
Interview: ABS Group's Michael Devolld on Managing Cybersecurity

File image courtesy ABS

Published Jun 26, 2025 2:36 PM by The Maritime Executive

 

Just a decade ago, a ship simply dropped out of digital contact when it went over the horizon, and hackers had little if any access to its systems. With the advent of ubiquitous satellite broadband, that is changing quickly, and owners are getting used to a new reality: cyber criminals have discovered shipping. To learn more about the current threat picture and the steps that companies can take to protect their assets, TME spoke with Michael Devolld, Director of Cybersecurity at ABS Consulting.

Michael, could you start by telling us a little bit about yourself and your history with ABS?

I've been with ABS Consulting for about a year now. Before that, I was with Royal Caribbean Group for about three years, helping to stand up their maritime cybersecurity program for their fleet. Prior to that, I had a 21-year career with the Coast Guard, ending with two years as Chief of Maritime Cyber Readiness at USCG Cyber Command.

Can you tell us more about your experience with Royal Caribbean?

It was an amazing experience. Royal Caribbean ships are essentially floating cities. If you think about critical infrastructure, they have all segments of national maritime critical infrastructure on board one ship. They're supporting up to 10,000 people in some instances with food, water, medical care, entertainment, connectivity—you name it. It's a great platform to really test out cybersecurity defenses. I still stay close with them and continue to support some of their efforts.

What does it take to organize and maintain a robust cybersecurity program for such a complex environment?

It starts at the leadership level. There has to be buy-in from executive leadership that this is something they want to invest in. There are many good standards out there—NIST, ISO 27001, IMO guidelines, IEC 62443. I like to say that cybersecurity is a unique endeavor for every organization, so they have to do their homework based on their operations and the critical functions they're providing. Oil and gas will be different from cruise, which is different from freight or ports.

It really starts with the organization picking a standard and creating a common language throughout the organization. Some of these organizations are huge, so how do you discuss cybersecurity beyond the walls of the IT organization? Marine Operations, engineering, training, supply chain, finance, procurement, and legal offices all have to speak the same lexicon. You pick the standard you're going to follow, then spread that throughout the organization through training, awareness, policies and procedures, and then all the technical implementations.

It sounds like a lot of it is getting people to realize how important this is and take it seriously in their day-to-day practices. Is that a fair assessment?

Yes, 100 percent. You have to get on the vessels and facilities. In many immature organizations, cybersecurity is paired with IT operations as a back-office function, trying to manage things from far away—and it just doesn't work. You have to get out there and talk to those operating the equipment and getting their hands on it. We provide them training and understanding of the mission we're trying to accomplish, then get their participation and buy-in.

Could you give me a general overview of the threat picture you see today?

Five to ten years ago, if you were on a vessel at sea, you had very limited connectivity and were relatively isolated. That has changed dramatically.

The drive toward predictive maintenance and decarbonization means shipowners are connecting everything. They want to see metrics, equipment status, route optimization. With the advent of Starlink and similar technologies, you have always-on connections to vessels with all these systems transmitting data to shore, vendors, or whoever needs access. This rapidly expands the attack surface.

There's also standardization. When you look at suppliers of navigation systems, propulsion, steering—these critical systems—you maybe have fewer than 10 suppliers for each category. With all these vendors being connected and standardized offerings across fleets, if you can impact one vendor, you can target all the ships that are connected to them. Innovation and digitalization of shipping increase the attack surface dramatically, making cybersecurity all the more important.

Can that be addressed in part by ensuring OT systems are properly segregated from the rest of the network?

Absolutely. Network segmentation is very important. Standards like NIST or IEC 62443 clearly define how to segregate systems, but it's all about execution. You can install firewalls and segregate networks, but that has to be managed throughout the vessel's lifecycle. You have vendors' techs coming in and making changes, so you need teams to be on top of that.

It's easy in concept — segregate your network — but harder in execution. We're seeing success stories with folks implementing IEC standards, installing firewalls where needed, or maybe unidirectional diodes where data can only flow one way. But this increases the technical complexity on these ships. It's a delicate balance, and segregation is one of the most critical pieces, though it's hard to validate, test, and maintain.

Vendors' technicians are probably used to following their own procedures and informal work practices. How do you address that?

We recommend getting more language in contracts and service level agreements where the owner can say, "these are our policies for when vendors come aboard — they must follow these procedures." That connects to training the folks on ships, because there's very rarely someone aboard who's a cybersecurity expert.

We need to link this back to safety management systems. We do this for everything else in shipping—safety, physical security. Cybersecurity shouldn't be so different; it's just another risk the vessel is taking on. The challenge is making procedures seem similar to safety and physical security, not some technical issue that confuses people aboard. It's about translating things into common maritime language.

