Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
Imagine you are an officer at Port Control.
It is your job to decide whether
a certain vessel enters
your port or doesn't get
permission to get in.
But this time, it's different.
There's no captain on the ship.
It's an autonomous ship.
So is there an AI running it?
Where is it from? Should I allow it?
That's a decision of the future.
Well, of the near future.
That's what we're going to find out today.
Welcome to Threat Talks.
My name is Lieuwe Jan Koning.
And here, from headquarters at ON2T,
we bring you the next episode.
And the title of this episode is
Predictable is Hackable.
Let's get on to it.
Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
Let me introduce our two guests of today.
First of all, like last week
when we talked
about the maritime industry,
I'm really thrilled he's here again.
His name is Stephen McCombie.
He’s the professor of maritime IT security
at the NHL Stenden University.
And he has such a big
track record in cybersecurity.
He has been in industry for years.
He's been in the Australian police,
for example, for years.
And he's also created and led
the IBM Incident Response Team.
He's been advising many, many companies
and organizations
on the subject of cybersecurity
and cyber risk.
Also outside of the maritime industry.
So he knows a lot about
all these subjects.
So I'm really thrilled he's back.
Stephen, welcome.
Thank you for having me.
And on the other side,
friend of the show, Hans Quivooij.
He is the CISO of Damen Shipyards.
Now, Damen Shipyards is a maritime
solutions provider.
That means at least among very
many other things, they are building ships.
Right?
So, any ship you can imagine
Hans can probably make
sure you... with a small-
I might get you a discount, but...
With a little discount, I might need it.
But any ship that you can imagine
almost is a Damen
Shipyards build. So. And they're
a very innovative company.
So they're looking into the future
and the future of autonomous shipping
is exactly what we're going
to talk about today.
So I'm thrilled to have, gentlemen,
have you both, welcome.
Thank you.
Let's explore a little bit
this future that we're talking about.
So autonomous shipping.
Can we compare this to autonomous
driving like cars?
Stephen. I would say it has
a lot of similarities, but,
the big challenge for ships
is that they're remote.
So if a ship's autonomous,
without any crew, if there's a problem,
there’s no way of
actually dealing with it.
And with a cyber attack, we're talking about
the cyber systems on the ship being compromised.
The same systems we’re relying on
for their autonomy and for safety.
So that's the challenge.
Is there, on such autonomous ships, is there
really no staff at all or is it just- Depends
autonomously controlled? There’s different
models, whether that’s small cruise or
just certain functions are done.
But at the moment the challenge for crewed
ships is the lack of cybersecurity knowledge
on a ship, you know, an autonomous
ship's always going to have a lot less staff,
a lot less possibility you have a cybersecurity expert.
But if there's no staff
there's also no insider job.
Or am I mistaken there?
Well the insider could be in a provider that
actually helps maintain the systems remotely.
Yeah.
The people are still there
but they're just not on the ship.
Exactly. At that moment in time. Yeah.
Hans, what’s your...
Yeah, I think we have also
a lot of, some similarities, but also a lot
of things which are completely different.
If you look, for instance,
at the auto industry
and you also have a very high volume,
you have a high level of standardization.
If you look at, we're a big
shipping company or we’re
a big ship construction company,
I should say.
But the reality is we built,
if we're lucky, we do 200 vessels a year.
Yeah.
Just compare that to the auto industry
where you might have
well, you have thousands of vessels
or thousands of
cars being manufactured, which are
highly standardized. In our situation,
and we're not different than
any other ship constructor.
That doesn't happen that same way.
You will have a lot of bespoke things.
You will have a lot of changes.
So... No ship is alike. Almost.
You could almost say that. We, obviously
we have whole ranges of series
which are very much alike,
but that still doesn't quite
count into the thousands.
How far is Damen Shipyards currently with
thinking about these autonomous ships?
We have them.
We're actually,...
So it's not the future.
No, it's not the future.
And it greatly depends on the type of vessels.
We're currently doing a number of initiatives.
We're doing some for public
transportation,
small like ferry like,
we call them, well,
pretty much basically a ferry
or a water taxi or something in between.
We're also doing certain initiatives
together with the Dutch military,
for autonomous vessels.
And you can think of, well, some sea-
like drones or something like that,
I won't go into the details there.
But yeah, we're definitely working on that.
And, I forgot my question.
So if you're talking about these autonomous
ships, how autonomous are they?
