Episode Transcript
[00:00:00] Speaker A: You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
[00:00:18] Speaker B: Good morning. Thank you for joining us today. My guest today, Christopher Stein. Why don't you introduce us and tell us where you are?
[00:00:28] Speaker C: Yeah, I'm Christopher Stein. I work for Royal Caribbean Group. Today I am on mineshaft seven. We are underway from Copenhagen to Gdansk.
So for those who don't know, Royal Caribbean owns five brands. It's celebrity Royal Caribbean International, Silversea, and then 50% of Tui cruises and Hapbak Lloyd cruises.
Mineshift seven is the newest ship. We just got it delivered a couple of months ago, and now we are doing the cyber security assessment.
So I'm staying on for a week from yesterday until.
[00:01:06] Speaker B: So that's super interesting.
I'd love to have an understanding, a high level understanding of what does it look like to do a cybersecurity assessment on a ship, especially one that is at sea, probably with paying customers on it, with thousands of people and staff and all the things that are going on. On. What does it look like to do a cybersecurity assessment on an active vessel?
[00:01:29] Speaker C: So that's a very good question. And I guess a lot of people would expect it to be very technical.
But in fact, one of the things that is very important in maritime is compliance. So what we're doing today is a compliance assessment for IMO and for ISPIs. And that means that we need to understand our current cyber security posture, both on the IT side, but also the OT side. So today we're conducting interviews, we're reviewing drawings. We're looking at a few technical elements. But because, as you say, we are sailing with passengers, we can't do, you know, deeper dives into the whole technical, technical systems here. So at some point when we are in Doc or we have time, we can do more technical and in depth assessments, which, for example, involves checking networks and checking, checking configurations. But as we are at sea, we are limited to a little bit more administrative tasks.
[00:02:25] Speaker B: Yeah, but that's. That's no different. I've done these in manufacturing facilities and, you know, on power plants and all these spaces, and it's not like they just say, hey, we're going to do an assessment, so we're going to shut everything down. That's not reality. Right. Business has to go on, so we have to find ways. And that's one of the things that's really different in OT, I think, than it is. We don't have an outage window on a Friday night from ten to twelve that I can just patch and do anything that I want because everybody's at home, you know, watching tv or football. These ships have to go. They run 24/7 they have to be supporting even when the customers are asleep. It's all that stuff still has to work. So we have to find ways as ot cyber people to do, to work around those response, those problems even when they're at port. Like you mentioned, doing it at port. It doesn't mean that you just have carte blanche because those systems still have to run. So it's not like you can just attack things and bring things down because those ancillary systems, many of those ancillary systems still have to be up and running.
[00:03:25] Speaker C: Correct. One of the things that is different in maritime than, let's say, a factory is that we need systems to be operational in order to maintain safety. Right. If loses its propulsion, then it might bring us into an unsafe situation. So we can't just do things right. Now.
That being said, when we are in port, there are some things we can set to local control. We can shut them down. We can do certain things while we are in port, test those and then start them back up and continue the voyage.
It's all about timing, it's all about the scope, and it's all about understanding what it is that you want to get from this assessment.
[00:04:07] Speaker B: What are some of, some of the types, obviously, from a compliance perspective, but what are some of the types of things that you're looking for?
Are you walking it down physically? Are you looking for physical assets? Are you looking for asset inventory? Are you looking for, what is a high level thing that you're looking for in one of these assessments?
[00:04:28] Speaker C: In general, we try to do a little bit of everything.
It's all about understanding our cyber posture. So we get a ship from the yard. We want to understand in which state it is in to understand what is our exposure. And also what do we have to prioritize, you know, if we find out that, you know, we're missing an element or something needs to be changed or something like that, we, we now know about it and we can do something about it. So we do walk the ship physically. We do check the drawings. We do check technical items. We basically do, you know, a top to bottom approach on the system.
[00:05:06] Speaker B: Yeah, that's super interesting. And I, you know, I really want to hit home. And how I have these conversations a lot. And when I'm at conferences, you know, I just got back from black Hat and Defcon, and I was at RSA earlier, and, you know, I still have a lot of people come up to me, and they're. They just don't necessarily understand the difference between OT and it.
And what. What is ot? What makes it ot? Why is it different? I've had some really intense conversations to say at the least, around how it. People or people that don't really understand ot, why it's so different and this whole it and ot convergence and all of that and how gray that gets. But you just said it, right. And I think that's the key piece to remember, is you guys are dealing with safety and you can't take it. You can't put anything at risk that can risk the safety of the passengers and the crew and other people that aren't even on the ship. Because, I mean, we just saw in Baltimore the ship that lost control and hit a bridge and crashed a bridge. Like, those things are real. Like, when I'm patching my email server at my corporate headquarters, there's no person's physical safety at risk. Yes. Somebody could. We can lose money. We can lose credibility. We can lose people's email. There could be lawsuits, things like that, but there's nobody that's gonna physically be harmed from that. Right. That's a big piece that's. That's in OT. And a lot of people don't really understand because they just haven't been there.
