“We're gonna be able to optimize ship operations. We're gonna be able to optimize cargo coming on and off ships. We're gonna be able to optimize routing so that we take the least amount of time we can avoid weather…[but] now another way for me to hack a ship is going to be by poisoning the data sources.” - Gary Kessler
In this episode, host Bryson Bort sits down with Gary Kessler, retired cybersecurity professor and co-founder and director of the Maritime Hacking Village. As a maritime cybersecurity researcher, consultant, and practitioner with nearly fifty years of experience, Gary walks us through the ins and outs of cybersecurity at sea, automated identification systems (AIS), and AI’s current and future role in maritime operations.
What is AIS spoofing, and why is it dangerous? What are the unique challenges posed by cybersecurity at sea? Is the maritime industry ready for artificial intelligence integrations?
“AI is going to [present] really incredible opportunities for us moving forward. I think however, it is a tool that is not well understood in general by people who are not specialists. And particularly in the maritime industry, we're going to have to get a lot better at understanding the capabilities and the pitfalls,” Gary said.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort, and this is Hack the Plant, season 5, brought to you by ICS Village and the Institute for Security and Technology. Electricity. Healthcare. The food we eat. Our water supply. We take these critical infrastructure systems for granted, but they're all becoming increasingly dependent on computers to function.
In Season 5, it’s more important than ever to ensure that our essential services are resilient to disruptions. This season, we’ll bring you insights on four of our most vital lifeline sectors - electricity, healthcare, food, and water. We know that our interconnectivity makes us vulnerable to our enemies – but what can we do about it?
We walk you through the world of hackers working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day. From the threat posed by Volt Typhoon to the aftershocks of the Change Healthcare data breach, it is clear: the time for action is now.
In my day job, I'm the CEO and founder of Scythe, a start-up building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy and co-founder with Tom Van Norman of ICS Village, a non-profit advancing awareness of industrial control system security.
I'm also an adjunct Senior Advisor at the Institute for Security and Technology, a 501c3 Think Tank dedicated to tackling technology-driven emerging security threats.
Subscribe wherever you find podcasts to get each episode when it drops.
Bryson: For today's episode, I’m joined by Gary Kessler, retired cybersecurity professor and co-founder of the Maritime Hacking Village. As a maritime cybersecurity researcher, consultant, and practitioner with nearly fifty years of experience, Gary walks us through the ins and outs of cybersecurity at sea, automated identification systems (AIS), and AI’s role in operations.
Gary: “I think prior to 2020, if you were to ask most people in the United States anyway, is the United States a maritime country, their answer would've been well. I've got a buddy who occasionally takes me fishing, and I've seen yachts of the rich and famous on tv, but they would never have had the wildest notion that 80 to 90% of all of our imports and exports come by sea, and they would not recognize that 25% of our global domestic product is somehow related to the maritime industry.”
Bryson: We discuss the widespread lack of awareness about the enormous and essential role the maritime industry plays in global and domestic trade.
What does 'smart' maritime infrastructure look like, and what new attack vectors does it create? Why is GPS timing as critical as its positioning function? And what's the one good thing and one bad thing Gary predicts for maritime cyber in the next five years? Join us for this and more on this episode of Hack the Plant.
Bryson: What mistakes in life led you here, Gary
Gary: meeting you at DEFCON all these many years ago, apparently. So just to sort of bring you up to date, and for anybody who may not know me, I am a retired professor of cybersecurity. I retired from Emery Riddle Aeronautical University in 2020. I've been engaged in the cybersecurity space since, well, depending upon how you count sometime in the 1970s, but professionally, since the late 1970s, although we didn't call it cybersecurity then, for all sorts of reasons, and I've been engaged specifically in research related to maritime cybersecurity for about the last eight years.
My COVID-19 project was to write a book on maritime cybersecurity, uh, which has the highly technical name. Maritime, cybersecurity and um, my real area that I've been dabbling in for many, many years is all related to automatic identification systems, and building tools to try to make it a little bit more secure.