Do you mean then there's nobody on there
or is it more like assisted,
is there like a panic button for someone to press?
Right now, of course,
what you will see, because it's
not a fully completed product yet,
there will be people on board
so they can push the proverbial
button you were referring to,
when it really is needed.
But the goal is, of course, to
have as minimum of staff or no.
And once again, that greatly depends on
the type of vessel, what it's going to do.
You can think of a situation where
you might have certain pods
which might take the role of a tugboat,
for instance, in a harbor,
which basically will mean
that you have a thruster,
which you can actually kind of remote
push against a vessel in order to do
the job a tugboat would have that
would not require anybody onboard.
But the moment you're
talking about something
which is bigger than or depending on the type
of vessel, then obviously it would change.
Then it really depends on the type.
And what about the responsibilities. I mean like
if we are looking at self-driving cars for example, and
some of us have been in Waymo's
in San Francisco, for example,
where there's no driver anymore.
And that's a weird situation
because the driver,
that would be the captain of a ship, is the one
responsible if there's a collision, for example.
How does that work in
the maritime industry?
I think we are going to probably
need some legislation for that.
I don't really know if there is already legislation.
International waters? International waters,
that's probably the easiest part.
But the moment you get into harbors,
it's going to be a different situation.
Yeah. And when we're talking about cars,
that is, I don't know how we actually
going to solve it, but someone has to be,
in the end, pick up the ticket
if something goes wrong. Would that
then become the shipbuilder.
Are you going to be responsible,
for example?
Well, that kind of depends whether or not..
I think you have a, obviously depends
on what really happens.
Right now, the moment you deliver a vessel
and you hand it over to the customer
and they take ownership,
they take responsibility.
But indeed, if the moment, if you
provide an autonomous vessel,
then you're no longer just a fabricator.
You're also, to a certain extent, you're the exploiter.
You're the operator of the vessel
at such a moment, because your technique
make certain that it runs
and that it runs remotely, etc., etc.
So yeah.
Stephen, do you think the industry is ready
for this from a cybersecurity perspective?
I think ... and talking about how
the responsibilities,
in terms of the regulators,
yeah, it's important
to keep watch on a vessel
unlike autonomous vessel,
there is no one actually doing
that watch if it's not manned.
And that's quite a challenge.
You think about historically, collisions
as most of them, more than 50%, were
because the watch wasn't effective,
they weren't aware
of their location,
the situational awareness.
So I think that's a big challenge,
you know, how they're going to
have the legislation reflect that, that keeping
watch for an autonomous system.
I think that's a really big issue.
And yeah. Keeping watch, is that as simple as,
having a radar and a GPS system, for example,
and make sure that you indeed
know who you should not collide into.
Well, I think it's more than that.
It's actually looking out the windows
understanding where the vessel is,
the location of the other vessels
in the area, a whole range of things.
I mean, you could say, okay, let's build
a system that's with a bit of AI,
that's going to be able
to have this situational awareness.
But in the end, who's responsible for that bit?
Because in the end,
I mean, the nature of a maritime
law is the fact that there's one
‘throat to choke’, there's the captain.
He's or she is responsible
for the vessel in terms of that.
But many would argue probably
that human error no longer exists
because it's now a computer that does
things all the same at all times.
There's no, an infinite attention span, for example.
It must be so much better. Yeah.
So unfortunately, humans
build those systems and introduce
a lot of errors in them.
But yeah, I think that's...
Yeah, I think that's proven false-
And the entire surrounding
area might not necessarily be
as smart as that one vessel.
That's right.
It needs to work in an imperfect world.
Yeah. I actually I have a story about the Waymo’s;
I remember at some point, so those
electrical autonomous cars in
San Francisco were really risk averse.
So they would, even if they
got priority, not take it,
so they would, chicken out, basically, out of
any confrontation to avoid any collisions.
And the bus drivers actually got
used to this, so they knew that
although they didn't have priority,
they would actually go through and then
the Waymo would stop.
And overnight they changed the algorithm,
so it would be more assertive.
And then collisions happened.
So that's good to, talking
about the human factor.
So is there any risk particular to
autonomous systems that we can
talk about that we maybe
didn't naturally think of?
So there has been some research,
University of Genoa has done
some excellent work around
the predictability of vessels
to avoid collisions.
And using that as a way of making a vessel
go where you want it to go.
And that's been, you know, very effective.
Certainly the research has been effective.