Same thing when I do a power plant or I'm doing a manufacturing facility, those things are. There's a lot of safety issues. Safety first. Like, I can't trump, no matter what I need to do, I can't trump the safety factor. To do what I need to do, I have to wear my hard hat. I have to wear my PPE. I have to make sure that lockout tag out that I'm understanding and three way communication. It's why we do all of these things in these OT spaces, because lives can be lost and have been. We're not just doing the safety for. Because it's fun. We're doing it because lives have been lost in the past, and we want to make sure that that isn't in the future.
Obviously, from a business perspective, you also want to make sure that your things are reliable so that passengers will be safe and feel comfortable to come on board and enjoy the facility without worrying about bad things happening. That's obviously bad press. But in the meantime, you guys are focused on safety because it's the right thing to do. And obviously, you want your customers and your. And your employees to be safe on your vessels.
[00:07:35] Speaker C: Of course, safety is a top priority for us. It is like that in maritime business. Every maritime company will have safety as a top priority. Every shipping company is interested in keeping passengers, crew, ship, the environment at stake.
The things that are, let's say, different in maritime compared to, let's say, industrial processing. Like I mentioned, we need operations to stay safe. And that means it's not always possible to apply the same methodology as you will do in it. It's not even always possible to apply the same methodology as you do in a manufacturing facility. Right.
The way that we have to test things also means that we must ensure that we don't break anything, we don't change any configuration, and we also need the vendor to be on board.
Compare it to, let's say, the toilet paper making facility.
[00:08:37] Speaker B: Right?
[00:08:37] Speaker C: I don't know how toilet paper, but I imagine you put a big roll of paper inside one end, and in the other end come smaller roll of toilet. Toilet paper.
The safety element in that is designed to protect the human from, or prevent the human from entering the machine. And if he does, to shut the machine down to achieve an element of safety. If you break something in that process, the machine will just not start up.
When we do things here, we must have operations when we're sailing to maintain safety.
We need power generation to run the propulsion, we need power management to control the power. We need navigation to understand where we are. Even the whole life support element of this is important to maintain safety. And that's why there are regulations and there are requirements to the amount of equipment that needs to stay operational in order to be compliant with safety standards.
And therefore, if we manage to break something by testing or by disconnecting or doing something, that can severely compromise not only actual safety, but also the compliance, you know, compliance in general, which means that we could be prevented from sailing also.
So there are a ton of elements that come into managing a ship, operating a ship, maintaining safety, and cybersecurity is just a part of it, which is quite small, but may have a big impact if misused.
[00:10:24] Speaker B: Yeah. And that's where I just gave a talk at Defcon.
Actually, you and I were together in Idaho talking about CIE, you know, cyber informed engineering, and how cybersecurity needs to be part of the overall system conversation in design, beyond just being a bolt on, you know, cybersecurity thing, but from a part of the system making sure that it is done safely. It's done reliably. There's, you know, and cyber is a risk. But, like, to your point, it is a small piece, but it is a significant one, just like the other. Availability. Like, if you look at the CIA triad, like, we don't care as much about confidentiality. Not that it's not important. It's just not, it doesn't trump availability, which to me, availability and safety are kind of linked together there. Right. Obviously, you just, you mentioned availability of your systems is directly correlated to the safety of the ship and the vessel and the people and everything around it. Because if those systems go down, then you can't control this big moving piece of thing that's in the ocean and just floating, and then that bad things can happen, which is not obviously what we don't want to happen. And that's where we're dealing in OT. So how many. How many types of. I mean, how ships are huge, like, they're roaming cities. So I imagine they have very similar types of systems. And how many numbers of systems and types of things are you having to look at on a large ship like, like you guys are dealing with?
[00:11:57] Speaker C: So on the it side, we have a number of systems which would equate to a medium sized corporation.
[00:12:05] Speaker B: Right.
[00:12:06] Speaker C: Everything is tied into the passenger management systems. It's connected to the, all the shops that we have, all the services that we offer. But on the OT side, many people like to think of a ship as one large factory.
A ship is a constellation of between 30 and 70 smaller factories.
[00:12:35] Speaker B: Okay.
[00:12:36] Speaker C: You have power as a plant. You have water.
[00:12:41] Speaker B: Reverse osmosis water treatment facility, just like you would in a city, right?