That was sort of a research project that I had fun with. But also building tools to be able to spoof aids navigation as well as spoofing vessels. And I, you know, teach a fair amount about that. And GPS spoofing and jamming as well as a IS kind of things. And I just dabbled with some, you know, talking to people about maritime cyber, trying to be a thought leader and prod people along.
Bryson: Okay, so what's your full-time job at the moment?
Gary: My full-time job is being retired. I'm a scuba instructor with a captain's license, so I try to spend as much time as I can in, on and under the water, and I do some research and some writing, and a little bit of consulting related to maritime cyber.
I'm involved in a couple of, um, maritime cyber hacking events and I spend a lot of time with the Coast Guard Auxiliary. I hold a national office in the auxiliary related to cyber support for the US Coast Guard. I'm a guest faculty member at the. Coast Guard Academy. I'm an advisor to Cy Do and a couple other companies and the Cyber Boat Challenge.
Bryson: Okay. And so what can you tell us about Maritime Cybersecurity and of course, more details about your research on the automated ID system as well as spoofing, navigation and vessels.
Gary: Maritime cybersecurity as I think most of the listeners for something like this would be aware, it is basically cybersecurity, but what makes it unique is all of the unique systems within maritime.
So nobody else has the automatic identification system. Nobody else has nodes that are moving at a slow rate around the world on a constant basis. And so therefore, we have to worry about international regulations as well as every nation's regulations where ships are going to pull into port. We are talking about an infrastructure, namely the domain transportation system that is elemental and necessary for just about everybody's national security. Global security. I mean, if you look at the statistics, people are talking that somewhere between 80 to 90% of global trade happens by ship. And again, depending upon whose count you're gonna use, there's probably on the order of a hundred thousand maritime vessels and.
So since certainly in the last many decades, we've become a truly global economy, and we saw that of course, with the pandemic. Prior to the pandemic, most people in the world could not have used the word supply chain correctly in a sentence. And in 2020 everybody learned exactly what it meant. So when you look at that type of environment, it makes the cybersecurity challenges very interesting.
And then in cyber, of course, or in maritime rather, we're trying to do some things that we're maybe towing with in other transportation sectors. Going about it in a very different way in maritime and, for example, leaping to mind the idea of building autonomous systems. So having an absolutely clueless vessel to the extent that we are building vessels these days that don't have space for people because they're designed from the kela to be autonomous and not have crews on board.
They will indeed have some sort of remote. Monitoring because even the, um, international maritime organization, the IMO are talking about, well, you know, you have to have a captain of a vessel, right? But that captain does need to be on the boat, which now brings into all sorts of other things because the IMO also believes, and, and, and I think most tend to agree that a remote captain of a vessel doesn't really need to be monitoring the vessel 24/7, paying attention only to that vessel. A captain, a remote captain, could presumably actually be monitoring multiple vessels at the same time. Now that makes sense. Of course, when the vessels are in the middle of the ocean, it makes less sense when they're getting into a port where obviously needs more attention.
At the same time, we're trying to build smart ports, smart ships, smart cargo containers, and. Basically what that means, the smartness. It's a bringing together of advanced computing algorithms, smaller, faster, cheaper computer processors, smaller, faster, cheaper sensors, so that the captain of a vessel from a dashboard on the bridge.
The bridge, by the way, may or might not actually be on the ship, but having a dashboard that allows me to know everything about the environment of my ship. Everything from the salinity of the water, the temperature of the water, my speed, my torque on my propeller shaft, and, and, and even the torque on my mooring lines.
So if we ever were in a situation where we needed to have information that was timely, authentic, available, accurate, and all of that kind of stuff, I mean, clearly that time is now. Throw this together with people not really understanding, but throwing around the term artificial intelligence a lot. And AI is becoming huge everywhere in society.
But specifically to maritime, I keep hearing and reading people talking about AI and not necessarily truly understanding what AI is. And I will tell you that I don't claim to be an AI expert, although I am pretty AI highly aware. I first ran across AI in 1975 when I started grad school in computer science, and I've been, you know, sort of tracking the progress with AI ever since then, although certainly the last few years have, um.
