A

At the end of the day, you're running on information and you're running on that information. Why? It's not just to get from point A to point B and to do it safely and with speed, but because it's a business. And so cybersecurity is a business decision. It's a business risk.

B

Welcome to Embracing Digital Transformation, where we explore how people process policy and technology drive effective change. This is Dr. Darin, Chief Enterprise architect, educator, author and most importantly, your host. On this episode, Maritime Cyber Security, Managing Risk and Cyber threats. With returning guests Betsy Freeman and special guest Brock Hashimoto. Betsy, Brock, welcome to the show.

A

Thanks for having us.

C

Thanks, Darren.

A

Good to be here.

B

Hey everyone that listen before we dive in and today people should know we're going to talk about cyber security in the transportation realm, specifically, really cool stuff going on up in Michigan that we're going to talk about. But before we go there, everyone that listens to my show knows I only have superheroes on the show and every superhero has a background story. And Betsy, you've been on the show before, but I don't think people have heard your background story. So we'll start with Betsy. What's your origin story?

A

Well, I'll scare you with this and I'll, I'll start with the, the back part and come forward quickly. United States Air Force, active duty officer for many years. Went into, left the service right after Desert Shield, Desert Storm. I was my last assignment was at the Pentagon. Went to big industry out to Pricewaterhouse and through its merger PricewaterhouseCoopers for about a decade after that and then returned to my first loved in the DOD and was fortunate enough to serve for on the executive staff of two secretaries of defense in the DoD back at the Pentagon one more time and then retired from the space at the Pentagon as Deputy CIO in the DoD CIO quite a few years later. Then came back to Michigan which is home and founded two businesses, one which was Radius Advisory Group. And I still have that. It's a management consultancy. And what I'm really pleased to talk about today with Brock is our role as Synergist Mobility Accelerator, a 501c3 nonprofit that, that is based here in Michigan.

B

Now Betsy glossed over the the dead body she left in her wake.

A

Oh, man.

B

No, I'm just kidding. No, Betsy is a force to be reckoned with. Very dynamic. Thanks Betsy for coming on the show again. We're gonna have a lot of fun today. Brock, you're a newcomer to the show superhero obviously because I Only have superheroes. What's your background story?

C

Yeah, sure, yeah. So I got into maritime space. I'm a Kings Point graduate and direct commission into the coast guard. I did 11 years active duty in the Coast Guard as a, as a Marine inspector, all things maritime related and transitioned to the reserves in 21 and bounced around a little bit from Fortune 70 companies to startups to everything in between and started. Started Argosy Group about three years ago and just decided to take my knowledge that I learned in the Coast Guard and all my experience and, and jam it into a business because I saw the need for kind of the niche thing that, that I, that ARG offers and, and decided to grow it and actually partnered with, with a couple of Co Cs that I started station way back when with and been in touch ever since. And in. Anyways, yeah, we just, we kind of just jammed all heads together and started Argosy Group. And here we are today, three years later and just getting started. So happy to be here and happy to talk about what we got going on on the cyber security front.

B

So yeah, when I hear maritime and cyber security, I never put the two together because. Right. I mean especially commercial maritime. Right. We're talking moving people and also cargo. And when I think of moving people, I only think of cruise ships. But we know that's not true. There's ferries and there's a whole big huge industry. But what in the world does that have to do with cyber security? I mean, cyber security is the digital world. What? I mean, come on. I mean, unless you're moving data centers. Are you moving data centers on barges or something? I mean, maybe I'm concerned about cyber security there. I. I don't know.

C

Yeah. Yeah.

B

Why is this a big deal, Brock? Because obviously it is. I mean, you're making a, a business out of it.

A

A port.