We haven't seen them in the real world
being caused by a threat actor.
But, and it's a real challenge because
the ships have to act very predictably.
And that's the nature of AI.
They're not like a human.
They're not going to
make different decisions
so they can take advantage of that
to actually make them,
in a situation where
there's another vessel,
whether it be a real vessel
or a fake vessel, you know, through
AI spoofing or some other means,
make it go somewhere you want.
And that's, you think about,
you know, threat actors on the sea,
often one of the things they want to do is make
you go where they want so they can board you.
They can put you in danger.
Or stop you completely. Yeah, you had an example
from the database last time we talked.
Exactly, they can stop you achieving
whatever the mission is.
Perhaps it's a defense vessel, you know?
So there's more than enough reason
for an adversary to want to do that.
Yeah.
So Damen Shipyards is probably going
to put a lot of effort
in making sure those vessels
do not collide with stuff.
So there's algorithms in place then.
And what you're saying is
once we understand this whole algorithm,
we can actually also use it
to our advantage to do harm to.
But isn't that kind of like the
rat race we're already facing?
We see it already in IT.
And of course, on one end
we see AI in our defense,
but the same we see them in our attackers
that it's always going to be that
the moment we think of something
that somebody else will think
of a creative way to either abuse it
or make it malfunction in such a way
that the stuff happens, which we
really don't want to happen.
Yeah.
True.
But what's the solution here then?
I mean indeed, if you're saying
listen, if I jam the radar,
I'm going to force this vessel to crash into
this other one, I mean, that's a nice attack.
Yes. I think that-
Because the difference with
the real world is that
an actual captain will then
look outside and see, oh, there's another vessel,
I'm not going to steer to the left,
although my navigational software says so.
Maybe I heard on
my radio them talking,
and thought, well,
that sounds a bit weird
what they're saying.
It could be all other factors.
I think, you know,
without trying to always be
on the downside of automation.
I think there are some advantages
in these situations.
The fact that an automated vessel,
there's a lot of information
we know about what's going on.
We've got more visibility on an
autonomous vessel than a normal vessel.
And it’s interesting that's a challenge
with crewed vessels
right now, is getting that visibility
for cybersecurity people to help them.
Whilst on an autonomous vessel, we've got
lots of visibility. The other side of that
is, if it's completely compromised
in some sort of attack
with actually compromised systems
on board, we can't trust that information.
Yeah. And then it's a floating weapon.
More or less. Yeah. Yeah.
Yeah, that must cross your mind as well.
Yeah.
It doesn't stop me from sleeping yet,
but it might happen in the future.
Is cybersecurity keeping up with those
developments or should we do better?
It kind of perhaps, depends on
the definition, but I think that,
obviously we have a wide range
of techniques to defend,
but it also comes down to starting
with the proper designs.
And that's not necessarily cybersecurity.
That's proper architecture,
that's proper design proposals.
And that's thinking in a way,
but sometimes also especially
also in the maritime industry,
which wasn't a top of mind there.
So I think the techniques are there, they're available.
But it also requires much more of cybersecurity
savviness in your engineering department, in the people
who not necessarily had that in mind in the past.
And as I said, certainly changing for the better.
But it's also going very fast.
So is it hard to, in your organization to make people
aware of this and do those trainings or..? Awareness
is probably, something which is
relatively easy, because everybody,
you have to live under a rock if you're
not aware of all the risks we're facing.
So that part isn't that difficult,
but then doing the proper things
in the right way, that is more of a challenge.
Yeah. I can imagine that the benefit of creating an
autonomous system is so big and it's almost like a given...
Yeah, but as Stephen was mentioning earlier,
it's the autonomous system, it's two ways.
One of course you have to ensure that
the system which operates autonomously
is doing things in a safe manner.
But you also have to be certain that
that system itself cannot be compromised.
And if I introduce something
which might be easy to compromise
once I get physical access to the vessel
or whatsoever, then I might introduce
something which is much more dangerous,
because then I have an autonomous vessel
which could indeed be turned into
the weapon as you were mentioning.
So in a way, it almost sounds like
it's easier with autonomous systems
to secure the IT in those vessels, compared to-
Once again, it really depends on the type of vessel.
If it's a small vessel,
if it's a relatively contained unit,
then you can probably redesign it
in such a way that it's less...
that people can't get access to it.
If it's a big vessel, if it's a vessel which also
needs to be serviced or whatsoever,
then you're introducing something
which could make it even more difficult.