We, we, we've seen a, a, a change in AI that eclipses the last 50 years. So one of the things I like to talk about with artificial intelligence since, since I got this far, is most people that are aware of AI may or may not have heard of the Turing test. And the Turing test, of course, was named for Alan Turing, who really started talking about the intelligence of computing.
Probably before I was born, but the idea of the Turing test was if I as a human can have an interaction. A conversation, if you will, and I am unable to determine whether I am communicating with another person or if I'm communicating with a machine, then that machine is said to have passed a touring test.
And I've come to the conclusion recently that the Turing test is insufficient. It's necessary, but insufficient. And the reason is I, I don't want to quote Resident Alien and say humans are stupid, but I will say, the humans are easily fooled. And so, I can have a conversation with ChatGPT and ChatGPT can lie to me and or hallucinate and or just give me flat out wrong data because it doesn't know the right answer or it can be telling me the truth.
I can't distinguish between any of that, but that didn't make ChatGPT truly intelligent, although there are many that would argue that ChatGPT passes a Turing test. Many of the things that we call AI are really nothing more than really super duper advanced ability to process and synthesize a lot of information quickly.
Bryson: Yeah, I'm gonna need you to tie it back to maritime security.
Gary: I think the issues that I was trying to get at is AI is becoming important in cybersecurity in general. It is certainly becoming important to maritime, and I think my real hook is into the smart systems that we're building in the autonomous systems.
So I have autonomous ships, they. Need to have, therefore, some form of autonomous navigation. There needs to be ways in which I can take the existing collision regulations and navigation rules and apply them to situations that we will see at sea. But the next issue though, is that I had started on with having a remote captain, not on the vessel, but communicating from a distance. I still need to have a lookout on the boat if I don't have a lookout. As we understand having a person standing there with binoculars and looking around, we're gonna have to have a whole ton of cameras and sensors. Well, they're gonna now be communicating back to some central place, and that means that I have another vector for somebody to attack.
I can either have somebody who's doing maintenance on the ship installing some Trojan horse device. A misconfiguration on an autonomous vessel can be fatal to the autonomous vessel. People who are bad guys can be listening to the communication between the ship and the captain on the shore, and. We believe that we can make those communications secure.
However, I'm not convinced that any communication can be made totally secure and. That is going to become an issue, I believe going forward.
Bryson: What kinds of sensors, I mean, you mentioned a lookout, which is effectively a human sensor. I'm watching the bow of the ship. I'm seeing where we're going. I'm seeing potential obstacles or other ships and artificial intelligence would follow the same thing with establishing.
Computer sensors pull in different levels of information to try to emulate that same human lookout, to be, you know, to inform the remote captain of what's happening. Sure. Um, you, you noted the surface area challenge. As with anything, if there is computational capacity, there is risk of exploitation and manipulation and control in terms of level setting.
What is the system? What kinds of sensors are we talking about? What do they do?
Gary: We're talking about things as simple as cameras. We certainly need sensors that are telling me, you know, the state of the ocean, as I mentioned, or, or, or, or recognizing things like the basic state of the ship.
What is the salinity of the water? What's the temperature of the water? What's the depth, what's the current, what's the tide? Obviously I need to know. Basic things that I would know anyway about what is my course, what is my heading, what's my Latin long and that kind of stuff. From a lookout specific area, I need to have a camera that is constantly looking 360 degrees around a ship.
Earlier this year I was on the Chesapeake Bay in the middle of the night and the boat I was on was not transmitting IS signals. There was a merchant cargo ship a mile and a half away who saw our lights and called us because he wanted to make sure that we could see him. Turns out, we could see him. A, he was very large.
B, we had an IS receiver, so we knew where he was, but the point being was that he was doing his job. He didn't know our intentions, so he was able to check in with us. We need to have the equivalent of that on even autonomous vessels. So like I said, cameras are biggies, as you know, environmental sensors as well.