How do you convince them that cyber is of equal importance and get them to understand that? What kind of language do you use to share that message?

The most effective thing I've found is tabletop exercises and drills with real-world scenarios. Real-world scenarios are hard to come by because, until recently, incidents weren't reported. With safety, if there's an incident, root cause analysis is performed and information is shared. We're not quite there yet with cybersecurity.

One of the most powerful tools is having tabletop exercises showing scenarios that actually happened. When you tell an engineer that their systems are configured the same way and this could happen to them, they initially think cybersecurity is just a story—"this won't happen to us, our systems are air-gapped." Nothing's air-gapped anymore, but they don't see that until you show them concrete examples and evidence from an engineering perspective.

Once they understand how it can be done and what the impacts are, they wake up and see how this translates to a safety or environmental incident. In maritime, it's all about safety. If you can tie it to safety, you're going to get people to buy in.

A cyber impact on an OT system will eventually manifest the same way as any other system failure, but it's someone deciding to make it happen rather than a typical breakdown. You explain what to look for, the signs, who to call, and how to recover. We put it in those terms within existing policies and procedures rather than creating something completely new.

Are you seeing an acceleration in threat evolution because of AI tools being used in phishing campaigns and code writing?

100 percent. Phishing is no longer the Nigerian prince with spelling errors. These are expertly crafted campaigns. I've seen convincing phishing scenarios impersonating designated persons ashore or shoreside contacts. It's scary, and it bridges into audio and video spoofing. If you have video or audio of someone online for more than two or three minutes, AI can create a clone.

Threat actors can research much faster now. Most maritime systems documentation is online. What used to take a year and $10 million can be done in a week with AI help when crafting exploits for new vulnerabilities. It's evolving frighteningly fast, but fortunately, we're also leveraging AI on the defensive side to keep pace. Cybersecurity is always a cat-and-mouse game.

When someone calls for assistance, do you send a team out to their ships?

It depends on the client. We meet clients where they are because the maritime industry is so diverse. You have mature cruise operators and oil and gas companies on the high end, down to small and medium operators starting from almost zero.

We start with an initial consultation—where are you in your journey, whether compliance or risk management, what have you done, and where can we help. We try to fit in as a trusted advisor. We do risk assessments, provide training, help our clients create policies and procedures, conduct tabletop exercises—we can do it all.

We like to build or augment programs because cybersecurity encompasses the whole business. Many organizations have mature enterprise security postures but need help extending that to vessels or facilities. We get out on assets, do risk assessments and gap analyses, make recommendations for technical controls, policies, procedures, and training. We try to be very practical—not "the sky is falling"—but realistic about budget constraints and putting resources where they'll have the most impact.

Are there specific projects you'd like to highlight that show how this works?

I can't name clients specifically, but we're engaged with several large cruise industry clients on new builds. New class requirements for newbuilds are coming out, so we're helping our clients comply with those regulations.

We're doing extensive training for the new MTS cybersecurity regulations. There will be probably 100,000 people needing training at different levels. The cybersecurity officer — the person accountable for cybersecurity at the organization — needs training, then individual training for employees on vessels and facilities, plus role-specific technical training for operators and engineers.

Training is probably the most important part of this process — it's the glue holding everything together. We want quality training that moves the needle rather than just clicking through to say you did it.

Should there be a cybersecurity curriculum at maritime academies?

Absolutely. There should be a basic cybersecurity curriculum at maritime academies, probably role-specific. Engineers might need to understand different things than operators, but regardless, why are these folks having to play catch-up when they join the maritime workforce?

If you're a navigation officer, you should understand GPS spoofing and jamming, AIS manipulation at a basic level. You should recognize when systems aren't functioning properly and whether it might be a cyber incident, then know what to do.

If you go into a modern ECR (Engine Control Room), it looks like a spaceship launch center. Everything's on screens and panels, everything's digital. The knobs and dials don't exist anymore. Looking out 10 years, all vessels will be like that — everything connected, everything a touch screen or video panel with an IP address. Having basic cybersecurity understanding will be critically important to the job, because the cyber team isn't on the ship, and can't be.

I'd love to see maritime cybersecurity as a viable career path, not just a part-time thing. The regulations require organizations to have someone accountable for cybersecurity by name, and there just aren't enough people to go around. People ask me: would you rather have a cybersecurity person and teach them maritime, or have a maritime person and teach them cybersecurity? My answer is always maritime. Have a maritime person and I can teach them cybersecurity. They'll pick up concepts faster, understand operations, ships, and shipboard systems, versus someone with a traditional IT background who's never set foot on a vessel or facility.

There's a huge opportunity for maritime academies. These folks can be embedded in industry as the glue between enterprise IT security teams and vessel or facility operators—bridging that IT/OT divide. But it's more than OT, it's maritime-specific operations. -TME