So not necessarily agree with that one.
No, but I can imagine that it,
I mean, everywhere in cybersecurity-
And it also becomes much more complex
because obviously we as a shipbuilder,
we have a lot of knowledge
about building vessels.
We definitely don't have all the knowledge on
how to set up the perfect autonomous system.
That's what we do with partners.
And those partners are nowadays
are much more ingrained
in the end product than in the past.
In the end, or in the past, they would do something,
they would bring equipment onboard, and they would leave.
This also creates a whole different,
a new level of trust.
No, not necessarily level of trust,
but a new level of cooperation
with those kind of organizations.
They're also not as... they are mature,
but it hasn't proven itself yet.
So we're also in its early stages there.
So it's definitely not a walk in the park.
From my point of view.
In previous episodes, I remember
we talked about how it's difficult
if you have a big supply chain
of different systems, they all want
remote access to a subsystem on a vessel.
Since everybody more recognizes that autonomous
systems may be more of a big ecosystem,
it's more, they somehow have to work together,
so it could even be an advantage?
Probably. We haven't seen it yet,
but yeah, you could be right.
But once again, and that's probably
also because of the initiatives
we're doing, we're doing them
on a small scale with small vessels.
Whether or not it scales up
to complex vessels,
has to be seen in the future,
I don't know at this moment yet.
I don’t think there's a perfect solution
for that at this moment.
If I look at our organization then we're
definitely, we're thinking about that.
We don't have a product there yet.
So we're right now still focusing on
the relatively smaller type of vessels.
And that's probably easier.
Smaller is easier because there's less
parties involved, etc. And also less risk.
Depending of course on the type of vessel,
because, you can for instance,
if you're doing a nuclear waste carrier,
then you're definitely
not going to pilot anything,
with autonomy at this moment.
Stephen would probably advise you
to start small.
Yeah. Keep it simple.
Yeah. True.
Yeah. So.
So, and what else? What other advice
could you give here, because in order
to put the right effort of cybersecurity
in these systems
is usually important,
but it could be quite a challenge.
And maybe whilst Hans is a little bit, also in a huge
organization that has their focus on cybersecurity,
but there's probably many
other shipbuilders that don't.
What can we do?
I think I mean, like as in
all cybersecurity, it's
an arms race, you know,
in terms of what the attackers are doing.
And the problem is innovation’s
on the attacker sides.
So we're always playing catch up.
That's probably a defensive measure.
So we have to be much more cognizant of what
the attackers are doing, what the new attacks
are looking like, understanding how we protect from them,
understanding how we respond to them so as to be
the full spectrum of activity, not just,
you know, and certainly in other sectors
this was the case in the old days,
is just this idea let's build a castle
and keep the enemy out
with these high walls.
And that's as outdated as the castle is
in terms of cybersecurity.
You know, we've got to understand
it's the age of constant compromise.
Yeah.
It sounds really challenging.
Honestly.
But there's also a public interest in that
these things are going to be done well.
On the streets of Europe, you cannot have
an autonomous car, for example.
In international waters, but probably most
waters, it's much less regulated.
How big of a risk is this?
So suppose Hans sells hundreds of autonomous vessels
and then someone else tweaks with the firmware, right? Yes.
And it's out of his hands.
And then, some nation state controls
all those and sends them
all to the same spot and causes some kind of...
or to the Suez Canal or whatever.
That is a risk.
And there's no way, as a government, for example,
to somehow put measures in place.
I think. I think it comes down
to the likelihood and the impact.
It's like any risk management
decision, if we understand
that certain threat actors are doing that
for a particular purpose, then
obviously then that's something that
needs to be directly addressed.
The problem is, we can come up
with lots of scenarios
of all types of things that can happen,
but lots of them... It's just not practical.
You know, we can't stop everything.
But we can do certain things
based on what we know about what
the threat environment is, what the like,
the intent of threat actors is,
because that's, all cybersecurity threats are driven
by threat actors. If they don’t exist...
No threat actor, no threat.
It’s what we have to think about, and the maritime sector,
it's a very particular sort of environment.
So we need to think clearly,
have that intelligence,
that understanding of the threats and drive
legislation but also technology that way.
But is that fast enough?
Because if you are, so we talked last time
about your Ship Honeynets. Yes.
You kinda mentioned that you can
make an autonomous digital twin.
Yes. And have people hack
into that and figure out...
