Cyber security, but without the digital limits

Under IMO’s 2021 International Safety Management (ISM) Code for cyber risk management, shipowners and operators are tasked with keeping onboard software updated and crew alert to meet cyber threats. Service providers must also ensure procedures, technical competence, reporting and remote maintenance are cyber secure.

However, International Association of Classification Societies’ recommendations on cyber resilience also lists data providers, who acquire data from shipboard sensors, store it, preprocess and transfer it, then evaluate it and use the results for decision-making purposes, as stakeholders. In this context, cyber security relies on preserving data quality, its safe production, delivery and integration, says Metis Cyberspace Technology chief technology officer Serafeim Katsikas.

Metis, as a data provider, uses the scalability, unlimited storage and processing power of cloud computing to empower big data analytics, machine learning and artificial intelligence on board more than 250 ships.

Combined, it gathers 1.5Bn sensor measurements every month, providing decision-making information across a range of performance parameters, including fuel consumption, emissions, hull fouling and charterparty agreement fulfilment.

Because Metis does not specialise in cyber security, its position as a stakeholder rests in the need for its cloud-based platform, data acquisition, preprocessing, uploading and transmission to be fully cyber resilient.

“Regardless of its source, we allow data to be filtered and stored in a central database, while any processing, analysis, functionality and service implementation are executed by independent microservices,” says Mr Katsikas.

“All microservices are interconnected either through an application programming interface or a common message bus system, so that none has direct access to the main database to execute standard inquiries.

“Any applications or users are prevented from accessing a vessel’s information without permission, while the administrator can see, set and revoke user and app permissions,” he adds.

Ships typically feature diverse digital interfaces and fragmented systems. “Their IT networks can sometimes be of low quality and do not unify all systems on board,” says Mr Katsikas. “Given these conditions, vessel control and monitoring systems are accepted as the most viable route to digitalisation.”

Here, stakeholders look to the International Standards Organization (ISO) for recommendations covering a ship’s control and monitoring systems’ encryption and threat detection capabilities, rather than to IMO itself.

“However, at a time when cyber security is uppermost in the maritime consciousness, an International Council on Combustion Engines (CIMAC)’ systems-integration working group merits separate attention, given its special focus on the design and use of alarm and control systems to manage marine hybrid propulsion,” says Mr Katsikas.

Cyber security requirements provide a golden thread running through the work of this group, of which Metis is a member. While some stakeholders may still be catching up with IMO 2021 regulations, this group is also deconstructing the shipboard control and monitoring system itself, in a way that aims to conserve cyber security while advancing interoperability.

“Opportunities exist to avoid duplication by synthesising modules from multiple systems within each category, and standardising system or module interfaces to enable interoperability by sharing data and services,” says Mr Katsikas.

International Electrotechnical Commission data exchange standards can already be used to access data from navigational equipment, but standardisation has not so far been achieved for ships’ machinery.

ISO standards provide unified rules for developing machine and human-readable identifiers and data structures to enable exchange and processing of sensor data from ships.

They also provide guidelines for the installation of ship communications networks for equipment and systems. “This means a monitoring system defined as a shipboard data server and sharing information to any other system can already be designed to ISO recommendations,” says Mr Katsikas.

“Owners can feel pressurised to follow the digital lead of individual equipment makers, or to settle for the absurdity of multiple cloud-based solutions,” he adds.

“But we believe a strong focus should be placed on standardising shipboard control and monitoring systems. We will therefore continue to work closely with our partners to realise a vision for the digitalised maritime industry whose common goals of safety, security, environmental performance and efficiency are best served by common solutions.”