C

A portion of the business, yes, for sure. Yeah. So, you know, for the longest time ships, you know, weren't connected to, to the Internet and everything else around the world when you were. When I was sailing as around a cadet, you know, email would come through once, once, maybe once a day and it would come through satellite and it was very limited on how you were connected when you were underway at sea and even in port you were, you know, buying a SIM card from, from the agent and putting it into your phone and all, you know, getting phone cars and all these things. But you know, here we are, you know, 20 years later and everybody wants to be connected constantly, you know, with, with, with Starlink, with the improved Satellite communications, you know, it's just easy, it's easy to be connected. And you know, not only the crew but, but the owners want to be connected to their ship. They want to see what's going on. They want to be able to monitor systems, they want to be able to connect, do those things and communicate with those systems on board like they haven't ever really been able to do before. And so with those constant communication, feeds going in and out, data being transferred, there's definitely a threat level there to be hacked. And we've, we've seen that throughout, throughout here in, in, you know, the release 10, 12, 15 years. You know, we've seen that happen from GPS spoofing to GPS denials to all kinds of things. And it's an evolving landscape. And for the longest time, like I said, it was just not connected. That was the beauty of being underway. But now everybody wants to be connected and it's easy. So yeah, just when you can take over a ship.

B

Yeah. So Brooke, let's talk a little bit about that. And Betsy, please weigh in. With your experience in Department of Defense and being a CIO at Department of Defense Cybersecurity, has so much been in the IT side of the house, not necessarily on the operational technology side. Is that still the case, Betsy, that the main focus is on the IT side, even with maritime? Or are we starting to see a convergence happen here?

D

You know what they say, early bird gets the ultimate vacation home. Book early and save over $530 on a week long stay with VRBO. Because early gets you closer to the action, whether it's waves lapping at the shore or snoozing in a hammock that overlooks, well, whatever you want it to so you can all enjoy the payoff come summer with Verpo's early booking deals. Rise and shine. Average savings $550. Select homes only Minimum 7 day stay required foreign.

A

To see a convergence. I, I think the key thing here is, is that whether you're talking about security on a, a military platform, whether you're talking about on a recreational boat, on a ferry, on a barge, that's moving something from one part of the world to the other, people want to do it with speed, accuracy and safety. And they don't want to think about the digits and about what could get them and what could. They just want to do the job. And I think that's the part that not only is part of and has been for, I think for a lot of years now. I work this as a deputy CIO. Not the duty CIO, but the deputy CIO, one of the deputy CIOs. What we constantly looked at is how. How can you do the balance between the regulatory things like compliance and also be secure? Because those are two different things. Same thing in our commercial world. You look, you take an airline flight, you take a ride on the bus, you go on, on a railroad for a visit to, you know, a sister across the state or two states away. You don't want to have to think about, can I use my phone? You know, can we get there safely? Are we going to this? Are we going to that? It just happens, right? That's what this does. It's a. It's. It's a seamless integration between the IT and the ot. There is a very big difference between information technology and cybersecurity. And so people still get those confused many times in business. Sometimes it gets confused in other corridors too. But the convergence of those things, to your point, is so close now that you really. It doesn't make them the same thing. It just means that they were highly dependent. It's an ecosystem of all the things that we run, right?

B

Well, and this is kind of breaking down the traditional. And Brock, you already kind of mentioned this. This is breaking down some of the traditional isolation that existed on ships, right? And the OT space, right? If I don't have connectivity, no one can hack me, right? Except for. Except for maybe GPS jamming, right? But even with a GPS jam, I have other techniques I can use to find out where I'm at. Bring out the sextant, bring out, you know, a compass. I can figure it out, right? But that's all, like Betsy said, that's all converging. So now these ships are starting to rely a lot more on IT to know where they're at, what speed they need to go. But there's also another boundary on the ship between the operational side and the IT side. Is that boundary still intact? Are they starting to merge those two? Like the things that control the engine or the things that control cargo, you know, temperature or, you know, any. Anything that's controlling the physical world. Are they starting to break down those barriers too, or are those still intact?

C

So I would say yes and no. They're still intact for now. But there's. There's this constant push to know no more, no more. Right? From the shore side, the. The vessel operators are there seeing it live. But, you know, the charters want to know what's going on. The, the operators, the owners, they want to know, you know, what's going on so they can monitor things. So this big push to push data off the ship to let those people know what's going on. What, you know, all these things. Yeah, I would say it's, it's delineated now, but it's quickly becoming merged together. Very quick and fast. Yeah.

A

Darren, it all comes down. I'm sorry, Go ahead.