[00:12:45] Speaker C: Yeah. Yes. I mean, reverse osmosis is for generating drinking water. You would have water treatment for the ballast water before we let it out. You would have treatment for all the sewage water. So many people don't even realize the amount of treatment that we give water before we let it out. It's actually cleaner than the water we take in.
There are a ton of functions that we need to have running.
In general, we can do almost everything ourselves on the ships. We need to load food, we need to load fuel, a small amount of chemicals for this and that. But otherwise, we produce a lot on ship. We treat a lot on ship, so we can. It's very self sustaining.
[00:13:36] Speaker B: Yeah, that's impressive. I mean, you know, I've been on a cruise and I've seen it, but, you know, I've also been, because I have that ot background, you know, even though I didn't take tours of those locations. I knew they're there. Like, I know there's a fully generating power plant that that's running this whole thing because you don't have all this electricity and, you know, slot machines and lights and pumps on the pools and all of the things, if you think about and you really break down, there's so many subsystems that make all of those things work that, that are huge, even beyond, you know, I've done some conversating and working with, you know, like the military. You know, Navy. Obviously, their ships are huge as well. But even them, they don't have some of the entertainment type things. Like they don't have a pool on deck. Like, obviously they have other things, but they don't have a pool. They don't have a casino. They don't have, you know, water slides and, you know, roller coasters. And a lot of the things that a lot of these amazing ships have these days that are just huge and thousands and thousands of people that all of those system and different than in the military as well. You know, if one of those systems goes down, the military, you know, an ancillary system that's an entertainment type. You know, they're. They're soldiers. They. Yeah, they may complain, but they're, they're there because they have to be. Whereas if I'm paying customer and one of those systems goes down, then you have customer, you know, upset and I having to give refunds, you're losing money. Like, all of those things are impactful from a financial perspective as well as customer satisfaction and all those types of things. So that's an amazingly huge thing with a bunch of balls in the air that all of these things have to work perfectly in concert to make sure that each one of these trips are successful to all the people that are coming on people. And it's just a huge amount of moving parts to be successful and relying on technology for a lot of that, of course.
[00:15:36] Speaker C: And while the systems might be categorized differently, you have it, you have entertainment, you have ot, etcetera. And even within those categories, there are different categories of systems.
We do tend to treat all the systems with the same seriousness, if you will, because for us, it's if the financial impact on a cruise is no different from, you know, lack of entertainment than lack of propulsion. So the systems that we have on board, as we categorize them in it and OT and ET, we still consider all the systems important.
So when we do assessments, when we look at how to protect them, when we analyze the attack surface, the exposure, etcetera. We treat all systems similar.
The connections that these systems would have to our corporate office are also treated in the same way. No matter if they are for an entertainment system or an IT system. It's all equally important. Important because it provides access in one way or another to the ship.
[00:16:50] Speaker B: Sure. It's obvious in OT. And it. We have. There's lots of incidents that have happened in the world, right. Colonial pipeline, all these other things that have impacted ot. So there's a lot of argument of, was that an OT attack? Was that an OT incident or not? And I have always been a proponent of that in that it doesn't matter. It doesn't matter if the system was quote unquote categorized as OT. Did it impact the thing? Right. Colonial pipeline, it wasn't an OT system, but they couldn't, you know, measure the amount of things that were going down the pipeline, so they had to shut it off. So it impacted ot. It impacted the availability, the reliability. The same thing would be truthful in, in your, in your ship. If they couldn't something simple, if they couldn't count all the passengers that are coming back on from port accurately, that's going to impact the ability for your ship to be able to leave port because you aren't able to understand if all of your, now, obviously you have backup systems and all that kind of stuff like this is obviously a very high level example. But it just goes to show systems that are not technically ot can still impact the availability, the safety, the reliability, the y'all's ability to bill. I mean, even going beyond that, like the entertainment systems, as you're, you know, you're buying drinks or you're buying, you know, DirecTV or, you know, the entertainment on your televisions, all those things are going to impact customer satisfaction and your ability to bill, like every one of those things has an impact. Yes. It's not necessarily I can't drive the ship. You know, there's a, there's a severity of the impact, but impact is impact. And you're going to make financial and safety decisions based on the access of those available systems and your backup systems to be able to run through whether or not there's a true incident that we would report as a cyber thing. And that's the other piece. They're not all cyber events. They're not all China trying to attack us or some bad state actor. Sometimes it's just something broke, right. And it wasn't a cyber attack, but it's still something that brought down a system that makes you not be able to do something that you need to do for your compliance and for your internal policy to say, if we don't have these things, then we're not going to do next. Right. We stop here until we find a way to fix this or, you know, have a backup system, etcetera.