And obviously the connection, as you've already alluded to all the operational technology on board the boat and. That's not specific to autonomous vessels, but certainly it is widespread within the infrastructure of maritime information. Technology networks are fundamentally different from operational technology networks and in, in lots of subtle and not so subtle ways, and I think it's only relatively recently in academia that we are starting to educate people about.
How to build OT systems, how they interact with IT systems. Most hacks I understand from our OT systems come from the IT network eventually. Um, 'cause that is the vector. And so how to interconnect all these things in a secure way. And OT is difficult to secure for a number of, of reasons. Among them being.
Inexpensive devices tend not to have a great user interface. They tend not to have a way where I can change things like passwords. And we are still seeing operational technology come out of the box with unchangeable passwords. Passwords that are just not a secret, um, because nothing's a secret on the internet when somebody discovers it.
Bryson: So question from about 10 minutes ago, you mentioned that 2020 supply chain impact. I didn't understand why you referenced 2020 as the time that everybody understood supply chain impact, particularly when I think people initially think of the 2017 cyber attack with NotPetya that affected Maersk. And while it didn't affect the OT systems directly, it's a classic example of where an IT issue.
Can cascade and take down all operations. And even though your OT is functioning just fine, your organization doesn't work. So
Gary: let me talk a little bit about Maersk. Maersk got taken down in 2017 by NotPetya, and I will start by saying I give a tremendous amount of credit to Maersk. Maersk got hammered very, very badly, not because they were subject to a specific attack, but or rather not because they were targeted.
By a specific attack, but because they were susceptible and Maersk's response, um, once they were able to put their network back together, was almost publicly within the industry to say, we got whacked and we know why, and it is never gonna happen to us again. And there were a lot of lessons learned. We're sharing the lessons learned.
So like I said, I, I give nothing but credit to Maersk about that. But again, my point being they weren't targeted. They got hit as badly as the national healthcare system in, in the uk, who was also not targeted, but was susceptible to, to what happened. I mentioned 2020 as the time when everybody became aware of supply chain 'cause we couldn't find toilet paper on the shelves of our stores.
It was really the pandemic, I think that made people start to see images of ships lined up outside of the ports of Los Angeles and Long Beach, and they started hearing about the fact, well, wait a minute. I can't buy a car because there are two chips that the car needs that are manufactured in China and we can't get them here from China quickly enough.
And I think. Even with the Maersk attack, which was relatively well known, I don't think it hit quite the public mind as much, and the supply chain wasn't impacted as much the ever given. Also started to give people an idea of the, I wanna say fragile nature of all of our supply chains. Um, here you had a ship as, you know, you know, stuck in the Suez Canal for a week and companies were trying to decide, well, do we wait this out?
Or do we reroute all of our vessels? And how much is this costing us a day to the global economy and the movement of goods? And so I think the, again, the truly international. Trade that we have came into really full effect a little bit with Maersk, a little bit with every given, but I think the, um, the, the COVID year really, um, started, uh, bringing this to people's minds.
I think prior to 2020, if you were to ask most people in the United States anyway, is the United States a maritime country, their answer would've been well. I've got a buddy who occasionally takes me fishing, and I've seen yachts of the rich and famous on tv, but they would never have had the wildest notion that 80 to 90% of all of our imports and exports come by sea, and they would not recognize that 25% of our global domestic product is somehow related to the maritime industry.
Bryson: Alright, so we, you've covered kind of the future of maritime, which is going to be driven by autonomous. Uh, cargo, we've seen the same thing on land as well. Um, folks are doing a lot of work, um, primarily actually, uh, for where we have ships bringing things into a country you still need to distribute inside the country, which most of that is done with trucks.
So that is the, the, uh, analog for where we're seeing autonomous, uh, transportation inside on land from, from the ports with respect to the current state of things, right? Legacy. Ships still being run by humans. What kinds of concerns do you have?
Gary: I actually have a number, number of things probably worth mentioning.
