A newly built bulk carrier was recently delayed for several days because its Electronic Chart Display and Information System (ECDIS) was infected by malware. Previously, a ship would simply have used a map to chart its course. However, since the bulk carrier was designed around a paperless navigation system, it was not carrying any. Fortunately, the malware was eventually removed and the ECDIS computers restored. Unfortunately, the delay in sailing and making repairs ended up costing the operator hundreds of thousands of dollars (US) (BIMCO, 2018).
Ships are increasingly reliant on digital and operational technology to control and manage multiple on-board systems. This makes them more efficient, but without proper controls a cyber-related incident could interrupt these systems and disrupt the operation of the vessel. Most safety-critical systems will “fail safe,” but dealing with the disruption can reduce the ship’s ability to meet sailing schedules and generate revenue.
Clearly, cyber risks in vessel safety management systems need to be addressed, especially after 1 January 2021, when doing so will be a regulatory requirement under IMO Resolution MSC.428(98), which expects owners to address such risks no later than the first annual verification of the company’s Document of Compliance.
Typical ship systems that could be vulnerable to cyber incidents or attacks include:
• Bridge systems. These include ECDIS, Global Navigation Satellite Systems (GNSS, e.g. the United States Global Positioning System), automatic identification system (AIS), voyage data recorders (VDR) and radar/automatic radar plotting aids (ARPA). Connections to shore-side systems may increase their vulnerability to denial of service threats or similar disruptions. Systems such as GNSS are used not only to assist with the navigation of ships, but also in the tracking of goods and the provision of precise timing signals for engineering systems.
• Cargo management. Systems used to load, manage and control all types of cargo, which will often have some form of shipment tracking. These systems often need connectivity to the ship’s operating company, and the process of transferring cargo manifests and passenger lists could make them a target for attackers.
• Propulsion, steering and power control. This is increasingly digitised and often requires a remote connection to the manufacturer for maintenance, fault diagnosis and updates. Although such a connection may be controlled and used on an ad hoc basis, it presents an opportunity to subvert systems.
• Communication systems. These include voice and data transmission via satellite/very small aperture terminal (VSAT)/Fleet Broadband (and, less commonly, HF radio). This category also encompasses the use of VHF radio for ship-to-shore traffic and UHF radio and WiFi for onboard communications.
• Other systems. These can include ballast water systems, waste water treatment and heating, ventilation and air conditioning (HVAC), as well as additional hotel systems (point of sale, cabin access, CCTV) on cruise ships. These systems are often not considered as part of the cybersecurity profile of the vessel, but they can act as an entry point for an attacker who may then move laterally to compromise other ship systems.
Since shipping companies may have a range of vessels under management, it is unlikely that a “one size fits all” approach to cybersecurity at sea will work. Instead, a core set of controls and policies needs to be established, with appropriate appendices or practical variations, depending on the ship type.
Maritime is a complex regulatory and legal environment. Vessels are subject to company- and ship-specific regulations, as well as those of the flag state where they are registered and national and international laws. A single journey could see a vessel being subject to a variety of different laws and regulations as it crosses borders or operates within a certain distance of national coastlines. This could significantly complicate an investigation into a cyber-related incident.
Cyber Threats to the Maritime Sector
Threats will often be directed against commercial maritime businesses, rather than directly targeting infrastructure. Of course, marine transportation systems may form part of critical national infrastructure, making them attractive targets for nation states and similar actors intent on denying, degrading or disrupting them as part of a specific action or campaign.
It is estimated that 30,000 vessels globally now have equipment providing them with constant internet access, which represents a phenomenal increase from 6,000 in 2008 (Centre for Cyber Security, 2017). Passengers and crew alike expect and demand access to the internet and social media as part of their daily activities.
System suppliers also need regular connections to conduct remote maintenance and management of onboard equipment. Although shipboard networks can be layered, isolated and firewalled to prevent lateral movement by an attacker, a simple infected USB stick may be enough to breach such defences.
Cyber-related activism may impact the maritime sector. Since it is agenda-driven, determining when an activist threat might mutate into a significant risk can be difficult. However, high-profile environmental or geopolitical events often act as a catalyst, which makes monitoring and understanding such events a key part of modern maritime cybersecurity.
Classification societies are playing an increasingly vital role in helping ship operators, ship owners and ship builders address maritime cybersecurity. In line with IMO guidelines, they have issued guidelines and standards that outline basic cybersecurity approaches and measures for onboard protection.
Guidance is now also provided regarding protection against cyber risks, not only when sailing but also earlier, when vessels are under construction, to ensure “Security by Design.” With reference to the latest IACS recommendations and the ISO 27001 and ISO 27002 Information Security Management System global standards, this guidance focuses on the Information Technology (IT) and Operational Technology (OT) that supports ship navigation. Implementing the requirements of these standards in their management processes will put companies and ships in a better position to evaluate and manage cyber risks.
All in all, a cybersecurity management system for ships would provide guidance on ensuring, implementing, maintaining, and continuously improving the security of companies and ships with the goal of safe navigation.
The ClassNK Cybersecurity Management System for Ships, released in March 2019, provides guidance on ensuring, implementing, maintaining, and continuously improving the cybersecurity management system of companies and ships with the goal of safe navigation. It includes management measures regarding protection against cyber risks in not only the navigation stage, but also the construction/design stage of ships through Security by Design. Additional Guidelines for Software Security, which aim to assist with risk management focused on software used onboard vessels, were also released in June 2019. These guidelines outline the recommended security measures to take throughout the development, integration, and operation stages of the software onboard vessels. These guidelines, together with pragmatic risk assessments and certification services for the maritime sector, are now supporting compliance with present and upcoming IMO and BIMCO regulations.