B

Go ahead, Betsy.

A

Yeah, I was going to say it all. It all comes down to the point that it doesn't matter if you're still using a paper tablet and a sextant or whether you have a transportation management system that's an app on, on the ship. At the end of the day, you're, you're running on information and you're running on that information. Why? It's not just to get from point A to point B and to do it safely and with speed, but because it's a business. And so cyber security is a business decision. It's a business risk. And so it has to. I think that's the biggest thing in the, in the, the, if you, if you will, in the, in the landscape that's emerging. And I'm thrilled to see it in the marine business because there's. There's a lot of, A lot of reluctance in many other areas in the world in transportation. Right. You don't see total solutions in anything else yet. There's a, there's a railroad conference coming up in, in Washington, D.C. next month. That's, that's about cybersecurity. That shocked me.

B

Railroad?

A

Yeah. It's like, wow, okay. Because people are starting to figure out that this is not just something that sits on the side and it's not just an IT responsibility, it's something that impacts the operation of your business. And so to your point, when something starts to impact the operation of the business, now you're talking about return on investment, you're talking about a bigger business risk from reputation and financial and legal and all of those areas. And as that happens, this stuff will converge and it won't be nearly as bifurcated, I think, as it has been.

B

So we're starting to see that happen. What impediments are you seeing out there? That slowing down the adoption of cybersecurity best practices in, in the, in this space, because there's obviously something that has slowed it down, otherwise they would have already adopted it. So what are you seeing out there causing the slowdown?

C

So I think from, from my perspective is what I see is the maritime industry is rooted in tradition to its own fault. That sometimes.

A

Yeah.

C

Right. So if they're rooted.

B

Wait, I got to stop there for a second. Tradition. So do you still get keelhauled if you do something bad in depend.

C

Depends on.

A

Frog. It works good, right?

C

Yeah. Right? Yeah yeah, yeah.

A

Look at that. Yeah, yeah, yeah, you are right.

B

Tradition. Tradition plays a big role here. So culture. Right. Is a big, is a big play. Interesting.

C

Yeah, culture plays a big role. I mean fortunately we're seeing a big. We're at a very interesting turning point in the, in the industry right now in, in involving new technologies and integrating new technologies into the maritime space. And you know, with that comes a different thought of, of how we deal with these new technologies, integrating this cybersecurity into traditional ship systems which have been know, traditionally not off the grid, I guess, if you will. Right. But I think the slowness to adopt. So we've been, they've been trying to push, you know, the international side and class societies have been trying to push cyber security for, for a long time. And I think it's just the, the reluctance to admit that yeah, these vessels are, there is a threat there because it just never was really thought about, I don't think. And, and, and I think a lot of people just don't understand what the threat is, so they just scoff it away, you know, like, oh, I don't really get it. So it, you know, it's not going to happen to me. Like, well, we'll figure it out when it happens. Right. Or, or, or we're not vulnerable to that. So.

B

Yeah. Are there any international bodies that are kind of pushing for better cybersecurity in especially? The thing that comes to my mind is, is cargo. You've got these massive cargo ships.

C

Yep.

B

And if someone were to take over one of those ships, you could do a lot of damage to a city, to, you know, hundreds of millions of dollars of merchandise. There's a whole bunch of risk involved here. So are we seeing any international standards or international pressure being put on, on adopting better cybersecurity best practices?

C

Yeah, yeah. The International Maritime Organization has been, has been pushing cyber security for a while and through classification societies, which are basically the, I would say the overseers of international regulatory compliance is, is kind of how that, how that works. And you know, with, with the backing of the IMO and class societies putting out class rules about how to deal with cybersecurity. Yes, it's, it's been pushed internationally, uh, and it just really hasn't hit the US with the same power as it has internationally just because The Coast Guard actually, you know, regulates all of, all of the commercial maritime commerce and.

A

Got it.