One of them is, my favorite topic is related to navigation systems and particularly, uh, global positioning system. G-P-S-G-P-S of course is, is fundamental to maritime, but it's also fundamental to all transportation. Uh, not the least of which in this case. Uh, also being aviation. There are. Areas in the world where GPS is practically worthless.
I think of the Baltic states being one of them. But one of the concerns that I have, not just about GPS spoofing and GPS jamming, is the fact that we don't really have a good backup to GPS at least. Um, I have read nothing to suggest that we do, and. I think one of the other things that is not well understood about GPS is that GPS is not just about navigation positioning, it's also the timing that we get from GPS.
So. All of our digital systems have to have really accurate, precise clocks because, you know, we're, we're, we're doing this streaming event right now at high speed, but high speed digital only works when the transmitter and receiver can agree on where's the beginning of a bit time. And we can only do that if we have really, really good clocks.
If GPS goes down. The, the, the statement that I frequently use is, I will not be able to use my cell phone to call the power company to tell them that the power is out. Because all of these systems from ATM machines, to agricultural systems, to energy systems, to communication systems, all are relying on, um, GPS driven timing and interestingly.
Um, many other countries are investing big time in backups to GPS, both for, uh, positioning and navigation, as well as the timing issues. So Iran is a big topic of research and in fact, implementation. We see it in Western Europe, we see it in China, and. Um, I, I see articles all the time here about why aren't we investing more in that backup to GPS.
I am sure that the military is doing something, um, to back themselves up, but GPS has now become such an incredibly essential civilian asset. And so when, when I think and talk about GPS and we already addressed Maersk, one of the things that I think that. We have to be concentrating more on, in the cybersecurity field is not just cyber defense, but it's cyber resilience.
Bryson: Hey folks. You might remember that we’ve discussed the effects that timing can have on vital equipment on Hack the Plant before with Cisco’s Joe Marshall. During the first year of Russia’s invasion of Ukraine, Joe helped to build a multinational, multi-company coalition of volunteers to rebuild the country’s energy infrastructure in the wake of GPS failure. Listen to Episode 36, Supporting Ukrainian Electrical Grid Resilience in Wartime, for more.
Gary: So I look at something like, so what happened to Maersk was not only did all their systems get whacked, but they were using Microsoft Active Directory. So Active Directory's idea of resilience is a server will fail. Well, when it fails, we merely put in a new server and all of the other active directory servers will help the new server populate with the information it needs to do its job.
This, by the way, is the same reasoning behind the domain name system on the internet. A server will go down, we'll bring in a new computer, and all the other servers will populate information. And for that matter, with GPS, I've got 36 GPS satellites. I'm only using about, yeah, 28, 29. At once, one of them goes bad, move another one into orbit, they start exchanging information.
GPS comes back. That's because we think our enemy is nature. We understand statistically, um, that things are gonna break, things are gonna fail, and that's why we have all these sarcastic algorithms about meantime to failure, meantime to repair mean downtimes and all those kind of stuff. But suppose our adversary is an intelligent agent.
Suppose our adversary has the capability to shoot down all 36 GPS satellites in the next five minutes. Suppose we can take down all of the DNS root servers as nearly happened about 22 or 23 years ago when we only had 12 root servers on the internet and nine of them failed on the same day. Well, the internet was really, really slow that day because nobody knows an IP address of anything.
We know the name of everything. And without the DNS to do the name number translation, like I said, the internet was very slow. And again, same thing with active directory. What happens when all of your active directory servers go down, which is what happened to Maersk, except luckily they had one server that has suffered a power failure the day before and was offline.
So. When we talk about resiliency, we need to be thinking about intelligent actors being behind any cyber event that we have and being able to respond to our responses. And furthermore, our response to an incident can't be so canned. Predictable so that an adversary can basically own us because if they know what your response is gonna be to an incident, they can then make you respond anytime they want.
Bryson: Okay. So anything that you want to cover that we haven't yet
Gary: In maritime right now? I think one of the problems we have is workforce development. It is similar. To the problem that we're having throughout the cybersecurity industry in where are we getting our future workers? But I think that we have to be a little bit more creative and think out of the box where in maritime we find people to work at the various levels of cybersecurity person that we need.