So then you know what people...
Exactly, exactly.
But then if there's already
lots of ships in there.
Yes. Out there.
What are you going to do then?
Aren’t we too late with that then?
I think we're never too late.
I think that,
it's always going to be a challenge
keeping up with that innovation.
But the important thing is to understand
what threats are being realized
in the real world and understanding
how to actually deal with those.
And I think without that information
you’ll try and do
lots of things, which might
have limited effect
without focusing on the things that
are actually going to hit you and like,
and we talked last time about Target,
I think it's a great example is
another big, I think it was Nordstrom.
Were hit by a cyberattack three months
earlier, exactly the same threat actor.
And they took zero notice.
And they could have completely
avoided their breach as a result.
It's the same in all
areas of cybersecurity.
If you understand what threat actors
are doing in the space,
then you build for it.
And it's much harder
in the shipbuilding industry, because
the lead time is quite long.
But I think we need to understand,
make systems resilient in terms of,
you know, basic cyber hygiene, but also
think about, if something goes wrong,
what are we going to do?
Think about those decision making.
That sounds like the only solution,
more or less, is that combines,
we'll ask Hans if that exists, combined
the CISO club of the shipbuilders.
Yeah.
Somehow, make a pact and say, listen,
we're going to share everything we see.
We're going to build
these digital twins.
Yes. Figure out what's going on, and we're
going to adapt quickly in our software.
To do that. It sounds a bit like a
security operation center for IT, actually.
We'll talk in a bit about what
we can learn from that as well.
Yes. In a bit, but it sounds
like initiatives like this,
have to be there, and it has to come
from the private sector then?
Yeah. I mean, I suppose one of
the challenges in the shipbuilding
sector is the fact that, you know,
it's an international business.
And I think China's a top shipbuilder,
followed by South Korea,
followed by Japan.
So it's actually quite a diverse industry.
It's not like, you know,
in the Netherlands we build...
Yeah.
What's the percentage of the total ships?
And once again depends on the market
of course. If it's for tugs, it's pretty big. Yeah.
For container vessels it's zero. Yep.
So yeah.
No we're definitely on a global market.
If you take the whole
of the maritime industry
or all the shipbuilding,
we're definitely a small player.
If you ... so, totally agree.
Yeah. Okay. But who builds the system?
I mean, is that the shipbuilder
or is it a contractor of the shipbuilder?
It's usually the contractor. Contractor.
Yeah, it kind of depends
of course, on the shipbuilder.
You might have systems where you say,
okay, we have our own kind of agnostic
layer on top of it, where you
plug in all the subcomponents.
But the majority of the systems
on board will be built
by subcontractors.
On any type of vessel. Yeah.
But Damen does feel responsible for this.
To select the right- At the end of the day we are
responsible because from a legal point of view,
the moment we build, we deliver a vessel,
we are responsible.
So it's completely different from
the software industry, right? Yes.
The first thing you do: you’re on
your own in figuring it out, bugs are..
you’re responsible for our bugs.
That's not...
We could learn from...
Yeah, okay. To a certain extent,
it is like this.
The moment you hand over a ship,
then obviously it is.
But the moment you start offering
digital services and also as
Damen we are also looking into, well,
we're trying to reinvent SaaS.
We're doing ship as a service,
which means that we're going to be
the owner also during operations,
which makes us responsible.
So. But we are indeed responsible
the moment we deliver a vessel, that stuff
which is being handed over
by subcontractors,
which installed in the vessel
at the end of the day,
we are responsible if they screw up.
Yeah, yeah.
Whether it's legal or not, you also feel responsibility
because it's also bad for you of course.
And that's completely different in
the software industry, but somehow
we all accept that if my laptop crashes
that it's my fault because I should have...
Yeah. What can we learn from IT?
Because what we're talking about
here is OT, so systems that are
controlled by software, of course,
but it's not like, VMs and containers
and all that, that’s in the,
and laptops and all that.
But maybe there's lots
of things, doesn’t it
look more like it since the IT component
in those vessels is going to be bigger.
What can we learn then?
I think, and some companies
are doing this
where they treat a vessel
just like the head office.
And the same sort of IT controls
are there for the OT systems.
The same sort of technologies are used, and
it's architected the same way as they architected
the head office, you know,
you have all the data.
So and while that isn't necessarily
exactly everything
you need on a vessel, it certainly would
improve the current situation.