C

It's not regulated by the Coast Guard. It's, it doesn't really apply to, to our US fleet here, US flagged vessels. So, you know, last year in 2025, the Coast Guard finally published and made into regulation some cyber security rules and standards that, that are coming into effect. And I think that if it's not, you know, if it, if it isn't required, it's just not. More often than not, it's not going to be done. So there has to be some requirement, some regulatory backing to really push that piece forward with anything, you know, and especially in the management industry. But, you know, the cybersecurity thing, I think having the Coast Guard finally push those regulations through, making it mandatory is the horsepower that's going to get everybody in compliance, because now they have to. There's no IP and or buts about it.

A

So, yeah, this is like. Go ahead. This is like pushing peanut butter through a funnel. Okay. The number one issue is, and I do this still when I go in speaking engagements, because people ask me the question, what's the number one thing that is a barrier to success with this? And I take my compact out of my purse and I open it and I turn it and I say, right here is a barrier. Okay, it's, it's. And I, I salute the, the Coast Guard for stepping up to do, to put the teeth into this, to actually make it mandatory. But at the end of the day, it does come back down. And you said it, Darren. It comes back to the word risk. You could delete the word cybersecurity from anything. Security is the key. Cyber is part of the overall security of the business of the operational side of the business of the it side of the business, of the economics of the brand.

B

That's really, that's really interesting, Betsy, because you brought up an interesting point. Everyone knows if you're, if you're sailing off of the coast of Northern Africa, East. Northern Africa, Somali area.

A

Yep.

B

You have to have protection or they're going to take your ship. That's just, I mean, we've seen it time and time again. Do we need, do we need a big event in the maritime where someone, someone has hacked a ship and taken over control for people to stand up and say, maybe we should do something about cybersecurity? Or do you think they're going to make that shift on their own?

A

Well, I think Brock and I are both hoping that that shift happens on its own. You can see that I want it.

B

To happen on its own too.

A

But yeah, you can see the telltale signs of all of that. And it's not just in the, in the maritime business. Right. It's in all business. But look at maritime alone, look at the security of ports. You brought up the security of the ship itself. What about the security of the containers? The containers on the ship have computers in them monitoring what's in there. So something could happen with that and the container can blow up. Most of the transportation management systems, what are they? They're apps. And so we know apps can be hacked. And, and what do those transportation management systems do on the commercial ships that have them? They actually, they actually run the ballast on the ship that, you know, they, they keep it, keep it steady in the water, right. So it doesn't go one way or the other and it, and they run all of the functions. So again it's, it's, this is about, you know, operationally if something's going to stop my business and in this case we're talking about marine business. If something's going to have an impact on my ability to operate the business, which is my ability to make money and to generate money. Right. And deliver goods and services as I've, I've committed to people to do via contract, then I got a big business problem. Cybersecurity is part of that.

B

Yeah, no, I can see, see that. So how are, are you guys out there evangelizing? Is that your main thing right now? Get out and evangelize. Teach people in the maritime industry what is real cyber security? Best practices? What, you know, how is it different than traditional it? Because it is different. I mean, you're talking about some OT stuff here, right? And you're talking about, you know, the real world. It is a different story. So is that where you guys are focusing right now is on education and evangelism or do you have solutions that I can go, Brock, I'm going to start my own cargo business. I want to build security in, give me my security, you know, just hand, hand, hand me like a container, I hand it and all of a sudden my maritime business is ready to go. Is it that easy? What, what's your guys approach here?

C

Yeah. So your point? Teaching is definitely an important piece, being educated about what all this is. But you know, our solution is we're kind of, we're kind of past the teaching phase because now we have regulations that are in place that do require people to be compliant from. We've been talking mainly vessels, but this Also affects all regulated facilities in the US as well. So it's a massive, I mean, that we haven't had this big of a maritime security shift since MTSA was formed back in 2004. So. And that was all physical security. That's like something tangible. It's easy. You can stand up a fence one day and be good. Right? Like it's, you know, and there was, there was a lot of, a lot of pushback and waiting till the last minute with, even just with that, you know, so, you know, cyber is a whole different animal. It, it's not tangible. You can't just put up a fence one day and call and be compliant the next. Right. It's not that easy. And so we've recognized that. And I'm not a cyber security expert by any means, but I am a compliance expert and that's, you know, kind of where we, we have formed this, this, this alliance together to kind of partner, to bring a, a one stop, stop, one stop shop solution to the industry. Basically, you know, we have the technical cyber compliance piece of it, the vulnerability assessments, all the things, the technical side that goes into it. We have the compliance piece that comes after and then we have the continued, you know, support after you implement the plan and that's required for the regulation. So again, we're just, we're offered a service to be a one stop shop. You only have to think about it. It's kind of like a done for you model, because it is, it's not, again, it's not something you can just walk into and put up a fence, put up a security guard and call it a day. So it takes.

