first log – perhaps holding it still against the flow of a river, or maybe floating along the shore of an ancient sea – those first mariners took control of their environment, and with it, marked the beginning of humanity’s development of industrial control systems. That momentous discovery of being able to travel on the water pushed back our horizons and started ripples that follow us to this day.
The sharp point of industrial infrastructure was as clear in that first moment when that first individual clung to a log as it is today with flotillas of half-million ton ships at sea, as well as with other critical infrastructures, such as our use of national power grids. In each case, from then to now, choices made by the operators of these systems pose potentially severe life consequences simply due to the nature of the environment being controlled. So in today’s world of massively converged infrastructures consisting of exponentially more components and connections, it is worth pondering the critical issues humans have been wrestling with since that very first captain of that very first vessel set out on the open water.
Not long after the first logs were carved into the first boats, the operational security challenge of not dying on the water became intermixed with the adversarial security challenge of not being killed on the water. However, vessels of work and vessels of war both faced a common adversary more bent on their destruction than any human foe: the waters themselves. Taking control of a hostile environment such as the ocean requires a primal marriage between the desire to master the environment with the imperative to protect the lives of those who work and live there.
Once the systems we build to sail the seas leave shore, and with it the safety of a place from which to watch and respond to any failure, our very lives are the stake. As a result, those who build these systems have a legendary incentive to succeed.
Four Critical Marine Systems That Require Advanced Security
Marine Systems Security is the latest example of this imperative. It envisions smart water vessels filled with technology designed to save lives, money, marine life, as well as the boats themselves. And because we live in a world of increasing interconnectivity between people and systems, it requires – and even exacerbates – an equally critical imperative: the need to also include security to protect people, vessels, and systems against both deliberate compromise as well as accidental misuse.
For our purposes, marine systems can be divided into four general areas:
- Marine Living: Life on the water is booming today thanks to a number of converging factors, including the high cost of housing in coastal areas, the appeal of on-water living and vacationing, and the growing Tiny House movement.
- Private Vessels: There were more than 15 million in the U.S. in 2016, with nearly a decade of consecutive growth in the sale of recreational boats.
- Commercial Shipping: Ocean going shipping facilitates 90% of the world’s trade, plying the oceans with valuable cargo and complex, always-on industrial control systems.
- Military: The military, particularly the U.S. Navy, is charged with policing the global commons and responding to adversaries on an annual budget of almost $200 billion.
All four areas of marine systems are already intensely safety conscious, with many users skilled in primitive safety maneuvers. For centuries, when hurricanes threatened Cuba, many Cuban fishermen sink their boats, knowing the safest place during a hurricane is ten feet below the surface where it is immune to destructive winds and waves. Today, we can replicate that behavior by designing unmanned vessels that are autonomously aware of their environment, and can sink themselves for the duration of a storm then rise again when the seas subside.
The goal of marine cybernetics should be to replicate, in digitized form, what has always been a sailor’s duty: save the lives and goods above the water. And now we can extend that commitment with applications that not only secure the marine world but hold promise and lessons for those ashore as well.
Of the four marine sectors, Marine Living offers perhaps the most insightful and overlooked area of marine cyber development. As housing prices skyrocket in coastal cities, ordinary citizens are setting up house at sea, where these “liveaboards” can reside for 50% to 75% less than they can ashore. High hotel prices in tourist-dense coastal areas are also spurring the on-water private rental boom. Vessel owners offer everything from spartan hammocks on pontoons to luxury yacht stays, all with great views and seaside experiences for considerably less than hotels with poorer views and lesser access to the water.
Marine property management companies can expand this opportunity, with minor investment, by adopting lifesaving, energy-saving, and money-saving cybernetic systems which pay for themselves in a matter of months. These can range from on-board self-sustaining systems while at sea, and leverage smart grid technologies to provide better onboard services to units at anchor.
Cheap, strategically placed IoT water sensors, for example would alert owners, renters, and authorities to safety issues before they become critical. When guests are due to arrive, sensors tied together by integrated communications systems, such as Alexa or Goggle Home, could automatically set the temperature and lights, monitor the bilge, and ensure that consumables aboard such as water and fuel are topped off. Motion detectors would alert a distant owner that the vessel has slipped its mooring or is being taken on a joyride, and cameras can automatically record who comes aboard or leaves, when, and with what. Likewise, safety systems could take measures in the wake of a catastrophic event, such as ensure that mooring is secured, that exposed components are battened down, and even ensure that a boat has been vacated before potentially submerging it to prevent damage from a severe storm.
Private Vessel Owners
Private vessel owners face the greatest threats with the least resources. In a marina, they are vulnerable to bad weather, theft, and cyberattacks. Unmanned at anchor they can founder overnight with no warning. If a homeowner’s plumbing springs a leak, that’s a major inconvenience. If a boat springs a leak, however, people can die
Property damage is another concern. More than 63,000 recreational boats were damaged or destroyed as a result of Hurricane Harvey and Hurricane Irma, with a combined dollar damage estimate of $655 million, according to the Boat Owners Association of the United States – numbers virtually the same as Hurricane Sandy five years beforeAfter every major storm at sea, the Coast Guard has to salvage hundreds of abandoned wrecks. A GAO survey of 18 coastal states reported more than 5,600 abandoned and derelict vessels between 2013 and 2016. These wrecks endanger other marine travel, damage coral reefs, and pollute the waters. With the addition of some basic security and awareness technologies, those numbers could be significantly reduced.
Some owners, mindful of the value of their vessels, are connecting their onboard cameras, motion detectors, underwater sonar systems, and leak detectors to the National Oceanic and Atmospheric Administration (NOAA) to enable them to automatically navigate to safer waters as storms approach.