[00:19:12] Speaker C: Correct. And that is the largest reason is of course, that everything is now digital. Everything is running through computers. So no matter if you have it or ot, it's running on a computer. And that computer is a computer that you go and buy and just like you buy them, best buy, it's running a commercial operating system. It could be Linux, it could be windows.
So they are subject to the same vulnerabilities that your office computer is. And therefore, because of the safety implications and the operational implications, we have to do much more to protect those. And consider all the vectors that could affect the system. And you're absolutely right, it doesn't have to be a cyber incident. It could be something as simple as a thing that's breaking. Right? We need redundancies, we need spare parts, we need things on board that enable us to fix things immediately. Otherwise it could have an impact on safety or on revenue or our reputation or any element that is part of, you know, running ships. The transition, if you will, from mechanical things in the OT space to.
To digitalize things to computer based systems has enabled us to do a million good things. Right? It enables us to have better control of, you know, fuel consumption. It allows us insight into how we operate the ship, optimize the way that we do things. It allows us to relieve the crew from doing tedious tasks and have them do. Do something that's more meaningful. And with that comes the, let's say, whatever comes with having things running on a computer.
And that's both good or bad. So there are many factors to consider and we just need to ensure that we have all of our bases covered.
[00:21:11] Speaker B: So how many ships do you guys currently have that you have to maintain and kind of keep up with?
It's not a small number.
[00:21:21] Speaker C: I know across the group, I believe it's 68.
[00:21:24] Speaker B: So basically you have 68 cities with 40 to 50 or 70, I think you said different factories inside of it from power plants and all these types of things. So you guys are managing a huge impact.
The scope of that. Most people, I want our listeners to understand the magnitude of, again, human life. Cities at sea, you know, you're going to different countries with different rules and legalities. Like all of these things, customs and passport management and people coming on and joining from different locations, and all of these things are up in the air. And obviously, not all of that is on your shoulders, but as a big entity, all of those things are factors in how you make sure that you get from point a to point b, because the customer just joined, you know, they. They join it at Des, at this port, and they get off over here and did they have a good time? Right? Did they. Did they go see the things they wanted to see? Did they have a good time? Did they swim? Did they drink the food? Was it good food or drink and eat and all the things. But there's so much that goes on behind the scenes to make their enjoyable vacation, you know, effortless. Like, they. They don't want to see behind the scenes. They just want to show up and get a drink and get a coffee and get a donut and get the food and. And all the things. But there's so much that goes on behind the scenes that most people don't even see or understand.
[00:22:48] Speaker C: You're absolutely right.
The experience that comes from cruising is largely because we have a fantastic crew. I would say no matter which company you cruise with, no matter what ship you're looking at, the crew that's working on that ship is working really hard day and night, to either deliver your cargo, make sure that you have a great cruise, you know, sail you from point a to point b if it's a ferry or whatever it is.
So ship crews work really, really hard, and they deserve much more respect than I do because I'm on the ship for a week and I just do my assessments. But these people, they work 24 hours a day, working much, much harder than shoreside people. And of course, we are dependent on each other, right? But here's the thing, right? A ship can live without cyber, but I cannot live without the ship.
[00:23:48] Speaker B: Right.
[00:23:50] Speaker C: That being said, I do see that a lot of people would like to understand more of what's happening behind the scenes, and we offer tours behind the scenes. And I know that other companies do offer the same. So no matter which cruise ship you're on, which company you're with, take the tour. It's really interesting, if you've never seen the bridge of a ship or the engine control room, how we do waste management, especially on waste management, a lot of people believe that. Yeah, you do this and that with the trash, and you pollute the ocean and whatnot. We don't do that at all. In fact, we have people full time sorting trash, compacting it, recycling it, sending it off to the right locations to be processed.
I don't actually know how things happen on the shore side once it's offloaded, but you would be surprised what actually goes on behind the scenes on a ship.
[00:24:52] Speaker B: Yeah. I mean, the logistics of all that you just said, right. You know, think about how many people. You know, thousands of people, just from a customer perspective, but also the crew, the food, the water, the. The, you know, the luggage. I've only taken one cruise. You and I talked about this in Idaho. I've only taken one cruise. My wife and I went, but, you know, it was a big ship.
