LEO satellite constellations seen as a cyber security threat in vulnerable offshore industries
Joel Scanlan. Credit: ABC
WASHINGTON – The arrival of reliable, high-speed broadband from low-orbiting satellite constellations could lead to an increase in cyberattacks on ill-prepared industries seeking to adopt the new connectivity services.
The offshore mining and maritime industries are especially vulnerable, said Joel Scanlan, a lecturer at the University of Tasmania in Hobart, because they are geographically dispersed, lack reliable and fast web access today and rely largely on legacy software with poor security.
For maritime in particular, “there is a great business case to connect and monitor these vessels worth tens or hundreds of millions of dollars remotely, but they weren’t designed to be connected, and they often run code that is not particularly secure,” Scanlan said Oct. 25 during the International Astronautical Congress (IAC) here.
For now, these industries make use of high-latency, low-bandwidth satellite connections in LEO and GEO for non-mission-critical tasks. But both the off-shore and maritime sectors are expected to transition to shore-based control and increased automation of shipboard systems when a spate of new broadband constellations proposed by SpaceX, OneWeb and Telesat are scheduled to come on line in the next few years.
“Boats are still made with USB ports, and this is how malware gets in, with sailors charging their phones in the navigation system of the ship,” Scanlan said.
“Five years ago there was no connection at all. As an industry, maritime is not really ready, and yet they want to rapidly adopt the new LEO constellations.”
As an example of the challenges the maritime industry could face, Scanlan highlighted a June 2017 cyberattack that crippled Danish shipping giant Maersk. Dubbed “Petya,” the attack shut down information technology systems across multiple sites and business units.
“The biggest shipping company in the world, and every single server, the shore-based operations were all completely taken over by ransomware,” he said. “Happily, it didn’t affect any vessels because they weren’t connected. But jump to 2022-23, and can we say the same thing?”
As a result of the Maersk attack and other cyber incidents, the shipping industry has become more aware of the threat posed to its connected systems. To mitigate the potential consequences, a group of international shipping organizations has developed guidelines aimed at assisting companies in formulating their own approach to cyber risk management onboard ships. A compliance framework is in the works, but Scanlan said it is not expected to be in force before 2021.
“The vast bulk of this, while a good response, is very much in the context of the current systems and the current levels of network connectivity,” he said. “What is about to occur is a rapid paradigm shift in internet access, and not so much the status-quo rate of change.”
He said ill-prepared industries will not be agile enough to respond in time to changes that new global high-speed broadband will bring to onboard network security.
A crewmember’s smartphone plugged into the ship’s console is the kind of thing the maritme industry wants to avoid. Credit: Joel Scanlan
“I don’t know how broadly people truly understand what the impact of Starlink plus OneWeb could have, one to three years from now,” he said, referring to SpaceX’s proposed constellation of thousands of small internet satellites in LEO alongside OneWeb’s planned network of several hundred broadband spacecraft.
“The industry may rapidly take on the new technology, as that will be fairly cheap and easy, but the existing systems and existing educational level about cyber risk is a bigger problem that will take longer to alter,” he said.
In a 2018 maritime cybersecurity survey conducted by Jones Walker LLP, nearly two in five companies experienced an attempted or successful data breach in the preceding year. The survey, which polled 126 senior executives, technology officers and managers across the U.S. shipping industry, found that only a minority of companies have participated in government and industry initiatives designed to mitigate the risk of a cyberattack.
But while higher bandwidth and more interconnected systems will no doubt increase the level of risk to maritime and other offshore operations, Scanlan says some sectors have managed the transition.
“Migrating servers to the cloud, for example, changed the risk profile; many companies were fine, but we do also see a lot more data breaches these days than previously,” owing to multiple factors in addition to cloud computing, he said.
The threat of cyberattack to the aeronautical sector, while less immediate, is another example of an industry mitigating risk, though Scanlan said few parallels can be drawn between ships and aircraft.
“Cockpits in planes have duplicate controls to the implementation of duplicate controls that in a bridge on a ship are very different,” he said. “In aircraft they are truly redundant systems, but I have been on ships where they were merely copies and shared some resources, and thus were not truly redundant.”
Much of the risk for any vessel, whether airborne or at sea, stems primarily from the crew and how well it is trained to avoid introducing malware into onboard systems via USB drives, mobile phones or other connected devices.
“This, to my knowledge, has not been seen as much of an issue in aircraft, but several weeks or months at sea is very different to hours on a plane,” he said. “If SpaceX really does sell their antenna for ~$100 as has been suggested, the prospect of a crew member buying and setting up onboard is very real on a boat, but not a problem a plane would face.”
