In late June this year a massive ransomware attack brought many businesses throughout the world to a complete standstill, extorting the equivalent of millions of dollars. While shipping authorities such as BIMCO had for some time been screaming about how shipping is vulnerable to cyber-attack, many had perhaps imagined that the industry’s relative lack of celebrity compared with banks and Fortune-500 companies would save it.
Unfortunately, those people had a rude awakening when it was found that amongst Petya’s targets were Danish ship-owning giant AP Moller Maersk, APM Terminals-run Port of Rotterdam, India’s largest container port Jawaharlal Nehru Port (JNPT), and the largest port on the US East Coast, the Port of New York and New Jersey.
The message is clear: cyber security is serious.
Cyber security is an operational issue: it touches on every aspect of how we design, construct, operate and maintain ships and port facilities, and how we train and equip the people who operate them. Security is not just about hacking, but also about the unintentional introduction of malware by employees, customers or contractors.
Research has shown that only 4% of cyber-attacks on shipping companies hit the functionality of ship-borne systems, but 67% affected IT system functionality and 21% caused financial loss.
In terms of attacks on ships, most commonly these originate from compromised USB sticks brought in by crew, Port State Control officers, engineers and surveyors.
How is the maritime industry both learning from and leading cyber security thinking?
Cyber security is the hot topic in the world of Maritime digitization. Emerging Internet of Things (IoT) cyber security guidelines will have particular relevance to systems on ships. In the maritime industry we should also look carefully at where critical inter-dependencies lie, particularly where a network or ship’s system connects to, depends on and trusts the integrity of a system that is outside of the ship. Ship control systems and manufacturers of digital systems for ships are fundamental to the design of security capabilities and so should engage in dialogue now to help define how cyber security will be managed. Ship operators and managers need to identify and address the level of cyber security awareness, training and capabilities that will be required on ships, as well as from beyond the ship, by the operating company or by third party providers.
How do you know that you are secure?
There are numerous examples of systems on ships and in ports where security can be enforced: bridge systems, including ECDIS and AIS; propulsion machinery (M/C) and power control systems in the engine room (ER); access control systems to ensure physical security; and cargo management systems, including ballast water systems.
When considering the limited resources available on a ship, it is unlikely that each ship will be able to track its own cyber security threats, and instead will need to take information from some authorized onshore service.
Which standards should we use and who is responsible for security?
A useful approach when deciding which standards should be used is to map them to a capability framework – IMO have been particularly helpful in their guidance directing Maritime organizations to consider cyber security under the specific headings of “Identify, Protect, Detect, Respond and Recover”. Security additions such as anti-virus or firewalls also need careful accreditation by OT system vendors to provide assurance that processes will not be disrupted.
Responsibility for security in operation always remains with the operator and this is no different in Maritime. Operators therefore need to be concerned about staff training and awareness, robust processes, security monitoring and security configurations and maintenance.
For cyber security in the Maritime industry to make good progress we need joined-up and consistent thinking across different stakeholders. For classification societies and ship builders there needs to be clarity over the cyber security requirements which are to apply. Manufacturers of digital systems for ships should engage in dialogue now to help define how cyber security will be managed. Operators need to look at the real cyber security awareness, training and capability requirements that will apply on ships. Where they see limitations, they should define the services they will need to have delivered or supported from beyond the ship by the operating company or third party providers.
Ports should evaluate their own cyber security and cyber awareness and take particular care over the security of systems and networks which connect to ships.
Collectively, the industry should do more to promote sharing of alerts about incidents and share best practices, as well as learn from other industries, especially others who use operational technologies. Cyber security will become part of the International Safety Management (ISM) code from 2021. It will encourage flag and port states to address cyber risks and will assist in reducing the probability of the harm caused by cyber-attacks to the maritime industry.
Swiss Singapore Overseas Enterprises
Posted on 13th November 2017