We don't need to have a cybersecurity expert code jock. On every ship, but we do need to have somebody on every ship who is hyper cyber aware and becomes the resource for the vessel. I would observe. You may have to look no further than the engineering department. The engineering deck knows when something is wrong inside the skin of the ship.
They're an optimal workforce for us, and so we also need to do better at making everybody. In the maritime industry, and this could be extended everywhere to be more cyber aware and moving beyond the one hour required mandatory annual training so that I can check off a box and saying that my, my crew is compliant.
They have their training because without appropriate follow up, without treating cybersecurity as a safety issue within maritime. We're really just paying lip service to, to the problems.
Bryson: ICS Village has been working for the past couple years via a grant from the Gula Foundation to build ICS workforce training as an alternative to university. We include it in our annual policy conference, Critical Effect, with an annual Workforce Development Day an opportunity for students, or anyone who is interested in OT, for that matter, to get real world training and hands-on experiences with OT technologies like this. If any of our listeners want to get into maritime cybersecurity, it’s a great opportunity!
Bryson: How far does Maritime cybersecurity extend into issues with ports?
Gary: Well, one of the things that I would observe is, first of all, tightly coupled to the ports, because every time a ship goes into a port, they fall into the regulation, obviously, of the nation state, where the port is.
Which means that ships now need to comply with not only international regulations, but every country in which they touch. Furthermore, if there are cyber issues at a port, in this case thinking particularly malware type of issues that could possibly be transferred from the port to the ship, the ship now is carrying this malware and can carry it to other ships in other ports, and which is sort of the, the inverse of what I was next gonna say, and that is.
If a ship has malware that's undetected and connects to a ports network, it has the potential that it could transfer the malware to a port which could then transfer to other ships. So as long as the networks are able to touch each other, the link between ship and port is inextricable.
Bryson: So how do recent developments in artificial intelligence factor into all of this?
Gary: Artificial intelligence is going to be incredibly important to the maritime environment as it is to just about every other segment of society. AI is going to be able to help us. With our autonomous systems and even our non-autonomous systems, we're gonna be able to optimize ship operations. We're gonna be able to optimize cargo coming on and off ships.
We're gonna be able to optimize routing so that we take the least amount of time we can avoid weather, we can avoid seas that are are not favorable to us. It's going to optimize fuel and we're starting to build. Big cargo ships that are gonna be wind assisted. Well, I'm gonna be able to use AI perhaps to work with all the information that we have and look at tides, currents, and winds and say, for this, this multi powered vessel, where's the best place to be?
It speaks to the incredible requirement that we're gonna have, that all of the information that is being used by these AI systems is correct. It's available and it's accurate because now another way for me to hack a ship is going to be by poisoning the data sources. So AI is gonna be really incredible opportunities for us moving forward in that way.
I think, however, it is a tool that is not well understood in general by people who are not specialists. And particularly in the maritime industry, we're gonna have to get a lot better as to understanding the capabilities and, and the pitfalls and where it's gonna work and where it's not gonna work.
So some of the research that I started doing years ago, uh, working on AIS was, was first addressing, uh, the weaknesses in the protocol. And, and there are various, I I'm not gonna go into those right now, but. As I was building tools to try to address the weaknesses and just build a demonstration and capability, I had to build tools that effectively allowed me to spoof a IS messages.
Well, once I could create my own a IS messages, it's easy enough to spoof a route and we are seeing all sorts of instances. A IS spoofing and have been for, for years and years because people are spoofing routes because a, they wanna hide where they really are for perhaps military strategic reasons. They are doing it for sanction avoidance.
Uh, some of the work I've been doing with some colleagues, um, has been tracking. Russian vessels moving sanctioned oil and doing ship to ship transfers throughout the Mediterranean, but it's not just Russians and it's not just the Mediterranean. Illegal, unregulated, unreported fishing is huge and we are seeing very, very large fishing fleets from any number of countries go into somebody else's water and they show their fishing vessels are, you know, somewhere near New Zealand where in fact they're in the Galapagos or something like that.
