The world of shipping is no different and in the last decade there has been several advancements in this area although some parts of the industry still remains fragmented and lacking standards in how the business is conducted..
Cyber technologies have become essential and critical not just to the operation and management of numerous systems and processes on board ships but also for the safety, security and protection of the ship, the crew, the cargo, and the marine environment..
These technologies have integrated IT (Information Technology) and OT (Operational Technology) on board ships through networking and connectivity to the internet..
The access, connectivity and networking of these systems has however led to cyber security threats and risks..
What is cyber security and cyber security risk..??
TechTarget defines cyber security as “the body of technologies, practices, and processes designed to protect computers, programs, networks and data from damage, attacks or unauthorized access. In the context of computing, the term security implies cyber security.”
The International Maritime Organisation (IMO) defines Maritime cyber security risk as “a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised“..
Cyber security threats exploits the complexity and connectivity of critical IT infrastructure placing the ship, crew safety and health, its cargo and its security at risk all of which could affect a company and government’s finances and reputation at risk..
Cyber security should be an important component of an organisation’s overall risk management..
Cyber security threats can present itself as malicious actions like hacking or infecting your systems with malware or innocent actions like lack of software maintenance on vessels, incorrect user permissions, weak passwords, unauthorised access etc..
Whether malicious or benign, these actions expose vulnerabilities in the operational or information technology on board a vessel.. These vulnerabilities can be present as a result of design inadequacies, integration capabilities, maintenance of systems and not having cyber discipline..
Both these actions should be considered as credible threats as these vulnerabilities in operational and/or information technology can compromise the security, confidentiality, integrity, and more importantly safety of the vessel and its crew..
Imagine if critical systems like the bridge navigation or the propulsion systems are compromised as a result of cyber attacks..
In some cases, many of these systems may be required to comply with international standards and Flag State requirements and if these systems are compromised, the ships/ship owners may be non compliant with these standards and flag state requirements..
The IMO has identified below systems on board ships as particularly vulnerable :
- Bridge systems ;
- Cargo handling and management systems ;
- Propulsion and machinery management and power control systems ;
- Access control systems ;
- Passenger servicing and management systems ;
- Passenger facing public networks ;
- Administrative and crew welfare systems ; and
- Communication systems
In its guidelines on cyber security on board ships, BIMCO identifies cyber safety incidents arise as a result of :
- a cyber security incident which can affect the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS) ;
- failure occurring during software maintenance and patching ; or
- loss of or manipulation of external sensor data which is critical for the operation of a ship and includes but not limited to Global Navigation Satellite Systems (GNSS)
Gard quotes below live examples of cyber security incidents in shipping
- Researchers from the University of Texas in the US demonstrated in July 2013 that it is possible to change a vessel’s direction by interfering with its GPS signal to cause the on-board navigation systems to falsely interpret a vessel’s position and heading.
- A hacker caused a floating oil-platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down.
- Hackers accessed cyber systems in a port to locate specific containers loaded with illegal drugs and remove them from the port undetected.
- Somali pirates employed hackers to access a shipping company’s cyber systems to identify vessels passing through the Gulf of Aden loaded with valuable cargoes and minimal on-board security, which led to the hijacking of at least one vessel.
- In the Norwegian energy and oil and gas sector, more than 50 cyber security incidents were detected in 2015.
- Ten years ago, the antivirus company McAfee registered 25 new threats a day – now they register half a million threats daily.
- An increasing number of objects are connected to the Internet and may be hacked.
As you can see, there are severe consequences due to cyber security risks ranging from ship collisions caused by hacking of e-navigation to physical loss/damage to ships, crew and cargo which in turn could cause massive operational and economic disruption to a port’s activities and businesses..
Maersk Line found itself on the receiving end of cyber attacks when its systems were targeted in 2017 causing severe disruption to its global operations..
To add to this, things are not getting any easier as today’s technologies could become obsolete tomorrow making it all the more difficult to address, contain and stay on top of these risks..
The IMO via its Resolution MSC.428(98) has encouraged its members to ensure cyber risks are addressed in safety management systems and has made cyber risk management onboard ships mandatory as of 1 January 2021..
What is Cyber Risk Management..??
Cyber risk management is the process of identifying, analysing, assessing, and communicating a cyber security risk while accepting, avoiding, transferring, or mitigating it to an acceptable level after due consideration of costs and benefits of the actions..
The goal of maritime cyber risk management is to support safe and secure shipping, something that is resilient to cyber security risks and a natural extension of the existing safety and security management practices..
Companies interested in carrying out effective cyber risk management should incorporate this as part of their organisational culture wherein this cyber security risk awareness should start at the executive and senior management level and filter down to all levels of the organisation..
This will ensure a holistic and flexible cyber risk management regime throughout the company.. This of course should be in continuous operation and must be constantly evaluated through effective feedback mechanisms..
As per the IMO’s cyber risk management guidelines, “One accepted approach to achieve the above is to comprehensively assess and compare an organization’s current, and desired, cyber risk management postures.
Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritized cyber risk management plan. This risk-based approach will enable an organization to best apply its resources in the most effective manner.”
BIMCO’s cyber security guidelines were formulated based on consultation and inputs of around 16 organisations from shipping companies to communications providers while many classification societies have published their own guidelines and best practices..
Shipping lines and cyber security risk management
Not to be left behind, a grouping of some of the leading container shipping lines in the world have also published their cyber security implementation guide to facilitate vessel readiness for IMO’s Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems..
The Digital Container Shipping Association (DCSA), is a neutral, non-profit group consisting of MSC, Maersk, CMA CGM, Hapag Lloyd, ONE, Evergreen, Yang Ming Line, HMM, and ZIM as its members..
DCSA which was established to further digitalisation of container shipping through technology standards has published its cyber security implementation guide..
The best practices outlined in this guide will provide all shipping lines with a common language and a manageable, task-based approach for meeting the IMO’s January 2021 implementation timeframe..
As per DCSA, this guide aligns itself with existing BIMCO and NIST (US National Institute of Standards and Technology) cyber risk management frameworks, enabling shipowners to effectively incorporate cyber risk management into their existing Safety Management Systems (SMS)..
The DCSA guide gives shipowners the tools they need to help designated technical crew members mitigate the risk of cyber attack, or contain damage (fail safe) and recover in the event of an attack..
Thomas Bagge, CEO of DCSA says “As shipping catches up with other industries such as banking and telco in terms of digitisation, the need for cyber risk management becomes an imperative.
Due to the global economic dependence on shipping and the complex interconnectedness of shipping logistics, cyber attacks such as malware, denial of service, and system hacks can not only disrupt one carrier’s revenue stream, they can have a significant impact on the global economy.
As a neutral digital standards organization, DCSA is uniquely positioned to help vessel owners mitigate the increasing risk of cyberattack on their ships, and in turn, on the industry at large.”
The DCSA cyber security implementation guide breaks down BIMCO’s framework into themes and maps these themes to the controls that underpin NIST’s functional elements: Identify, Protect, Detect, Respond, Recover..
DCSA has also provided non-technical explanations and specific actions to be taken to address each NIST element in accordance with a company’s level of cyber maturity within each of BIMCO’s themes..
Jakob Larsen, Head of Maritime Safety & Security for BIMCO says, “The DCSA implementation guidance provides a thorough and refreshing deep dive into the challenge of how to implement cyber risk management in a shipowner company.
Initially thought of as a tool for container carriers, the guidance can also inspire the thinking in other shipping sectors as well as the ongoing update of the major shipping associations’ benchmark document ‘Guidelines on Cyber Risk Management Onboard Ships’.”