It was Royal Caribbean, and the amount of how fast we were able to, you know, check in, give our bags, you know, we got onto the ship, and, you know, a few hours later, my luggage ends up in my room. I mean, the. The logistics of just that is. Is mind boggling because they're going through all the things in the background, and then they end up in my room, you know, and then the whole week, like, you know, where I'm gonna eat and food, and we're going into different ports and we're stopping at different islands, which are in different countries and. And all. And all of these things, and managing thousands of people getting off a ship and thousands of people getting back on a ship and in a timely manner and making sure nobody gets lost and left behind. And there's just so many things to consider and also the cybersecurity and the safety systems that are in the background that are running as well that, you know, that are managed. So I agree. Like, there's a great example of ot is everywhere, and I think it's important for people to start looking for it. So when you take the cruise, go on the tour, like, because it'll be fun. It's going to be amazing, but you'll see the things that are supporting you. Right. You know, I went to black hat, I think, last year. My wife went with me, which is in Las Vegas, but not too far from there is the Hoover dam. So we rented a car and drove to the Hoover dam, and I took a tour with her, which, you know, I grew up around power plants. I've seen them a thousand times. I've seen all the systems in there. But for her, it was. It was eye opening because of the size of the machines and the turbines and all the things that are there. And even for me, it was impressive because the Hoover dam, in and of itself, if you've never been, I highly recommend. But little things like that, like you, it opens your eyes to see the complexity of the things that many of us take for granted. We turn the light switch on and the lights come on, but we don't exactly understand. Most people don't understand how difficult it is for these lights and this technology to work. I remember setting up our home Internet and having battery backup, and we were in the middle of a storm, and right after I did it at home, we lost power. There's a rainstorm, and I'm in Texas, so there was, like a tornado, and my kids and my wife were sitting in the living room, no lights, but the kids are still on their iPads and on their phones surfing the Internet. And I looked over at my wife, and I was like, you realize what's going on? She's like, no, what do you mean? I'm like, you realize we're all still on the Internet? She's like, yeah. I'm like, you don't realize that we don't have electricity, but our Internet still works. And she's like, oh, how's that? And I'm like, exactly. So I kind of explained it to her, but it was. She didn't even. She didn't even think about it, right. It was just. It worked. She knew it was going to work because I just make sure it works. And she just took it for granted. Now she sees it, but it's just funny little things like that. It didn't take me much. It's not like I'm a rocket scientist. I just put a, you know, a battery backup so that the Internet equipment would stay up. But still, that was something that she didn't even recognize. She just expected it to work, because our Internet always works.
[00:28:23] Speaker C: No, that's true. I mean, the. The amount of dependencies it requires just to have, like, a small app on your phone running or, or your Internet be up, or as you said, the lights in your house to beyond. It's amazing.
Previously, it required a lot of humans. Now it requires a lot of technology.
[00:28:44] Speaker B: Yeah.
[00:28:44] Speaker C: And so operational technology, while many people might think, yeah, well, it's just this, or it's just that.
The most complex things that we have are controlled by the simplest, right, the relays, the switches, the contactors, the PLC's that control. Those things are so simple, right. But it all plays a small piece of a much, much bigger and very complex system that has dependencies far beyond what you can even imagine just sitting in your house.
[00:29:25] Speaker B: Absolutely.
[00:29:27] Speaker C: I know you said you're in Texas, and I know that the power grid is disconnected. We're not going to get into that in the rest of the US and in Europe, the interconnections between different power grids in different countries, the way that the power is converted and switched and transmitted from one country to another, when there is too much sun here but not enough baseload over there, we transmit power. You know, we converted. We converted to high voltage. You know, some cables are dc, so we have to convert ac to dc, then convert it back. It's absolutely mind boggling, the complaint.
[00:30:15] Speaker B: Yeah. And, you know, diving into that real quick is, you know, there's a reason. So I've worked for 20 something years, and a lot of that time has been spent in power utility in Texas, you know, and Texas is its own grid, but part of that is because of the reliability, because, you know, the United States is so large. Um, you know, the east coast is a grid, the west coast is a grid, and Texas is a grid. And part of that is because we need. People don't understand, but you need power to start a power plant. Like it's the chicken and the egg conversation. I can't fire up a power plant without electricity. I need electricity to start the electric power plant. So there, there's a. There's a process called black start. So we have these black start plants that can start from diesel fire generators and things like that. That can get one going, and then that has enough energy to get the next one going, and then the next one, and the next one, and then you can get enough rolling generation going so that you can start the grid back on track. So Texas has dc ties. So AC DC, we have DC ties into Louisiana, Oklahoma, Arizona and Mexico. And the reason for that is because part of that is because of, back in the day, the east coast, we had black rolling blackouts that impacted the entire east coast of our country.
And the cool thing with the way that Texas is, obviously, we've had some issues here recently with the Texas grid, and I'm not defending that at all, but the larger grand scheme of the design of this decades ago was. So if the east coast went down, we could, because we're DC tied into east coast, their rolling blackout wouldn't impact us, but we could feed them back to help them get started back up again. And then the same thing, if we went down, we're not going to impact or bring them down. We're not going to be an additional domino that's going to knock them over, but they can help to start us back up. And the same thing with Mexico, the same thing with the west coast, et cetera.