There's not many organizations, maybe the maritime sector
is an exception, but in many industries
we have the IT responsible person
and we have the OT responsible person.
There's always both.
I do understand there's differences there,
but the division, the thought,
I believe especially from cyber
defense, should be the same.
Yes. Yeah.
But I don't see this in the real world
at the moment.
I think some CISOs are now and cover
both like I think that's
it's not necessarily 50%,
but it’s a large percentage
where the CISOs responsible for
both areas. In the maritime industry?
Yeah.
What's your take on that?
It's increasing, but it's definitely
not across the board,
it's not there everywhere.
But it is definitely moving that way.
Especially if you have subcontractors,
I mean that’s such a different...
It's a cultural change I think, especially in
[ ] and also within the IT sector.
We cultivated that as well, because
many of my peers in the CISO,
they didn't want to really go into
that part, because we all know that,
especially if we're talking about OT security,
then nine out of ten times you're talking about
older systems, you're talking
about complicated systems,
you're talking about systems
which you can't really patch.
And that's quite often
the first approach for them to do.
CISO’s ten things to do:
first one is patch everything,
and then the factory says no.
Yeah.
Because it's going to bring our
system down, maybe potentially.
And so we're not going to do it.
So there’s a lot of work to be done there.
It's an incredibly challenging
position to be in as a CISO,
they have such disparate environments
they’re responsible for.
But I think that's
how security needs to work.
Yeah, agreed.
How are we going to get there?
Honestly, I think it's hard.
This is maybe the hardest part
of what we’re doing.
Let's hope it's not driven by disaster.
True.
Yeah.
Well, and but even then,
I mean, how many examples do you...
There's a whole [ ]
Yeah.
We have got quite a few on file. Yeah.
How many examples do you want?
Apparently this doesn't help.
Examples of where things went wrong doesn't
change behavior in organizations apparently.
To me, this is the...
I disagree with that one.
Because if it happens to something in your
own organization, then usually it does.
But if something happens to your neighboring
organization, there will always be an explanation why:
okay, but we're different.
We're not doing it in that way.
So indeed. Yeah.
But you don't, let's also be realistic.
You really don't want to have
those kind of incidents
happening in your organization.
Yeah. So you'd better learn from them-
[ ] Yeah. Yeah.
But is there anything that
you guys can help
fellow CISOs or leaders
in the maritime industry
to put this better on the agenda?
Start by asking the right questions.
I would say, because what you will see
that in many maritime organizations
that things I did, is something where
I wouldn’t say people are blissfully unknown.
That's absolutely not true, but they don't
really understand the ramifications of it.
So start by asking the right questions.
So start by doing some kind of threat modeling.
Start by doing, albeit just a simple table top.
Just do some scenarios.
What could possibly go wrong there.
And then you will hopefully
get the organization
along that they start to have
more realization on this one,
start to educate people, start
to educate them in all sorts of things,
starts also your engineering,
start to educate them
in how to do security by design, if you're
talking about those kinds of things.
So it's all raising awareness.
It's raising education.
Yeah, I know it’s a big part
of what you're doing.
[ ]
So whose job is that then, that means
that if you are CISO of a main office
IT department of any shipbuilder
or supplier to you for example,
you need to take responsibility-
You need to- might not be in your job description.
Yeah. True to a certain degree.
But what you also need to do
is you do stakeholder management.
You need to make sure that the people
who are responsible for that type of products,
that they take mutual responsibility
because if you're as IT
taking the sole responsibility
for this, you're screwed.
Because they will, hey, people already, many organizations
always point at IT and then their way of pointing
only becomes bigger because then
they have OT to blame IT for as well.
And then I really pity
the CISO whatsoever,
I think actually the worst thing from
a CISO perspective, what you can do
is claim that you're the
the sole guardian of this.
It's a mutual ownership.
At the end of the day, indeed, you might
be the one who sets out the strategy,
but if you can't get those
people to understand
why you're doing this,
then you're doing it wrong.
[ ]
Because they-
At the end of the day, they are responsible
for that type of product you're doing.
It can't be that they say, okay, well,
I'm responsible for everything, apart
from the security part.
Yep. Absolutely.
Yeah, we talked about this last time.
And I just think, as you're saying,
if you can get them to understand
the way we talked about this last time,
is all that could happen, that’s the great lesson.
Yeah.
When this threat is realized
and they say oh okay,
and I'd be responsible for that?
