IT vs OT: We spoke to the UK’s former maritime counter-terrorism commander and military government adviser to COBR about why so many cybersecurity solutions are ineffective

Cybersecurity is obviously a hot topic right now. But Nigel Somerville MBE MC, Managing Director of Cyber Prism Maritime, believes that there is a fundamental problem with the way most products tackle it. We interviewed Somerville alongside Keith Chappell, Technical Director of Cyber Prism and former Technical Business Director of L-3 TRL, to find out more. Cyber Prism Maritime offers an innovative solution to a critical cyber security vulnerability on yachts and ships.

Explain to us what IT is, what OT is, and the difference between them?

KC: Operational Technology (OT) refers to control systems which manage operations, as opposed to Information Technology (IT) systems which manage data and administrative tasks. Operational systems include Navigation, Helm, Engines, Stability, HVAC, Power, Communications, AVI, and Cameras. Typically, IT systems have opposing priorities to those of OT. IT systems need to be Confidential, of High Integrity and Available (CIA), in that order.

For example, it is more important that your bank details are protected than that the transaction data be correct and that the transaction can be made. The loss of your bank details (Confidentiality) could lead to multiple fraudulent transactions of unknown value, an Integrity issue could lead to a single erroneous transaction, and lack of Availability of the system could only lead to the safe but inconvenient situation of no transaction.

OT systems are the reverse. They must always be Available; they are usually configured to mitigate the risks of Integrity failures, and Confidentiality is rarely an issue in these systems (AIC). As an example, the Availability of the system to steer the vessel is vital, the Integrity of the control input can be checked (too fast, too severe, etc.), and the fact that a steering input has been made need not be Confidential.

NS: IT systems evolve rapidly and are relatively cheap, allowing them to be replaced or regularly upgraded to keep pace with new technologies, but also to allow shortcomings, especially those related to cyber security, to be managed.

OT systems until recently were never designed to be connected to IT systems and, being considerably more expensive, evolve at a much slower pace. Unfortunately, this means that they remain vulnerable to cyber security issues for much longer, if indeed these issues are ever addressed.

IT and OT must be dealt with separately

Understood. Other than rate of development, why do they need to be handled separately for cyber security purposes?

NS: IT systems and networks are widespread and founded on a handful of operating systems that the authors continually evolve and endeavour to make secure. The IT systems can, therefore, be easily layered with commercial security products to further enhance their security posture (Anti-virus, Anti-malware, Intrusion Detection Systems etc.).

Unfortunately, this is not the case for OT; many of the devices used in the OT domain use bespoke operating systems which cannot support the installation of third-party software to provide additional protection. Some conventional IT hardware is found in OT systems (SCADA for example, as can be seen on the vessel bridge).

However, users must bear in mind that the hardware is not providing the control, it is simply providing human access to the systems below decks that are controlling the vessel.

KC: The use of IT technologies in the OT domain requires the same maintenance and care as conventional IT systems – they should be patched and regularly updated, as they provide a route to the more critical and less well protected OT components.

Why do you think companies try and push them together? What problems does this cause?

KC: IT and OT systems use the same underlying networking technologies and often the same networking hardware. As OT systems have become more connectable/connected to networks, it has often become the responsibility of the IT team to manage these OT devices without understanding their very different nature.

IT and OT systems can look very similar and occasionally use the same hardware. However, failure to recognise the different characteristics of each and the implications of their interconnection when badly managed can lead to disastrous consequences. These include unexpected operation, denial of service and data loss (personal, business, IPR).

On a superyacht this could mean random or failed operation of any of the vessel's IT or, more importantly, OT systems. Imagine non-functional propulsion systems, erroneous ECDIS navigation data, exfiltration of sensitive data – it's all possible.

A view of YACHTGUARD's interface

Cyber Prism Maritime is the company behind the new integrated network cyber security platform YACHTGUARD. What exactly does your platform do that others can’t?

NS: It is one of the only devices to address the cyber security needs of both IT and OT.  The device is configured by engineers who fully understand how to ensure that the IT and OT systems interact safely. In its simplest form, the platform provides four functions.

KC: Firstly, it behaves as an extremely effective firewall not only between the Outside (WAN or Internet) network and the Inside (LAN) but also between each and every network connected to it, preventing malware from spreading between vessel networks and systems.

Conventional firewalls typically only have a single internal port, as this is all that is needed for conventional perimeter applications such as an office or home. YACHTGUARD™ has multiple internal ports to allow IT and OT systems and networks to be physically firewalled from one another whilst still allowing them to inter-communicate safely.

Secondly, YACHTGUARD™ provides a platform onto which additional security features can be layered. These include Gateway Antivirus, Intrusion Detection Systems (IDS), GeoIP blocking, Web filtering by type (social media, etc.) or appropriateness (parental controls, etc.), web proxying, 3G/4G fallback, least cost routing, high availability switching and traffic shaping.

Thirdly, YACHTGUARD™ generates alarms and warnings that can be filtered by type and importance and presented either onboard, offboard or both. They can be viewed using the in-built management/diagnostic screens using a standard web browser, on a dedicated device, or remotely by secure VPN.

Lastly, the platform can be used as a hub to monitor any system or device connected to it. This secure monitoring can be reported on-board or remotely via VPN. Its centralised time server allows other vessel systems to coordinate logs with accurate timestamps. This allows users to diagnose any issues using chronologically organised log data, be that issue a device failure, human error, a targeted attempt to subvert onboard systems or the impact of a more general problem.

NS: YACHTGUARD™ is also completely scalable from the smallest yachts to the largest ships. It can be deployed with a very limited portfolio of additional functions or as a full IT/OT hub providing support and coordination of other vessel systems.
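The segmentation described above (every vessel network on its own firewall port, default-deny between networks, explicit allow-rules for the few flows that must cross) is the same zone-and-conduit model the IEC 62443 reference later in the interview calls for. The following is an added illustration, not code from the article or from Cyber Prism; the zone names, address ranges and allow-rules are constructed sample values for a hypothetical yacht, and the policy evaluator is a simplified stand-in for a real firewall's rule engine. It also includes an audit check that flags any rule creating a direct path between the WAN and an OT segment.

```python
"""Toy inter-network segmentation policy for an IT/OT multi-port firewall (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical vessel networks, one per physical firewall port (constructed sample values).
ZONES = {
    "wan":   ip_network("203.0.113.0/24"),  # satellite/shore uplink, untrusted
    "crew":  ip_network("10.10.0.0/24"),    # crew and guest Wi-Fi (IT)
    "admin": ip_network("10.20.0.0/24"),    # ship's office, chart-update station, log hub (IT)
    "nav":   ip_network("10.30.0.0/24"),    # ECDIS, GPS, AIS (OT)
    "eng":   ip_network("10.40.0.0/24"),    # engine / helm controllers (OT)
}
OT_ZONES = {"nav", "eng"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None means any destination port


# Explicit allow-list; anything not listed is dropped. Rules are one-directional,
# a stateful firewall admits the reply packets of an allowed flow implicitly.
ALLOW = [
    Rule("crew",  "wan",   "tcp", 443),    # crew web browsing
    Rule("admin", "wan",   "tcp", 443),
    Rule("admin", "nav",   "tcp", 22),     # update station pushes chart updates to ECDIS
    Rule("nav",   "eng",   "udp", 10110),  # NMEA sensor data from navigation to helm
    Rule("nav",   "admin", "udp", 514),    # syslog from OT devices to the central log hub
    Rule("eng",   "admin", "udp", 514),
    Rule("nav",   "admin", "udp", 123),    # NTP to the central time server
    Rule("eng",   "admin", "udp", 123),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the firewall port (zone) it lives behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow, rules=ALLOW):
    """Return ('allow'|'drop', reason) for a new flow crossing the firewall."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "drop", "address not in any known zone"
    if src_zone == dst_zone:
        # Same segment: switched locally on that port, never filtered here.
        return "allow", f"intra-zone {src_zone}"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, flow.proto) \
                and r.dport in (None, flow.dport):
            return "allow", f"matched {r}"
    return "drop", f"no rule for {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def audit(rules):
    """Return rules that join the WAN directly to an OT zone in either direction.

    Such a rule would bypass the IT tier that is meant to sit between the
    outside world and control systems, so it should never appear in the set.
    """
    return [r for r in rules
            if {r.src_zone, r.dst_zone} & OT_ZONES and "wan" in (r.src_zone, r.dst_zone)]


if __name__ == "__main__":
    for f in (Flow("10.10.0.5", "10.40.0.10", "tcp", 502),    # crew laptop -> engine controller
              Flow("10.20.0.2", "10.30.0.7", "tcp", 22),      # update station -> ECDIS
              Flow("203.0.113.9", "10.30.0.7", "tcp", 22)):   # internet host -> ECDIS
        print(f, *evaluate(f))
    print("audit violations:", audit(ALLOW))
```

Note the two different things the evaluator shows: a crew-network host reaching for a controller port is dropped because no conduit exists, while the same ECDIS update that is allowed from the admin station is dropped when it arrives from the WAN, and the audit catches a misconfiguration that would open such a path before it is deployed.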

The installation of YACHTGUARD™ on a vessel may allow some insurance cover to be provided.

Clause 380 specifically excludes insurance policies from covering loss caused by cyber-attack on a vessel. Will your platform do anything to change this?

NS: Underwriters have indicated that the installation of YACHTGUARD™ on a vessel may allow some cover to be provided. This is because the risk of providing cyber insurance is mitigated by YACHTGUARD™ enforcing separation between IT and OT systems, and between individual OT systems, as required by IEC 62443 (ISA99) Industrial Automation and Control Systems Security.

It also has an additional benefit for insurers as it provides accurately time-stamped, forensic logging of unusual traffic on networks, making it possible to identify whether an incident was or was not cyber-related.
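The forensic value mentioned here, and the central time server mentioned earlier, come from the same property: once every device's records are referenced to one clock, the log hub can order them into a single timeline and ask whether an incident looks cyber-related. The code below is an added example, not the article's or Cyber Prism's own software; the log lines, device names and clock offsets are constructed. It normalises records from three hypothetical devices (one of whose clock runs 42 seconds fast) onto a UTC timeline and raises one alarm when a single host accumulates several denied cross-segment connection attempts within a minute, the kind of "unusual traffic" an insurer would want distinguished from a plain device failure.

```python
"""Merging vessel device logs onto one time-referenced timeline and flagging unusual
inter-network traffic (added example with constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Per-device clock error relative to the central time server, as a real hub would learn
# from NTP. Here the engine controller is assumed to run 42 s fast (constructed value).
CLOCK_OFFSET = {"fw": timedelta(0), "ecdis": timedelta(0), "engctl": timedelta(seconds=42)}

# Constructed syslog-style records in the order the hub received them.
RAW_LOGS = [
    "fw 2019-09-20T10:15:01Z DENY src=10.10.0.5 dst=10.40.0.10 proto=tcp dport=502",
    "engctl 2019-09-20T10:15:45Z INFO helm setpoint unchanged",
    "fw 2019-09-20T10:15:03Z DENY src=10.10.0.5 dst=10.40.0.10 proto=tcp dport=502",
    "fw 2019-09-20T10:15:04Z DENY src=10.10.0.5 dst=10.40.0.11 proto=tcp dport=502",
    "ecdis 2019-09-20T10:15:02Z INFO chart update applied",
    "fw 2019-09-20T10:15:06Z DENY src=10.10.0.5 dst=10.30.0.7 proto=tcp dport=22",
    "fw 2019-09-20T10:17:30Z ALLOW src=10.20.0.2 dst=10.30.0.7 proto=tcp dport=22",
]


def parse(line: str) -> dict:
    """Split '<device> <timestamp> <level> <message>' and correct the device's clock."""
    device, ts, level, msg = line.split(" ", 3)
    local = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    corrected = local - CLOCK_OFFSET[device]  # a fast clock over-reports, so subtract
    fields = dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)
    return {"device": device, "time": corrected, "level": level, "msg": msg, **fields}


def timeline(lines=RAW_LOGS):
    """All records from all devices, ordered by corrected time."""
    return sorted((parse(l) for l in lines), key=lambda r: r["time"])


def denied_burst(records, window=timedelta(seconds=60), threshold=3):
    """Alarm when one source address has >= threshold firewall DENY events within `window`.

    A host repeatedly refused entry to other segments is worth a look; a single
    deny is usually just a misconfigured client.
    Returns a list of (src, first_time, count) tuples.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["device"] == "fw" and r["level"] == "DENY":
            by_src[r["src"]].append(r["time"])
    alarms = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alarms.append((src, times[i], j - i))
                break  # one alarm per source is enough for the operator
    return alarms


if __name__ == "__main__":
    tl = timeline()
    for r in tl:
        print(r["time"].isoformat(), r["device"], r["level"], r["msg"])
    print("alarms:", denied_burst(tl))
```

Without the offset correction the engine controller's "helm setpoint unchanged" entry would sort after the firewall denials rather than in the middle of them, which is exactly the kind of misleading chronology a shared time source prevents. The burst detector deliberately only looks at firewall records, so the engine and ECDIS entries supply context without being treated as suspicious.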

Sounds good. We look forward to seeing it put to the test.

The Cyber Prism Maritime team will be at the Monaco Yacht Show with a mobile version of YACHTGUARD to give a demonstration of its capabilities.

For more information, contact:

Article by Nigel Somerville MBE MC (pictured) and Keith Chappell

Nigel Somerville, MBE MC