That's a great example of these systems are so large and complex, it's well beyond most people's even understanding.
Even me working in power utility for so many, and my father before me worked there for 40 something years. I have a very high understanding of the power grid in this country and even in Europe and other countries as well. But still, my understanding is, you know, still here, which, you know, there's people that are far more understanding of it than me, and I couldn't tell you exactly how it runs. I understand it at enough level to talk about it semi intelligently on this podcast, but I'm not, I'm not one of the engineers that could make it work. For sure.
[00:33:03] Speaker C: We have the same on the ship.
Starting a ship from cold happens using the emergency generator, which is device that's not powerful enough to power the, to propel the ship, but it provides enough power to allow us to start all the dependencies that allow us to start the bigger engines and generate propulsion power.
[00:33:24] Speaker B: Yeah. So, yeah, well, it's like if you saw the, what is it? The Apollo movie with Tom Hanks Paul 13, where they're trying to do the startup procedure when they couldn't land on the moon, and they were trying, they only had so much power, and if they started up, they had to figure out the procedure in the, in the, uh, uh, on ground so they could give him the procedure. Because if they started up the wrong way, they trip circuits and they didn't have enough amperage to start up their systems. And when they figured out if they turn these things off and they start up in this process, then they had enough power. Right? We don't. Again, all of these things are interconnected, whether they're cyber, whether they're. But, but they're all digital, you know, working in a, in a nuclear facility. Um, a lot of the nuclear power plants in our country, in the United States specifically, they were designed in the fifties. They started being built in the sixties and late seventies, and a lot of them were turned on in the eighties. There's one in Texas that I used to support, and it was commissioned in the early eighties.
The technology has changed drastically since it was designed to. Now, a lot of the systems it was designed on and they got their license on are analog. Like you said before, they're very simple relays, you know, very simple systems and processes. Since then, we've, we've added different technical capabilities, digital technologies, ethernet, that kind of thing. But those, those tertiary systems are still analog. So when we've added capability, because we wanted to get more visibility and control and automation out of things. We added to it. We didn't take away. So we didn't replace the analog system in this system. We added an additional digital system in series so that I could get that data. But if that thing fails, it's still going to fail. Back to the physical old school tertiary backup system. So we have, and obviously in a, in a, in a nuclear environment, there's obvious reasons why that is. I'm sure you guys have a lot of similar type things in safety and tertiary and multiple redundant capabilities because there's high risk. There's high, there's a lot of stakes when we're talking about past your lives and thousands of people and, and life and limb and environmental and like all of those factors. So where, you know, the, the little factory that's building toilet paper like you mentioned, the risk isn't that high. The worst case scenario is, I mean yes, there is safety issues in any physical thing like that, but you know, maybe it's a few people not saying that that's a, that's an acceptable loss, but at the same time it's not the same as, you know, four or 5000 people on a ship that, that could be impacted by an incident. So obviously you're going to focus and spend more and have more tertiary and more safety systems to ensure those critical processes are not at ever, we're never going to be unable to control. Like maybe it goes back to a manual process, but I still have control in some way.
[00:36:20] Speaker C: Correct? Correct. All systems that we have on board, especially safety related ones, have manual control. So the way that ships have evolved over the last 50 or 60 years is that they've undergone an era of automation. And what that means in practice is that we're still doing the same things on the ships that we did 40 years ago, but we're now doing it digitally. That allows us to use less crew to monitor the ship. We can now have crew come and entertain the passengers instead of sitting down and looking at the gauges and the bars and, you know, temperatures and whatnot. And with that, as you said, we've just, we've added things on top of the physical layers that ease management, ease monitoring, ease control, but they do not take away the fundamental function of that. I mean everything is still physics. So we will have, while we do not necessarily in the engine control room, have all the manual controls there because now everything digital and happens on monitors, we can always go down in the engine room itself into the machinery space and press the button. Yeah, because that's where the magic happens.
The engine control room is a quiet, climate controlled space that it's comfortable for people to sit in so we don't have to send them down in the machinery space all the time.