They are also adopting connected systems that relate to traditional seafaring activities. OpenCPN is an open source software package developed by and for blue water sailors to integrate digital navigation aids like charts and weather data with onboard systems. Software developers among the sailing community are extending OpenCPN to automate management of shipboard systems, opening the hatch to the careful addition of home and industrial automation systems already used on land.
Private vessels, especially recreational boats, are also responsible for impacting ocean life. Sea creatures large and small – manatees, sea otters, sea turtles, dolphins, whales – are regularly injured and killed by boat strikes in ever-growing numbers when boat owners are unable to detect their presence and take proactive measures to avoid them. There is clearly a need to link individual underwater navigation and sonar devices to regional systems so that, for example, an aggregation of manatees can be identified and monitored, and updates to boat navigation systems can be shared to avoid mishaps.
Initial systems will adapt over time to not only improve the accuracy of the data available – like land-based mapping and navigation systems that rely on aggregated data to provide constantly refined information to travelers. And as those data and systems are refined to meet the life-critical needs of private vessel owners, especially those remote and alone on deep blue waters, they will provide critical lessons for other marine and industrial sectors.
Commercial shipping’s massive vessels face their own unique hurdles, and on a leviathan scale: they are constantly on the move, pressured to reduce operating costs and increase speed, have little or no cyber support onboard, run rotating crews without cyber domain experience, and are subject to piracy at sea and physical intrusions against dockside cargo.
The U.S. Merchant Marine estimates that global piracy costs shippers between $4.9 and $8.3 billion a year. They are also subject to cyber-pirates, with the shipping giant Maersk suffering a recent cybersecurity breach that cost the company $200 to $300 million. And, on average, more than a dozen large ships, along with their crews, sink or disappear each year.
These vessels typically have automation systems in place that are seriously outdated by IT standards. For example, they often lack the communications encryption common in drier industries, and are further exposed to cyberattack through the smart devices deployed in their holds, their onboard operating systems, and even through smart devices carried by their crews. These concerns are heightened by the enormous liability and regulatory risks they are subject to.
As such, commercially operated ships are the primary crucible for developing connected systems that can endure the rigors of marine conditions as well as enable ship owners to capitalize on competitive advantages.
The world’s largest naval fleet, the U.S. Navy, is the most conspicuous example of advanced electronics on the water with laser-guided weapons systems, onboard robotics, encrypted inventory control, autonomous vessels, secure physical and cyber access and monitoring systems, and even virtual reality for fine-tuned navigation of air, land, and sea vessels. As a result, military conflict on the water is, simultaneously, both as primitive as our first log sailor and as advanced as any human endeavor in history. Regardless of mechanism, be it a Roman ram or guided attack drone, the physical result remains the same: Ships can be boarded by bad actors half a world away as effectively as Errol Flynn did in Captain Blood.
Because the Navy’s ships and sailors are exposed to massive threats on several fronts, its “fight tonight” commitment is in constant jeopardy. The threat of global conflict is constant. The waters in the Middle East and Asia are growing more dangerous, with aggressive encounters and provocations, while cyberattacks on its networks are relentless – to say nothing of exposure to dangerous weather conditions and the unique networking challenges of ships at sea.
In part to counter these threats, the Navy is now embarked on an ambitious, fleet-wide digital transformation necessary to maintain superiority on the digital seascape. A significant part of that transformation involves advanced cybernetic systems. As they apply these systems to the harsh marine environment, the Navy and its global peers are testing limits and experimenting with radical new ideas. What they discover and develop will be invaluable to the other three marine areas.
The Security Imperative
History tells us that when people discover that something valuable is also possible, they pursue it – risk or no risk. They climb Everest, they plan missions to Mars, and they explore the Marianas Trench. And iterative developments in technologies not only refine the process and success of these endeavors, but impact the rest of society, from the invention of Velcro to keep items in place in zero gravity, to warmer gear to navigate the harsh conditions of mountain climbing, to advanced GPS systems that allow boats to easily navigate when out of sight of landmarks.
Which says that as new valuable marine systems breakthroughs occur, they will be eagerly adopted and adapted as soon as they become available. Since early adopters tend to have a high tolerance for risk, the providers of these systems must be extra vigilant in rigorously embedding their solutions with the security and safety that the lives and fortunes of sea-goers depend on. Every aspect of cybersecurity – from decision support to threat intelligence, cloud computing to cryptographic zoning, artificial intelligence to autonomous operation – all must function together, just as a sailing ship’s sheets, shrouds, and rudder work together to guide it across an ocean and into safe harbor.
Marine travel is an inherently dangerous sector, demanding the greatest safety consciousness, and the healthy skepticism of those who go to sea is notorious. For those at sea and those on land, the value of marine cybernetic innovation will continue to push the technology envelope and expand the messages of cyber thought leaders. The promise of these breakthroughs, especially in terms of both physical and virtual security, goes far beyond the marine world, offering universal and powerful lessons for security practitioners in other sectors, especially in the increasing internet-connected Operational Technology sector where critical infrastructure systems are being exposed to new cyber threats. Sea-goers place their infrastructure – and themselves – at the mercy of the world’s winds and waves, often far from safe harbor or help, so they have exacting standards for security that others can benefit from.
If these cybernetics systems can secure the perilous marine world, they can secure anything.
For the foreseeable future, the dream of fair winds and following seas for all marine operators – whether the first-time owner of a 20-foot sailboat, the owners of a city-size container ship, or an admiral in the Navy – depends on digital breakthroughs rigorously protected by superior security.