Estonia is a seabound country with a coastline of nearly 3,800 kilometers, which means the shipping companies, ports, and vessels it relies on are vulnerable to cyberattacks by criminals and terrorists. The country however also has a deep bench of IT talent, much of which is entrenched at Tallinn University of Technology (TalTech). Researchers at the university recently received close to €2.5 million from the EU to establish a Center for Maritime Cybersecurity.
The project will commence in January 2021 and run through December 2025 and involves hiring a European Research Area (ERA) chair to oversee the center, as well as a research administration manager. TalTech researchers intend to draw upon existing resources to comprise the center by partnering with the Estonian Maritime Academy at TalTech, as well as the NATO Cooperative Cyber Defense Center of Excellence, and other associations, institutes, and private companies.
“The Maritime Academy is quite strong in Estonia, and the country is known for cybersecurity,” notes Olaf Maennel, a professor of cybersecurity at TalTech who is taking part in the effort to establish the center. “There is also the history of e-Estonia and startup culture,” he says. “Combining maritime and cybersecurity is new, but neither domain on its own is new for us.”
Cybersecurity itself, Maennel adds, is interdisciplinary in nature, covering fields as diverse as cryptography, psychology, technology, and law. “You have a lot of different disciplines in cybersecurity,” says Maennel. “Now we are going to focus together on the transportation sector, because you need a holistic point-of-view to fight state-sponsored actors, criminals, and terrorists.”
‘Floating computers’
Shipping companies across Europe have had to manage cyberattacks from various actors in increasing frequency in recent years. In 2017, for instance, Maersk, the Danish-owned global transport company, fell prey to a major malware attack that disabled its IT systems for more than a week. IT hackers also worked with drug traffickers to import heroin and cocaine into the Port of Amsterdam between 2011 and 2013. GPS jamming and spoofing is also a threat. Between 2017 and 2019, there were 37 instances of GPS interference reported in the Mediterranean Sea.
According to Dan Heering, an early stage researcher at TalTech who is involved with the effort to create the center, maritime transport has become increasingly reliant on the internet in recent years, but much of the infrastructure and competencies onboard leave ships exposed to threats.
“Ships are built to last 20 to 30 years. Many of those older ships sailing today are using legacy systems that were not meant to be connected to the internet but now are, so there is no security in place,” says Heering. “People operating new and modern ships lack the knowledge to handle new, difficult situations that may occur at sea,” he adds.
And yet while these vulnerabilities exist, ships are now connected to the internet around the clock. “We can consider ships to be floating computers with the same cyber risks on sea that you have in your office on land,” says Heering. The location of ships at sea makes mitigating these risks more difficult. “If you have a cyber incident at sea, you can’t just ask the IT guy to show up in half an hour and fix your computer,” he says.
Ships are also using more specialized systems as they become more digital, Maennel points out. If a ship is reliant on a digital system to start the engine, and the engine stalls, it can therefore create significant issues. Some systems, he notes, run on Windows and use specialized software on top of it, but others have specialized systems. All of these nuances complicate responding to cyberattacks.
Ports are also vulnerable. According to Heering, one of the more common attacks against companies is the use of ransomware to target ports and shipping. “Within the last two years, the biggest shipping companies have been attacked,” says Heering. “The latest ones have been quite targeted, which means the cyber criminals have taken a strong interest in the shipping industry.”
Seeds of cooperation
The envisioned Center for Maritime Cybersecurity will aim to develop resources to better predict and respond to such threats, pooling experts from both the maritime and cybersecurity fields. Maennel notes, for instance, that researchers from the center could use the ship simulators at the Maritime Academy to experiment with threat response, as well as to study human responses to crises. “We can connect directly to the ship bridge simulators and test not only technical aspects and see how these played out in response on those ships,” says Maennel.
Heering also believes the center will cooperate with the maritime industry. “Incidents at sea are happening more and more, and they need some institutional organization to come and ask for assistance,” he says, “or maybe they want to buy some new equipment and test if it is secure.”
There are also similar centers popping up around Europe that will no doubt serve as partners. The University of Plymouth in the UK maintains a Maritime Cyber Threats Research Group, and recently allocated £3 million to support a specialized lab to combine maritime technology with cybersecurity. In January 2021, the Norwegian Maritime Cyber Resilience Center will open in Oslo. And last year, the Danish government unveiled a new strategy for cybersecurity, which included the establishment of a Danish Maritime Cybersecurity Unit.
Maennel says that the TalTech team has already reached out to colleagues at these centers to discuss collaboration. “The problems we are facing are so big that we don’t have to worry about stepping on each others’ feet,” he says. “So it is not a competition, but a collaboration activity.”
As the new center explores potential avenues for collaboration, both domestic and international, it is also working toward meeting its initial goal: hiring an ERA chair to oversee the center. The goal is to have someone hired by next summer. In the meantime, TalTech will begin building the lab and infrastructure for the center, so that when the chair arrives, the center will be in place.
Written by: Justin Petrone
This article was funded by the European Regional Development Fund through Estonian Research Council.