[00:37:55] Speaker B: Absolutely. You know, even something as simple. And again, this is something that, if you haven't worked in an OT space, something as simple as what we call operator rounds. So if you think about when you've got, you've got equipment. Back in the day, before, we had all the capability to digitally send data and be able to read the setting of a valve or the temperature or the pressure on a particular area, you had to send an operator down there to look at a physical gate and inspect, okay, this is within tolerance. So they would have to do that every so frequently throughout the day. And they would have certain machines and equipment that they're responsible for. So they would physically walk those things, put hands on things, look and make sure things sounded right, things looked right. The pressure, like all of those things, those operators could just touch a pipe and understand, because they've known what good looks like and what bad looks like. They know when something's out of the. Out of norm, right? It's like you're in your car and. And you've driven it for a thousand miles or, you know, for a long time, and something's not right. Like there's a vibration, there's, you know, it's not shifting right or whatever, you can just tell because you've driven that car so many times, you know what good feels like and you know, something's different, right? So that's what we used to do. It was all physical. We still do that, but we don't have to do it as much with humans because we have more ability to trend and get those readings digitally, remotely. I can send those, those. Those trends and the temperatures and pressures and valve placement and all that type of stuff to these computer systems. Now we can. We can better say, hey, instead of having to go do these things all the time, I can send them, hey, there's something going on here. Go check. Go take a look at that thing again. That doesn't mean that we don't send an operator to do random to make sure that the gauges are accurate, but it means that I can do more with less with less people that have to physically put hands on things. It makes us more efficient. It means that we can do more with less. As far as needing 15 people to do the job now, maybe I can do it with a few and be more efficient and better outcome because of that, because of the other capabilities that the digitalization has brought us.
[00:40:10] Speaker C: Correct. Digitalization is a, you know, huge new thing in maritime, especially given the whole discussion of decarbonization, the switch to alternative fuels.
It helps us understand our operations. Right. We can now measure things that were impossible to measure before or, you know, really difficult to measure before. We have sensors everywhere now. We can tell you anything at any time on the ship that you can say, well, okay, this is impacted by X or Y or Z. If we trim here, if we do that, if we add or change or remove something, then we can optimize the operation. We can save fuel. We can lower our emission.
We can sail faster or slower. We can arrive just in time at a certain port because of X or Y or Z. So it really has had a huge impact in shipping, and we'll continue to have that over the next many, many years as maritime sort of catches up on the digital evolution with big data and AI and whatnot.
[00:41:27] Speaker B: Yeah, that's exciting. I can't even imagine people that got on the a ship, you know, in the 18 hundreds. They probably, you know, coming from another country. Let's just talk about people that came to America, for instance. You know, that they got on a ship in Ireland or Scotland or wherever they were coming from, and they'd probably never seen or really understood what this America was or this place that they were going to. They got on a ship.
They probably weren't sitting in a, you know, a fancy nothing like what you're sitting in today in the comfort and Wi Fi and food and drinks and air conditioning and, you know, all of that type of stuff. And they traveled across the ocean with analog systems with physical people running them. Obviously, we've heard of incidents like, you know, hitting icebergs and things like that in the middle of the ocean, but storms and, you know, loss of power, any number of things could have happened, not to mention even further back than that, when people used to sail, you know, across the ocean with. With completely analog, you know, no. No systems whatsoever. Just wind and sails. Like, that's just. It blows my mind, the ingenuity of humans and how far we've come in a relatively short amount of time to the capability of the vessel that you're sitting on today and how people just take it for granted. Like, they don't think about any. They just get on and have fun and they get off and, man, that was amazing. Right? And the amount of work that goes into it and the safety and how far it's come from, you know, the Mayflower, these wooden vessels to, or vikings that came across on little bitty, you know, not even ships, boats, more like to now these huge things that, that are multiple, you know, 1015 stories tall with, you know, swimming pools and tennis courts. And it's just incredible that we take it for granted these days and, yeah, let's go on a cruise.
It's simple and it's fun. Let's take a ten day cruise and take the whole family and unlimited food and it's just a blast. And, oh, we happen to be floating across the ocean and going to different countries. But that's normal, right? That's super normal.
[00:43:48] Speaker C: I'm happy you take it for granted because that means we're doing our job right.
[00:43:52] Speaker B: Exactly. That's the funny thing. It's not funny, but it means that we're doing right things right. So when we talk about all this digitalization and, you know, I'm a parent, I've got three kids, and, you know, we look at technology and you can see a lot of negative things with technology, with, you know, people zoning out and social media and politics and all the things that you see and. But there's a lot, there's so much good that has come from digitization and the technology that we have. Our cars are safer. You know, I've got, you know, crash detectors in my car and airbags and, you know, all of these things that it's a lot safer now to be to the point that nobody was taking a cruise for fun, you know, 200 years ago. Like, they were doing it to get from a place to a place, like, and it wasn't really an enjoyable trip. They just grin and bared it, right? It wasn't like it was. Now some of the wealthy, obviously, that that's a different conversation. But everybody can afford to go on a cruise. Everybody can. Can go and enjoy and be, like, luxury back then, right? Anybody can do that and have a trip and get pampered and have that. It's literally available to absolutely every person within reason. But, you know, obviously it's not free, but it's attainable. It's not unrealistic, it's not millions of dollars. You don't have to be a millionaire. You don't have to be independently wealthy. Like, this is something that everyday Americans and people from all over the world love and experience, and it's not out of reach, which is incredible to say how much technology and digitalization has made that, because this, it's safe, it's affordable, it's repeatable. Like all of those people. Process and technology have made it so that everyday people can, can attain this thing that is, again, 100 years ago was unattainable unless you were super wealthy. So. So with that, I appreciate the time and I know that you're in the middle of. Of an assessment and also in the ocean, which is just super cool. This is the first time I've had a guest join me that wasn't on land, as far as I'm aware.