And then when that lesson happens,
that's when you really, you get their attention.
So there is a way.
There is a way.
However, what struck me,
when it comes to awareness,
to C-level or to leadership is making
things really tangible, really simple.
I see behind you, Hans,
you very well know this,
not a real vessel, but it's a different-
Definitely no Damen vessel. But.
Yeah.
No, but the technology right
there is real world technology.
And, we actually demonstrated in a previous
episode, we'll put a link in the show notes,
how easy it can be to capsize the ship
so that the containers fall off.
And honestly, when we developed this, internally, I was like,
yeah, but from a technical perspective this is so simple.
What is there to gain?
Because of course, there's almost
no security in this whole system.
So of course we're going to hack it.
Of course we're going to make
the ship cause problems.
But then, when we showed it to people,
people were really odd, because
they're like, oh, wow.
So it's that easy, this could happen.
So it's on that very bit...
Sometimes you forget if you are a
researcher or you are a teacher
or you hire a CISO, and all in the field,
we take things for granted that can go wrong.
And, we should probably make it
simpler and get our...
Actually, one of the reasons we have this podcast is
to do that and to show how simple it is.
And maybe that it helps a lot.
I mean, we're more than happy
to make the boat capsize a little
bit, anywhere for everybody
who wants to understand.
But if that one got autonomous
and we would put it on,
somewhere outside, I wouldn't,
not even that one,
I wouldn’t even trust it outside, because
I know how easy it is to get in there. True.
Yeah. All right.
Gentlemen, in closing, what should we do?
What should be the practical advice?
Is there anything that we should prioritize,
that we should give the industry?
That they should do.
And it could be for the maritime industry,
for autonomous systems.
But maybe those are things
that are also valuable to
people who are not necessarily
creating or building a ship.
I think to a certain extent, realization
and realization that, of course, that
things are moving at a ridiculous pace,
and if you don't keep up the distance
behind is only going to increase
and which also is
going to increase your risk.
And I think it's also a matter of constantly
raising the awareness in your organization
outside of the people who are
already knowledgeable about it.
9 out of 10 times, your IT organization
already knows, that's not the issue.
It's going to be your OT organization.
It's going to be product development.
So, cross boundaries there, to do that.
Yeah.
So, your OT department should
go to IT and say, hey, listen,
what amazing bad stuff
have you lived through?
Tell me.
Because I don’t want to live the same-
I think that would definitely help
in many organizations, because right now
you will see that in many organizations,
those are completely separate.
So at least start the dialog,
and also doing things like what we did
with Hack the Boat is make it visual.
Many people, and I think Stephen
can elaborate on that.
It really helps just showing
what can go wrong.
And that's the reason, of course, why we
did this together and make it visible.
Obviously we didn't want to make it too visible that it was a
Damen vessel, because then marketing would kill me.
But in this way, it is easy.
And this really helps.
Yeah, we removed all the Damen
protections, to show...
Yeah, it would be impossible with
a Damen vessel. And moving on.
Yeah.
I think it's really important
with a shameless plug for research,
but I think, if shipbuilders
and people in the industry
would work more closely with researchers,
cybersecurity researchers and not just, well,
there's lots of groups that are working on
cybersecurity, University of Plymouth,
Taiwan Tech, University of
North Carolina, amongst others.
So there's lots of good research
universities in general,
which I mentioned,
who are doing some great work.
I think there's great opportunity
to work with researchers to understand
how threats might manifest themselves.
And, understand a bit better about things
that have happened in the past
and then make the decision making around
designing and protecting vessels better.
Yeah. Yeah.
So the knowledge is out there
that's not the problem.
We got to look for it and
tell people to go look for it.
Yeah.
And is it fair to say that cybersecurity
should evolve in organizations that create
autonomous systems, at least as a base
of the autonomous systems itself?
I think that would be... Absolutely.
Okay.
Let's conclude with that then.
So, gentlemen, thank you very much
for your insights today
and for giving us a peek into the world
of the maritime industry going forward
and making sure that our world supply
chain and, I mean, the physical one,
is actually going to stay there
and stay safe.
Thank you very much. Happy to be here.
And to our viewers, thank you
very much for tuning in today.
If you liked what you saw, please like it.
It helps us spread the word and it's
really close to the subscribe button.
If you press that as well,
the next time you will have
another episode of Threat
Talks in your inbox as well.
Thank you so much. Bye bye.
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.