New maritime cybersecurity centre to fight pirates

by Jean-Benoit Legault THE CANADIAN PRESS

A new research centre created at Montreal’s Polytechnique university will aim to protect ships from pirates – and they’re not talking about Blackbeard or Captain Kidd.

Canada’s Maritime Cyber Security Centre of Excellence will combine the expertise of two Polytechnique researchers, Quebec cybersecurity startup Neptune Cyber and Davie Shipbuilding. The five-year research project will focus on cybersecurity for critical maritime infrastructures.

“It’s time to do something, because the shipping industry is still lagging behind, technologically,” said Neptune Cyber’s technological director, Jeremy Citone. “It’s time for the shipping industry to catch up.”

Critical ship components, including navigation and motors, are more and more connected to the internet in order to diagnose problems at a distance and avoid having to send a repairperson onto a ship that could be half a world away.

But systems connected to the internet can become potentially attractive targets for hackers, who could try to paralyze a ship in the hopes of extracting a large ransom from the owner.

“The idea is to see to what extent, with our background and our expertise, we can provide interesting solutions to make these systems resilient,” said Polytechnique professor Nora Cuppens.

“The solutions we know must be adapted so they can be applied in other specific fields, such as the maritime sector.”

A serious threat

Hackers have shown repeatedly that they represent a serious threat.

In June 2017, a number of companies – including Danish shipping giant Maersk – were hit hard by the NotPetya ransomware virus. It took Maersk almost two weeks to recover from the attack, which is said to have cost the company at least US$300 million.

Closer to home, Montreal’s public transit agency was victim of a ransomware attack last fall that paralyzed its activities for several days.

One can easily imagine what could happen if cyberattackers took over the controls of an airplane in flight, or of several dozen cars on the highway. But what about an out-of control cargo ship steaming down the St. Lawrence Seaway?

“We get the impression that not many people have asked themselves the question,” Citone said.

IMO requirement

As of Jan. 1, the International Maritime Organization has required shipowners and operators to integrate cyber risk management into their security initiatives. It is the first cybersecurity regulatory framework for the shipping industry, which previously operated without international standards, according to Cuppens.

Previously, what was in place amounted to procedures and guidelines on what to do in the event of a cyberattack, Citone said. “But if the attack has already happened, it’s too late: you’re in the middle of the ocean and you’re down,” he said.

Cuppens says that beyond attacks targeting port facilities or ships’ systems, there’s a need to protect the entire supply chain, including trucks that bring merchandise to port.

Ships take up to five years to build, and it’s impossible to predict what threats could exist in the future. Therefore, the solutions – whether on board or run from a distance – need to be able to be deployed quickly and affordably if the industry is to adopt them, Citone said.

Cuppens said solutions also need to take into account human factors, such as an employee who brings in a USB key to watch a film and ends up infecting the entire ship.

Within a year, the project’s participants hope to have identified key vulnerabilities and laid the foundation for addressing them, Cuppens said.

Neptune Cyber and Davie will contribute a total of $1.7 million, of which $500,000 will be in cash and $1.2 million in support and equipment for the project’s duration. About 10 graduate students will also be trained to become among the first specialists in the field.