So with that kind of closing question I always give to folks is, what is one thing that you seek in the next five to ten years coming up over the horizon? And you can focus it specifically on maritime that maybe is concerning. And what's one thing that is exciting that you see coming up over the horizon in maritime cyber?
[00:46:24] Speaker C: Yeah, of course. I mean, as we digitize more, the number of dependencies that we have on computer based systems increases.
We depend more on the connections that we have to shore side. We also want to deliver an experience to our passengers that also depends on all of these systems. So we need more efforts put into understanding the new digital solutions that are coming out and how they potentially could affect our operations, our systems, our safety, and be proactive in terms of, you know, preventing things from happening.
[00:47:13] Speaker B: Sure.
[00:47:14] Speaker C: On a more positive note, and this is very, very maritime specific, the various organizations and lawmakers in maritime are starting to align on maritime requirements, securing on the cyber part, maritime as a whole, there are now more cyber requirements to systems that operate the ships, both in the OT and the IT space. And that means that we are less susceptible to bad actors.
We will continuously improve cybersecurity on the ships. And as legislators become more aligned and more aware of actual risks, we go into a future that is similar to other elements of shipbuilding, more prescriptive, and offers actual solutions.
[00:48:21] Speaker B: Sure.
Now that's so true. And as you were saying that all I was thinking of is, you know, relatively recently, we've started having Internet available on airplanes, right. And now everybody takes it for granted that it works. So when, for whatever reason, Internet access stops working on a plane, people complain about, you know, I just can't believe the Internet didn't work or it was slow or whatever. Like, do you realize you're flying 30,000ft in the air, hundreds of miles an hour, and you're surfing the Internet? It's like the, the discussion I had with my wife about, you know, the Internet working in the middle of a power outage. You don't think about what it takes for that to work. You guys have a giant ship with thousands of people on it in the middle of the ocean, and if the Internet goes down, you're going to have a bunch of upset people, which is funny because the amount of things that it takes to make all of that work is beyond most people's comprehension. But people take it for granted, and that's a good thing. Like you said before, we want them to take it for granted because that just means that you're doing your stuff right. But the amount of things that it takes to make all of that, that trip be successful is incredible. So I'm excited to see the changes and the focus being put in the maritime environment, obviously for the entertainment side, but also in shipping and all of the things, because we are, as a society, very dependent on our maritime environment, both for entertainment, like on a cruise ship, but also getting goods and services across the ocean. And there's just no better way to do it that we've come up with today. You can, you know, planes are only so big and you can only put so much stuff in there, whereas in on a, on a merchant ship, you can put thousands and thousands of containers and ship all sorts of stuff from cars to, you know, weight is almost no issue. So it's very important. And we see that with terrorists that are going after things in certain parts of the country or of the world where it's slowing things down and it takes longer, which means it's more expensive and it increases the cost of goods because it takes more money to get things to where they need to go. So all those things are impactful. And cyber is a big piece of that as well. Obviously, it's a relatively small piece of that does not mean it's insignificant. So I applaud you, sir, for all that you guys do. And definitely next time I take a cruise, I will definitely be taking the tour and taking my wife so she can see all of the dependencies and all the cool stuff behind the scenes that go into making that awesome experience so effortless.
[00:51:03] Speaker C: As a customer, I'm happy to have had the opportunity to, to join this podcast, and I hope that I've inspired you and your listeners to, you know, open your minds a little bit about what actually happens on a ship.
[00:51:18] Speaker B: Absolutely. Very, very behind the scenes, literally as you're sitting on a ship, which is so, so cool. So. Well, thank you, Chris, for joining me. I really appreciate your time, sir. It's been a long time coming, getting this, getting this scheduled. So I appreciate you, you being here and taking time with me. And I look forward to seeing you again in the future, sir.
[00:51:36] Speaker C: Thank you.
[00:51:37] Speaker B: You, too.
[00:51:39] Speaker A: Thanks for joining us on protect it all, where we explore the crossroads of it and ot cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this every evolving field. Until next time.