B

Right, so it's an ongoing, so it's, it's more of a relationship that you have with these. It's not a turnkey. I buy it off the shelf and I'm done. It's, it's a long relationship that you form. And this is where Betsy and Betsy's organizations have come in to help as well. Right?

C

Yeah.

A

Yes, yes, absolutely. We were very fortunate that Argosy invited Synergist Mobility Accelerator to come in on this with our cybersecurity expertise. At the end of the day, I think the shift here is about the mindset, but the time for evangelizing is almost over. We've been evangelizing in the Cyber business for 20 years. You can tell people, but until it hits them, they're not sure they really need to do something. So we got together and said, let's skip that step. Because if you don't believe you don't believe. But to Brock's point, compliance is compliance, and the government's going to require you to do that. And that's a good thing in this particular case. So we joined together and Brock's challenge to me was, hey, you have to find something. Big business is one thing. They have assets, they have resources, they can pay for things. They can take the big scale stuff that needs to be done. Even mid tiers have a much greater ability because they have cybersecurity staff or even just security staff, and at least they have a point of contact within the organization. He said, you, you figure out what the small business solution looks like. Because he said, that's where I've got owners that have a boat and two barges or a half a dozen boats or a boat and a facility. Right. And guess what? They don't have time, they don't have money. And you know what? They don't have the knowledge.

B

Yeah.

A

And so. Yeah. And so what do you say? You know, I have a small business, I started a small business. And my answer to that was, and I'm in this business is I don't have time for that. Who's got time for that? Right? And so. And so, no. So I think, I think that's the challenge that, that they gave to us. And we feel like we, we met the challenge in that we're trying to bring together now, under this really great partnership which we call Trident Shield alliance, their compliance expertise, our cybersecurity expertise, and learning to roll it up into the compliance type formats that are required by the Coast Guard for maritime systems and vessels and facilities, and to get that little small business net out there, too, because that's the part that always gets lost. And they have to be compliant, too. So we put a lot into that with Argosy, and they've allowed us some great flexibility to try to figure out things that could actually meet their clients, where they're at.

B

I love how you guys have taken this approach instead of trying to build up all the expertise in one place that you're forming these alliances. I think it's a great way to go because you can still focus on what you're good at and bring together, you know, this whole thing. You guys, this has been wonderful. I never thought I'd be talking cybersecurity and boats. I never was. Not on my radar. But I know anytime Betsy calls me, I pay attention. And I'm always smart to pay attention to Betsy. She always got. She's always got great ideas, always can bring great people to the show. So, Betsy, thank you for this and Brock, it's been a pleasure speaking to you today. If people want to find out more, where do they go to find out more about about maritime cybersecurity? Especially if I'm a mid sized small company, where do I reach out to get information from you guys?

C

Yeah, you can, you can reach out to us. We have a, a page on our website, argosygroup.com cybersecurity. Find all of our information regarding the Trident Shield alliance and links to Betsy's synergist Mobility and the cybersecurity experts that we work with over there and as long as along with our website and our specialties as well.

A

Yeah, so we start with Argosy because at the end of the day, they are the leader in terms of compliance and if you're already working with them, great. If you're not, you should be. Because then again, cyber becomes one more element of your compliance. It's not a separate thing. It's not something else you have to do. It rolls right into the systems and the compliance and the way they do things. And it's one of the reasons why we are really privileged to be kind of in the sidecar there, if you will, and to bring the cyber expertise so.

B

Well, that's awesome, Betsy. Thanks again guys for coming on the show. Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community@patreon.com embracingdigital where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.

C

Org.

B

Until next time, keep embracing the digital Transformation.