The threat of cyberattacks on critical infrastructure like power plants and vessels at sea is increasing. Teemu Eronen, Wärtsilä’s director of cybersecurity, says keeping systems safe depends more on human actions than technology.
What are the most significant cybersecurity threats in the maritime and energy industries?
In the past, we talked about technological vulnerabilities in two different segments – operational technology (OT) and information technology (IT), but now we see these things converging with the promise of improved efficiency and new business models, and this has created new vulnerabilities. This is true for both maritime and energy.
In the maritime industry, up until very recently, advanced digital technology has been seen as nice to have, but not really something necessary. But now, maritime has realised that there are a lot of advantages in having up-to-date information about things like weather conditions, fuel consumption, and communication to the ports. Digitalisation also has brought a lot of advantages in terms of optimising the movement of passengers and goods from the factory to the departure port to the arrival port to the customer.
Unfortunately, when designing these systems for the maritime industry, security has been the last thing on anyone’s mind. This is in part because the maritime industry has not been a major attack target for cybercriminals, but over the years, they have come to realise that the maritime industry is a valuable target.
The energy industry is now focusing a lot on remote operations. A power plant might be located in a rural area, but it is operated (mostly) remotely from a nearby city. This offers many opportunities and elevated risk for cyber incidents. Some of the most talked-about recent cyber incidents have been attacks on power plants. This can cause disruption in cities and even countries.
What would you say are the biggest challenges to improving cybersecurity in both these industries?
One is that the lifespan of power plants and large vessels can be up to 30-40 years, or even more. Something that is up and running today might have been designed in the 1980s. This makes it already obsolete from a digital technological point of view, and it offers a great attack surface for cybercriminals.
The best kind of security is security by design — something that has been designed and embedded in the technology and the physical aspects of a piece of equipment or infrastructure. With these older power plants or vessels, when they were designed, there was no thought about the need to update the technology or the operational system, and it becomes very vulnerable because modern technology might involve more sophisticated technological protocols or layers. Even basic cyber security controls are missing.
With new construction, we have the opportunity to do security by design, but it doesn’t always happen. When the OT environment is being designed and coded for new power plants or vessels, the connections are not being checked for cyber security. Developers don’t run a test on their code, they don’t run a test for the interoperability with other systems. They don’t test it because the time to market is more important than the quality. It’s just the way we live today — time to market is essential.
There is also a general lack of threat intelligence – understanding the risks of what can go wrong. When we talk about energy and logistics, we are talking about critical infrastructure. Wärtsilä is one of the forerunners in terms of developing cybersecurity for critical infrastructure and we are collaborating with a lot of other players in the industry. Wärtsilä is one of the founding members of the Operational Technology Cybersecurity Alliance (OTCSA). This is a forum where manufacturers and technology suppliers work together to develop resources to mitigate cyber risk for companies that are providing this critical infrastructure.
How can the security of operational technology be improved?
One of the most important things about the security in OT is to have visibility: to understand what is in there and what we are trying to control with the operational technology. We should be able to identify the endpoints, which are the sensors that are installed in the technology. We should know where they are, how they work, why they are there, and what protocol they use. We need to have the visibility so we can have the capability to monitor what is going on and then fix it if there is a problem. The guiding principle is to know your network — know what is in there and why it is there. If we don’t have the visibility or understanding, we cannot have the incident response. We cannot fix the problem because we don’t know what we don’t know. This is where OT Asset Management has a key role to play. We have been running a dedicated program to help our stakeholders have an OT asset inventory before our products and services leave the factory.
What role can technologies like artificial intelligence and machine learning play in cybersecurity?
Artificial intelligence is an important part of having a security baseline, seeing when we have something abnormal happening, when there is a deviation we need to act on, but human knowledge and understanding is much more important today.
When we talk about good security controls, we say there are three main aspects: people, processes and technology. Prior to this spring, there was a lot of hype in the cybersecurity community about artificial intelligence. But since we have been working in this remote environment, we have learned that artificial intelligence provides only about 20% of our cyber resilience. People provide 40% and processes another 40%. People are number one because they are capable of analysing things, they are capable of fixing things, and they are capable of collaborating. Machines don’t really collaborate or make decisions to mitigate.
Processes have a very important role when it comes to incident response. When something abnormal is seen, having a process means that there are particular steps to take so everyone knows what they are supposed to do next, regardless of physical location or culture. These processes have to be aligned, frame-worked and practiced.
Artificial intelligence should be used to help make decisions, not make the decisions. And that is true for OT and IT and across industries. It is very important to realise that.
How has the increase in remote work due to Covid-19 affected cybersecurity?
Because of people working in different time zones and with different levels of connectivity, we don’t have the kind of visibility we had when everyone was working from the office.
From January to February 2020, we saw a 100% increase in cyber incidents faced by ourselves or our customers. Since then, there has been an increase in cyber incidents of between 40-60% every month; it’s been a very steady and aggressive increase. At the same time, we have the same resources we had prior to this remote working environment. So, we have to focus on the things that are important. We realised that incident response – the ability to help someone who is in trouble – is the most important. We have had a 24/7 hotline for quite some time, but it has never been this busy. It is one of the most essential things, and this all comes back to the human capabilities. Artificial intelligence couldn’t answer the phone, and help the caller calm down, and assure them that we will fix the problem together. This is the same when it comes to OT, whether maritime or energy. If a power plant is going down because of a cyberattack or if a vessel is stuck at sea because the navigation and management system has been hacked, if the incident response is focused on the human behaviour and processes, the technological part can be fixed.
What role can cybersecurity professionals play in educating colleagues about the importance of cybersecurity and keeping systems secure?
Education is the most important thing. The cybersecurity team can support and help, but we can’t be everywhere at once. Within Wärtsilä, we need to make cybersecurity a core competence. It will never be our core business and that’s fine – we’re not a cybersecurity company. But if every single person working for Wärtsilä understands the importance of cybersecurity, that will become our competitive advantage. Everyone knows how to do basic math and how to read. Understanding basic cybersecurity should be as important as those things. We should understand why we should be careful and aware in the cyber environment. This is my lifetime goal: When I retire, I hope this understanding is one thing I’ve been able to add to Wärtsilä’s corporate culture.