
MANAGING RISK

Thursday 31st May 2018

Cyber Security – Why does cyber security become more and more important for successful VTS?
Alan Jacobsen
Federal Waterways and Shipping Administration
Germany

SUMMARY

Digitalization in the maritime domain is progressing steadily, and IT is changing faster than any other area. The requirements placed on technical systems and applications keep increasing. We need big data volumes, faster data transport, a global network and more interfaces, but at the same time a higher quality of data and real-time data around the clock, seven days a week. This also means that the possible threats to software and hardware are rising together with the growing system complexity. How long will it take before VTS is hit and, above all, what would the impact be?

Cyber security describes the protection of assets worthy of protection within this space and represents strategic as well as operational solutions for achieving the objectives. In some cases there are legal requirements at national and international level. In addition to these requirements, the dangers for VTS show the necessity of implementing cyber security.

The effort to implement and continuously develop an ISMS is not as high as the actual benefit. For the implementation of cyber security, the known standards can be applied, such as ISO 27001 or derived national standards.

Perhaps anchoring basic guidelines, without questioning the sovereignty of the national standards, would be an idea: every VTS authority must ensure cyber security by an appropriate management system based on ISO 27001.
CONTENTS
1. Introduction ..................................................................................................................................... 3
2. Definition of cyber security .............................................................................................................. 3
3. Why protect VTS and VTS-information? .......................................................................................... 5
3.1. Requirements ............................................................................................................................ 5
3.2. Threats ....................................................................................................................................... 6
3.3. Responsibility ............................................................................................................................ 8
4. What are the benefits of implementing cyber security?.................................................................. 9
5. How can we protect VTS and VTS-information? ............................................................................ 10
6. Conclusions .................................................................................................................................... 11

Cyber Security – Why does cyber security become more and more important for successful VTS?
P. 2
1. INTRODUCTION
Digitalization in the maritime domain is progressing steadily, and IT is changing faster than any other area. The requirements placed on technical systems and applications keep increasing. We need big data volumes, faster data transport, a global network and more interfaces, but at the same time a higher quality of data and real-time data around the clock, seven days a week.
The state of the art is only achievable for a very short time, so staying up to date at all times will be one of the biggest tasks.
But this also means that the possible threats to software and hardware are rising together with the growing system complexity. The same knowledge is used not only to develop new applications but also to develop new malicious programs or to search specifically for security gaps.
The networking and data exchange in maritime systems constantly open new possibilities to penetrate or manipulate these systems. Apart from external attacks, the rapid development also carries the danger of malfunctions or failures, because the technology itself can cause these risks. Especially in the field of maritime traffic technology or Vessel Traffic Services (VTS), with very special applications and predominantly individual software, ensuring information security is a big challenge.
Nowadays, authorities are more and more often the target of highly specialized attacks. In every country there are examples of successful and unsuccessful attacks in the daily news, but at the same time there is a much larger number of attacks that are not publicly known or not even discovered.
The reasons for such attacks can be very complex. They range from financial motives (e.g. ransomware [1]) to script kiddies who just want to try and measure themselves, to targeted disruptions of state infrastructures or, in this case, the disruption of shipping. There are many motives, and the question of whether there will ever be a security incident is purely hypothetical. Rather, it seems to be a question of time, and therefore efforts must be made to protect the processes and information in the VTS.
In international cooperation, in the context of extensive networking and increased data exchange, it seems all the more important that each participant complies with certain security requirements in order to ensure the quality and availability of the data across the various systems and beyond their own system boundaries.
The following sections are intended to clarify what cyber security stands for and which tools are already available today to implement cyber security or information security.
Similarly, the question of why it makes sense to protect VTS is answered; the individual threats and the responsibility of the operators and authorities are shown.
Furthermore, the actual benefit of implementing cyber security is shown, and how it could have positive effects now and in the future.
Subsequently, the paper deals with the practical implementation of the aims and how this can be reached, before a conclusion is drawn with an appeal to focus more on cyber security, if we all want to help shape digitization in the maritime world and make positive use of it.

2. DEFINITION OF CYBER SECURITY


Cyber security's approach is a holistic view of the organization and its systems for protecting information in cyberspace. A fixed and consistent definition of cyber security or of the term "cyber" is not found in the literature.

[1] Ransomware: the data is encrypted in the victim's own systems, and money is then extorted for decryption.

The term has been formed in the context of the rapid development in the technology sector and expresses the current situation pretty well. Cyber is not concrete or directly tangible; it includes everything. It is an abstract construct with countless interfaces that has entered all areas of our lives. There are no identifiable boundaries in cyberspace and apparently no clear assignments anymore. It is a symbol of anonymity, of endless possibilities and also of our technological progress. It has been anchored in society for a long time, and in the future the question will be whether society is not anchored in cyberspace.
Cyber security describes the protection of assets worthy of protection within this space and represents strategic as well as operational solutions for achieving the objectives. The terms IT security and information security are already more concrete and clearly describable in this context. The scope of information security is greater than that of IT security because it is about the protection of information, whatever its form and however it is processed. IT security focuses more on securing IT without having to look at the entire organization or detail the business processes.
Thus, the procedure for information security is a suitable approach for cyber security. Cyber security emphasizes more the embedding of information in a networked world and its direct dependence on the technology, which makes it possible only in these dimensions.
The technology in the maritime domain, specifically also in VTS or other systems for informing, controlling or supporting shipping and related areas, fits exactly into this picture.
The protection of the information provided by VTS is substantiated by the following three protection objectives:
• Confidentiality
Information may only be read and processed by authorized persons.
• Integrity
Information must come from authenticated, trusted sources and must be correct.
• Availability
Information must be available at all times at the required level of availability.
As an extension of the term and as the basis for the installation and implementation of cyber security for VTS, information security is now associated with a management system. ISO 27001 "Information technology – Security techniques – Information security management systems – Requirements", which emerged in 2005 from the British standard BS 7799-2:2002 "Information security management systems – Specification with guidance for use", describes in this context the requirements for an information security management system that precisely targets the protection of information in our organizations with our technology.
The basis of this management system is the PDCA cycle (Image 1), which is also part of other management systems such as ISO 9001, ISO 14001 etc.

Image 1 – PDCA Cycle

The process itself also makes it clear that this is a continuous improvement process, so that cyber security is also a constant task for management. Responsibility for the management system and for cyber security lies with the management.
In addition to ISO 27001, there are also national standards that deal with information security. Furthermore, the topic is part of other standards such as ISO 20000 "Information technology – Service management – Part 1: Service management system requirements", ITIL or ISO 22301 "Societal security – Business continuity management systems – Requirements".

3. WHY PROTECT VTS AND VTS-INFORMATION?


The reasons why VTS and its information need to be protected are explained below in three categories. In some cases there are legal requirements at national and international level as well as guidelines from the governments of the individual countries. In addition to these requirements, the dangers for VTS show the necessity of implementing cyber security. The examples of attacks complete the line of reasoning, together with the normal responsibility of the operator of such systems towards the various stakeholders.

3.1. REQUIREMENTS
Governmental requirements, based on the example of Germany:
Already in 2005, a strategy to secure information infrastructures was presented in Germany by the Federal Government, at that time still with a focus on IT security. This strategy was replaced in 2016 by the "Cyber Security Strategy", which addresses the changing situation in the context of ever-increasing digitization. The economy and the government have the obligation to implement appropriate measures to ensure cyber security.
From this umbrella strategy, a guideline was drawn up for the federal administration which, as a binding requirement, is to protect the information infrastructures within the federal administration. Therefore, every administration must implement an information security management system (ISMS) and prove the implementation of appropriate security measures.
Legal requirements:
With the IT Security Act of 2015, all operators of critical infrastructures in Germany have a legal obligation to implement appropriate measures to secure their IT-supported business processes. As a supplement to the law, rules for the identification of critical infrastructures were defined in a regulation in the summer of 2017, which explicitly designates the nautical traffic centres on the coasts of the waterways and shipping administration as critical infrastructures. This depends on the freight traffic on the waterways, so that a large part is classified as critical infrastructure. There is also a legal requirement to implement measures, the supervision of which is assigned to another authority, the German Federal Office for Information Security (BSI).
Furthermore, there are legal requirements in the form of the Telecommunications Act, the Telemedia Act and the Federal Data Protection Act.
From May 2018, the EU-wide General Data Protection Regulation (GDPR) also enters into force and applies directly in the member states of the EU. The overlaps between data protection and data security lie precisely in the so-called technical and organizational measures that are also found in information security.
Similarly, at EU level there is the 2016 NIS Directive, which requires all digital service providers within the EU to take appropriate technical and organizational measures to address risks to network and information systems. Each member state has to transpose this directive into national law by May 2018.
Developments at the IMO make it clear that cyber security has already become firmly established in the maritime domain, as resolution MSC.428(98) requires the implementation of cyber risk management on board in order to react adequately to the risks. Implementation of measures must be completed by January 2021, and in this context the IMO has also issued a guideline (MSC-FAL.1/Circ.3) on how to implement this on board. Other guidelines exist from, e.g., BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
If shipping makes such enormous efforts to secure its systems on board, it is only logical and necessary to consider the ship-to-shore network as part of cyber security. All systems involved in the data exchange must have the same level of security, both on board and onshore, to minimize risks. Against the backdrop of progress towards autonomous vessels, the question arises where the enormous amounts of data required for this purpose should come from. Can VTS deliver this, and does it make sense? Against this background, it would only be a matter of time before international regulations would have to be adopted for onshore systems in the same way as for vessels.

3.2. THREATS
The threats to VTS are very extensive and varied. Image 2 shows only a few examples that are relevant at the organizational, technical, infrastructure and application levels. The interfaces between the VTS and external systems, as well as external service providers, represent a particular danger. There may be targeted attacks against VTS in which information is manipulated, so that VTS users give instructions to shipping based on false information or the system itself transmits manipulated shipping information. The effects can be enormous: huge financial damage, loss of image, environmental disasters and danger to life and limb.

Image 2 – Examples of threats for VTS

The integrity of data is of particular importance here, since in a compromised system the overall system can no longer be trusted and actions can take place on the basis of manipulated information. It could be that this compromise initially remains undetected, so that no targeted and timely countermeasures can be taken. Therefore, having no information is preferable to having faulty or manipulated information. Impairment of availability is usually immediately detectable and could be compensated by other emergency processes.
A vulnerability of confidentiality could exist in the form of personal data in the current VTS information, but not on the basis of confidential data that could be leaked for espionage purposes.
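The integrity objective from section 2 (information must come from authenticated, trusted sources and must be correct) and the point that a manipulation can go undetected can be illustrated with a message authentication check on a data feed between two VTS systems. The following Python example is added here and is not part of the paper or of any VTS product; the record fields, the shared key and the sample feed are constructed for the illustration. The trusted source attaches an HMAC-SHA256 tag to each record; the receiving system recomputes the tag with the shared key and discards any record whose tag does not verify, so that a manipulated position never reaches the traffic display.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example. In a real deployment the key comes
# from a key management system and is never hard-coded.
SHARED_KEY = b"example-vts-shared-key"


def _canonical(record: dict) -> bytes:
    """Canonical JSON so that sender and receiver hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Trusted source: attach an HMAC-SHA256 tag to a traffic data record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(signed: dict, key: bytes = SHARED_KEY):
    """Receiver: return the record if its tag verifies, otherwise None.

    A record whose tag does not verify is discarded rather than passed on:
    no information is preferable to manipulated information.
    """
    record = signed.get("record")
    tag = signed.get("tag", "")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return record


def process_feed(signed_records, key: bytes = SHARED_KEY):
    """Split a feed into accepted records and the indices of rejected ones.

    The rejected indices are what an operator would want logged: a series of
    rejections is an early indication that something in the chain is wrong.
    """
    accepted, rejected = [], []
    for i, item in enumerate(signed_records):
        rec = verify_record(item, key)
        if rec is None:
            rejected.append(i)
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample feed: one genuine record and one altered in transit.
# MMSI and coordinates are made up for the example.
GENUINE = sign_record({"mmsi": "211000001", "lat": 53.5403, "lon": 9.9670, "sog": 8.4})
TAMPERED = dict(GENUINE)
TAMPERED["record"] = dict(GENUINE["record"], lat=53.6000)  # position changed, tag left as-is

if __name__ == "__main__":
    ok, bad = process_feed([GENUINE, TAMPERED])
    print("accepted:", ok)
    print("rejected indices:", bad)
```

In practice each record would also carry a timestamp or sequence number so that a replayed old record is rejected as well; the example leaves that out to keep the check itself visible. Every rejection should be raised as a security event, because a run of rejections is exactly the timely indication of a compromise that the paragraph above says is otherwise missing.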
Because VTS and the associated sensors are not conventional IT or finished standard software, they are exposed to particular threats; e.g. the application areas of the sensors are exposed to the effects of nature (seawater, extreme wind, exposed locations such as lighthouses in fairways). The software also poses potential threats in the form of missing patches and updates for custom software or a lack of compatibility between application software and hardware or middleware.
The number of possible threats is increasing throughout the IT area, as illustrated by Image 3, in which the number of malicious programs is presented as a function of the year. The trend continues to rise.

Image 3 – Threats in the maritime and federal domain

Examples in the maritime domain are:
• MAERSK
A virus was introduced via an unpatched system and encrypted MAERSK's data, so that shipping was no longer possible for MAERSK because customer data, cargo data, destination data, routes etc. were not available. There was a financial loss of more than 200 million euros.
• GPS jammer
In ports (such as the Port of Hamburg) there were incidents in which the GPS signals of the AIS equipment on board were disturbed by so-called GPS jammers, which are very small and can be purchased very cheaply on the internet. As a result, there were no current ship positions from the GPS devices. Unlike jamming, GPS spoofing attempts to generate wrong positions. These incidents had no impact, but collisions between military ships and freighters have also led to speculation about spoofing attacks.
How long will it take before VTS is hit and, above all, what would the impact be? The state itself is already regularly the focus of attacks and remains a worthwhile target. There are many examples in almost every country.
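For the jamming and spoofing incidents described above, a VTS can at least detect implausible position reports on the shore side. The following Python example is added here and is not from the paper; the sample track, the 40-knot speed limit and the 180-second gap threshold are constructed values. It flags a report with no position fix (as with a jammed receiver), an unusually long gap between fixes, and a jump between consecutive positions that would require an impossible speed over ground (as with a spoofed position).

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_track(reports, max_speed_kn=40.0, max_gap_s=180):
    """Return a list of (time, finding) for implausible consecutive reports.

    reports: list of (datetime, lat, lon); lat/lon are None when the report
    carries no valid position fix, as happens when the GPS receiver is jammed.
    """
    findings = []
    prev = None  # last report that had a valid fix
    for t, lat, lon in reports:
        if lat is None or lon is None:
            findings.append((t, "no position fix"))
            continue
        if prev is not None:
            pt, plat, plon = prev
            dt = (t - pt).total_seconds()
            if dt > max_gap_s:
                findings.append((t, f"gap of {int(dt)} s since last fix"))
            elif dt > 0:
                dist = haversine_m(plat, plon, lat, lon)
                speed_kn = dist / dt * 3600 / 1852.0  # m/s -> knots
                if speed_kn > max_speed_kn:
                    findings.append(
                        (t, f"implied speed {speed_kn:.0f} kn exceeds {max_speed_kn:.0f} kn")
                    )
        prev = (t, lat, lon)
    return findings


# Constructed sample track of one vessel; times and positions are made up.
T0 = datetime(2018, 5, 31, 8, 0, 0)
SAMPLE_TRACK = [
    (T0, 53.5400, 9.9600),                          # vessel moving at about 10 kn
    (T0 + timedelta(seconds=10), 53.5400, 9.9608),
    (T0 + timedelta(seconds=20), None, None),       # no fix: receiver jammed
    (T0 + timedelta(seconds=30), 53.5400, 9.9624),  # fix returns, still plausible
    (T0 + timedelta(seconds=40), 53.5600, 9.9624),  # ~2.2 km in 10 s: spoofed?
    (T0 + timedelta(seconds=400), 53.5600, 9.9700), # 360 s without any report
]

if __name__ == "__main__":
    for t, finding in check_track(SAMPLE_TRACK):
        print(t.isoformat(), finding)
```

Such findings do not prove an attack: a receiver can also lose its fix in a radar shadow and a vessel can restart its transponder. They are indications for the operator to fall back on radar or other sensors rather than trust the reported position, in line with the integrity objective.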

3.3. RESPONSIBILITY
The tasks of the authorities that operate VTS, such as ensuring the ease and safety of shipping and ensuring the protection of ports and the environment, can only be honestly and seriously fulfilled if the system itself is secure.
Incidents may affect not only the organization itself and shipping, but also the population. Shipping is an essential part of the international trade in goods, with its associated logistics. If waterways are blocked by collisions, in extreme cases even supply bottlenecks could result. Environmental pollution caused by a collision could also have a direct and significant negative impact on flora and fauna, and thus on the population.
Furthermore, the VTS operators have a responsibility to their users to operate a system with which their own staff in the nautical traffic centres can work in a legally safe manner. They must be able to trust the information provided by the VTS.
With regard to external users receiving information from VTS, such as ports, pilots, government authorities, logistics companies, etc., it is equally the responsibility of operators to provide and exchange reliable data.

4. WHAT ARE THE BENEFITS OF IMPLEMENTING CYBER SECURITY?


In the previous chapter, the general and legal requirements were explained, why an ISMS has to be implemented and which threats exist in general for VTS. However, these should not be the only reasons for implementation; rather, each VTS authority should recognize the benefits and advantages of implementing a cyber security management system.
The effort to implement and continuously develop an ISMS is not as high as the actual benefit, which will be illustrated by the following examples.
In the context of the previous chapter 3.3, an operator as well as an entire organization must take responsibility for VTS, and everything possible must be done to prevent harm. Here, the legal question of liability comes to the fore, and the focus is on the management. In Germany, the legal view is that in a security incident without the proper implementation of security measures in connection with an ISMS, the management acts with gross negligence. Accordingly, it should be in the interest of each VTS authority to escape this possible form of gross negligence.
An ISMS and the associated processes and measures create more transparency in the organization because the analysis includes the business processes. Likewise, unregulated operations would be uncovered and transformed into orderly and documented processes, as long as the processes are important to cyber security (e.g. human resource management, authorization management, change management).
Another consequence is a correspondingly high level of security awareness in the organization and among the users of VTS and its information, which also underlines the important position of VTS and its stakeholders, as it is absolutely worthy of protection. Such sensitization alone could avoid human error.
Overall, a VTS authority protects itself against potential threats and the risk of vulnerability due to system errors, targeted manipulation and failures. This directly contributes to savings in costs and human resources, as the overall system is more hardened against negative influences. This is enormously important in the context of 24/7 systems, because an ISMS contributes a significant part to availability.
In the context of progressive technological development, an ISMS reacts to these changes because the management system itself has a continuous improvement process as its basis. Thus, adaptations to the respective state of the art and to new developments would fit more harmoniously and with less effort into the overall architecture. It therefore provides assistance in improving and further developing the VTS, so that the VTS authorities are up to date and able to keep up in the market.
Finally, an ISMS is also a measure of quality, which can be demonstrated by a measurable level of security. The quality of the data will become even more important in the future with regard to maritime digitization. The data exchange and the amount of data will increase, so that the question must also be asked whether the VTS authorities, as potential data traders, are in a position to fulfill this task at all. High-quality and available data are an elementary component without which digitization cannot be implemented. Because the requirements for this data are already there and will increase in future, industry or other organizations could provide this data with high quality and availability, which would raise the question of what role the VTS authorities actually still play or want to play, or whether they can.
From an economic point of view, an ISMS brings a competitive advantage to a company for a while, since customers also want to be safe with external service providers and in some cases have their information collected, processed and stored in a secure manner. As in other areas (such as quality management), some customers even require cyber security certification, which can be based on ISO 27001 or nationally compliant standards.
Nowadays, no company or organization can afford to be unaware of risks and fail to respond to them, so an ISMS plays a large part in the overall risk management process.

5. HOW CAN WE PROTECT VTS AND VTS-INFORMATION?


To protect the information, a generalist approach must be chosen that analyses and considers the technology, infrastructure and organization. As has been shown, the threats are so complex that simply securing the technology is no longer sufficient in today's world.
For the implementation of cyber security, the known standards can be applied, such as ISO 27001 or derived national standards. In Germany, we have our own authority, the BSI, which issues national standards that are compliant with ISO 27001.
The management approach has to be followed during implementation and realization, which means that the responsibility of the management has to be ensured at the beginning. Only then can a corresponding security organization be set up with a security officer who, as a management representative, carries the requirements for the implementation of appropriate security measures into the organization. The security measures should be chosen from best-practice approaches, as the recommendations of the standards demand.
Before carrying out analyses or measures, the entire organization must be sensitized in order to gain the greatest possible acceptance and to win over both its own employees and external users as supporters.
As part of the PDCA process, the effectiveness of the ISMS and of the specific security measures must be regularly monitored.
To develop a security concept with concrete security measures for VTS, it is possible to proceed schematically in the following steps, which were derived from ISO 27001 and the national BSI standards:
1. Determine scope
Decide what must be considered: a single nautical traffic centre, the entire system or the entire organization. The scope must be clearly described.
2. Structure analysis
The technology, applications, infrastructure and organization must first be identified, so that there is a picture of everything in the scope.
3. Identify protection requirements
Based on the actual business processes of VTS, the criticality must be assessed. How critical is it when, for example, the radar video or the traffic display application fails, the information is incorrect, or the information becomes public knowledge? Only by knowing the criticality can appropriate and realistic security measures be established.
4. Set up appropriate security measures
For all identified objects in the scope, appropriate security measures have to be established by own risk analyses or other best-practice approaches (e.g. requirements in standards).
5. Security check
A target/actual comparison of the identified measures versus reality must be made.
6. Realization
All open measures go into a realization plan and must be planned and realized.
Because the technology for VTS in some places differs from normal IT and the operating environment is special, many well-known and generally accepted measures have to be adapted to these specifics. In order to arrive at a simplified procedure here, risk analyses that have been carried out can be combined into reproducible modules that contain the requirements for one component of VTS. An example is buoys with information signalling (light signal) and networking (e.g. GSM), or radio components. Thus there is the opportunity to set up standardized and reusable security modules specifically for components of VTS, which include appropriate measures.
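The six steps above, together with the idea of reusable security modules per VTS component, can be modelled as a small target/actual comparison. The following Python example is added here and is not from the paper or from any BSI tool; the component types, the measure names, the three-level protection scale and the scope of three assets are constructed. Step 4 is represented by modules that list, per component type, which measure is required from which protection level onwards, so that the measures derived for an asset follow directly from its criticality (step 3); step 5 compares these target measures with what is actually implemented, and step 6 orders the open measures into a realization plan, most critical assets first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed protection scale for step 3 (national standards use similar levels).
LEVELS = {"normal": 1, "high": 2, "very high": 3}


@dataclass
class Asset:
    """One object in the scope (steps 1 and 2)."""
    name: str
    component: str                 # component type; selects the security module
    protection: Dict[str, str]     # step 3: required level per protection objective
    implemented: List[str] = field(default_factory=list)  # measures actually in place


# Step 4: constructed, reusable security modules per VTS component type.
# Each entry: (measure, protection objective it serves, level from which it is required).
MODULES: Dict[str, List[Tuple[str, str, str]]] = {
    "buoy": [
        ("physical tamper protection", "integrity", "normal"),
        ("authenticated GSM link", "integrity", "normal"),
        ("controlled firmware update process", "integrity", "high"),
        ("battery and link monitoring", "availability", "high"),
    ],
    "radar": [
        ("segregated sensor network", "integrity", "normal"),
        ("patch and update process", "integrity", "normal"),
        ("redundant data path to centre", "availability", "high"),
        ("redundant sensor coverage", "availability", "very high"),
    ],
    "traffic display": [
        ("role-based access control", "confidentiality", "normal"),
        ("change management for custom software", "integrity", "high"),
        ("24/7 operating and failover concept", "availability", "very high"),
    ],
}


def required_measures(asset: Asset) -> List[str]:
    """Target measures for an asset: its module filtered by its criticality."""
    module = MODULES.get(asset.component)
    if module is None:
        # An object without a module is a gap in step 4, not something to skip silently.
        raise ValueError(f"no security module defined for component type {asset.component!r}")
    return [
        measure
        for measure, objective, min_level in module
        if LEVELS[asset.protection.get(objective, "normal")] >= LEVELS[min_level]
    ]


def security_check(assets: List[Asset]) -> Dict[str, List[str]]:
    """Step 5: target/actual comparison; open (not yet implemented) measures per asset."""
    return {a.name: [m for m in required_measures(a) if m not in a.implemented] for a in assets}


def realization_plan(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Step 6: open measures as (asset, measure), most critical assets first."""
    def criticality(a: Asset) -> int:
        return max(LEVELS[level] for level in a.protection.values())

    open_measures = security_check(assets)
    plan = []
    for a in sorted(assets, key=lambda a: (-criticality(a), a.name)):
        plan.extend((a.name, m) for m in open_measures[a.name])
    return plan


# Constructed scope (steps 1 and 2); asset names and states are made up.
SCOPE = [
    Asset("Buoy E-12", "buoy",
          {"confidentiality": "normal", "integrity": "high", "availability": "normal"},
          implemented=["physical tamper protection"]),
    Asset("Radar Cuxhaven", "radar",
          {"confidentiality": "normal", "integrity": "very high", "availability": "very high"},
          implemented=["segregated sensor network", "patch and update process",
                       "redundant data path to centre"]),
    Asset("Traffic display Hamburg", "traffic display",
          {"confidentiality": "high", "integrity": "very high", "availability": "very high"},
          implemented=["role-based access control", "change management for custom software",
                       "24/7 operating and failover concept"]),
]

if __name__ == "__main__":
    for name, open_ms in security_check(SCOPE).items():
        print(f"{name}: {len(open_ms)} open measure(s) {open_ms}")
    for name, measure in realization_plan(SCOPE):
        print(f"plan: {name} -> {measure}")
```

The module table is the reusable part: a new buoy or radar added to the scope only needs its protection requirements assessed, and the target measures, the gaps and the plan follow from the table without repeating the risk analysis for that component type.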
The question of whether there are already sufficient regulations and standards for cyber security for VTS, or generally in the maritime domain, would also have to be answered in future. Would it be a task for IALA to set minimum security requirements?
So far it can be said that ISO 27001 is a universal international standard for information security. In addition, there are also national standards that often take priority, especially for administrations. Here, care should be taken that these standards are compatible with ISO 27001. Shipping moves beyond national borders, and so does the related data exchange. Thus, all members of the data exchange should have and follow consistent cyber security standards.
Perhaps anchoring basic guidelines, without questioning the sovereignty of the national standards, would be an idea: every VTS authority must ensure cyber security by an appropriate management system based on ISO 27001. Conceivable then would be a forum for the exchange of security modules and security measures that have proven themselves, and furthermore the exchange of security incidents, so that the same incident does not happen to another VTS authority.

6. CONCLUSIONS
It remains to be noted that the threats to VTS and VTS data have been around for some time, are still there and will continue to be there. There are particular cyber security risks, both private and commercial, and states with their authorities are always a worthwhile target for attacks. The examples from the maritime domain illustrate this.
The impact of security incidents, whether due to system failure or targeted attacks, can be catastrophic in the VTS area. The picture of VTS as a possible data trader, in connection with progressive digitization in the maritime domain or with autonomous vessels, shows the absolute necessity of cyber security measures. Also, out of self-interest, an implementation brings many benefits that enable a VTS authority not to become detached from other organizations and to consolidate and reinforce its position in the maritime domain.
Standards already exist with ISO 27001 or national regulations, but it would be a consideration for the future to anchor the fundamental obligation to implement appropriate cyber security management at IALA.
How good is the operation of VTS or the use of VTS data if the information cannot be trusted or the system cannot be relied on in terms of availability?