And. You know, people sometimes think, oh, somebody's illegally fishing, so you know, you take a red snapper here or there that you're not supposed to take. But in fact, when you're talking about. Big fleets of fishing vessels, you are impacting another nation's food security, economic security, environmental security.
I mean, it, it turns out that, that it is a big problem and spoofing of a IS is relatively trivial to do. The fact that I can do it and build tools tells you that it can't be that hard. And so that it, for many years I didn't share all of my tools because, you know, I wasn't sure. I mean, how, how far do we go in sharing, hacking tools?
And in the last couple years I've become way more open about it because it's, it's not a secret anymore. And the good guys need to have access to these tools so that they can figure out how they're used, how to counter them, how to recognize them. And I'm hoping that bringing this back to ai, that. We have a, we have ways where I can look at an a IS track, historical track and we can tell that it's fake.
What I don't think we're doing very well right now is, can I look at an a IS track in real time and determine that it's a fake track? And I think that is an interesting area of research that I would love to work with somebody, uh, on that. 'cause I just don't have the capabilities and the lab and the graduate students.
Bryson: Yeah. Most of the work that I've seen on GPS spoofing has been around cars.
Gary: Yes. Yep. And, but I can a IS spoof and I don't even need a GPS spoof.
Bryson: You ready for the lightning round? Yes. If you could wave a magic non-internet connected wand, what would you change? In many ways, I
Gary: realize how much of an idealist I maintained from my early twenties.
I never understood why people would take things that were meant for good and screw with them. I don't understand why people attack GPS. I mean, they're doing it for their own good, obviously, but I've never quite understood why people are so self-centered. And can't do things for a collective good. I know that sounds hopelessly naive, but I would want there to be some universal truths and some universal goods and people just not.
Screw around with stuff that hurts other people. That was unfortunately my knee jerk reaction in maritime cybersecurity. I would just like people to be more aware of the technologies that we're using.
Bryson: Well, you've waved your magic air gapped wand. Now. Pick up your crystal ball. One good thing and one bad thing that you think is going to happen in the next five years.
Gary: So I'll, I will. I will tell you a fear that I have. People don't take a problem seriously until something really, really bad happens. I have heard people as recently as two weeks ago at a meeting where I attended, say, this whole cybersecurity issue with ships is being over overblown. Has anybody yet sunk a ship as a cyber event?
Has anybody crashed a ship into a bridge as a cyber event? My fear is that there are too many people who are decision makers in the industry who are not gonna move until such an event happens. My crystal ball and my, my good thing is that I have seen, no pun intended, a sea change. The attitude about cyber from other decision makers that recognize that waiting for somebody to get killed at the crosswalk is not the way to build where I put crosswalks and lights, and I've seen more movement in cyber, in maritime in the last.
Two years, I would say, than in the previous five. And without trying to extrapolate too much, because we're also seeing a rise in cyber events, I think the smarter leaders in the industry recognize that eventually we're gonna be overwhelmed by statistics. And we can't wait for the catastrophic thing to happen, not when we can predict that it's gonna happen.
We just don't know what that thing is gonna be. And that is one of the other things. I think that five years is a really long time period. I don't know that we can predict five years out, not, not with any sort of accuracy.
Bryson: Heck, we can't predict next year. Uh, this is, this is that time of year where all the experts are mandatorily supposed to put together the 2026, you know, the next year.
Predictions. Yeah, exactly. I, every time I get it, I'm just like, there's gonna be more of the same. I mean, there really isn't novelty. It's things that were there continue to be there. Well, you
Gary: know, I, I hate to quote the Bible, but I will, my favorite book of the Bible and possibly the shortest, and maybe that's why it's my favorite, um, is Ecclesiastes.
Perhaps because it's filled with cynicism, there is nothing new under the sun.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they're released. Thanks for listening.