Cyber secure: accommodating digitalisation in the maritime industry
Like many industries, the maritime industry is moving into a digitalised era, a shift which is taking place at sea, in port, and on land. Vessels are undergoing digitalisation: bridges are fitted with Electronic Chart Display and Information Systems (ECDIS), sensors are installed onboard to measure various aspects of vessel performance, connectivity is boosted to support real-time monitoring and optimisation of the whole fleet, and IT and OT systems* are interconnected to bridge the gap between business and maritime management. On many fronts, the digital revolution enables swifter, more intelligent and interconnected procedures.
However, the forward momentum of digitalisation comes with new challenges, one of which is managing the risks that the new technical infrastructure introduces. While some maritime actors' skills and policies are up to speed, others have yet to address this pivotal issue.
Some reasons for lack of cyber security prioritisation are:
- Shortage of cyber security knowledge
- Insufficient resources and/or support for IT, OT, and cyber security
- Complex IT and OT systems
What is cyber security and who is at risk?
Generally, cyber security (also known as information technology security) refers to the practice of defending computers, servers, mobile devices, electronic systems, networks, and data against malicious attacks. In a maritime context, cyber risk refers to the probability of technological equipment being intentionally affected in a way that may result in operational, safety, or security failures. Such failures may include lost, corrupted, or compromised information or systems. A well-known example of a costly cyber security breach is the NotPetya attack on Maersk in 2017. The company was not the intended target but became collateral damage of a malware outbreak which rendered its IT systems inaccessible and ultimately resulted in nine-figure damages.
As operational and managerial processes become increasingly interconnected and automated, maintaining effective cyber security needs to be an activity that spans the entire organisation, cooperatively both shoreside and onboard. It is a mindset which must be adopted in marine operations and management alike. Since allocating enough resources to cyber security is crucial for long-term success, top management must be engaged and have a thorough understanding of the issues at hand.
By identifying some of the main motives of threat actors, we can understand that all organisations in the maritime industry are at risk. Motives differ depending on the threat actor profile; however, common motives are financial, political, technical, or even military agendas. For disgruntled employees or customers, revenge is another motive. When it comes to financial motives, even small maritime industry actors hold personal data (crew, customer and supplier records) that can be sold on and exploited by a large number of criminal actors. Depending on the motive, common attack methods include phishing, spoofing, denial-of-service (DoS) and distributed denial-of-service (DDoS), malware, and social engineering. The risk of becoming an indirect target, that is, collateral damage from an attack aimed elsewhere, is often greater than that of becoming a direct target. However, even an indirect attack can cause considerable damage, as seen in the 2017 Maersk case where the company was forced to operate at significantly reduced efficiency and lost a vast amount of money.
Industry regulations and guidelines for promoting cyber security
Although cyber security within the maritime industry has been developing for decades, the well-known NotPetya attack on Maersk in 2017 was a pivotal turning point. That same year the International Maritime Organization (IMO) adopted Resolution MSC.428(98), which requires cyber risks to be appropriately addressed in the Safety Management System (SMS) required by the ISM Code. Cyber risk management is now part of the SMS and has been verified at the annual Document of Compliance (DOC) audit since the first annual verification after 1 January 2021.
Of the many guidelines available, shipping companies should prioritise the BIMCO-led "Guidelines on Cyber Security Onboard Ships", which offer a comprehensive set of cyber security actions to be carried out. In addition to the IMO resolution, these guidelines incorporate knowledge from the NIST (National Institute of Standards and Technology) Cybersecurity Framework.
How to get started
In a labyrinth of information, it may be difficult to understand where to start when it comes to gearing up for cyber security measures within your organisation. Alandia has collaborated with experts at Deductive Labs (now Sofecta Labs), an experienced partner in cyber security, to offer a workshop on maritime cyber risks (see link). Today, those in the maritime industry are aware of the IMO's regulation (Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems), but it can be helpful to have a simple list of the practical tasks that should be considered by all shipping companies and mariners:
1. Get top management support for cyber security
Top management support is essential for implementing an organisation-wide cyber security programme. Without the support and budget from top management, the chances of success are low.
2. Identify and assess the cyber security risks in your environment
To know what needs to be done, the risks in the environment need to be identified and assessed so that a comprehensive action plan can be created.
3. Create an action plan to mitigate risks
The action plan, which is based on the identified risks, will be the top management-approved strategy for how the organisation will address and mitigate the identified risks.
4. Create a management system for governing cyber security efforts
There are existing frameworks and standards that can be used to build the cyber security programme so that you do not have to do everything from scratch yourself. Use standards such as ISO/IEC 27001 for the management system, the NIST Cybersecurity Framework for structuring the programme, and IEC 62443 for OT and industrial control systems as a baseline, so that your work rests on a recognised, auditable standard that third parties, customers and regulators already understand.
5. Train all employees in cyber security
Employee support and understanding are key to any successful project. Ensure that your employees, from top management to crew, know what cyber security means and what they can do to ensure that your environment is kept secure. This can be done by cyber security awareness efforts, training, courses, and webinars, as well as through internal communications from those responsible for cyber security in your organisation.
6. Get external help from an expert partner
Cyber security is a complex endeavour that requires specialised knowledge. Your IT and OT teams are most likely already fully occupied with their regular tasks and projects, and it can be easier and cheaper to get help from knowledgeable third parties specialising in maritime cyber security than to recruit scarce experts into your own organisation.
When it comes to cyber security, getting the organisation on board and the systems up and running is only the kick-off. Maintenance tasks must become part of the company's routine operations. While the tasks that need to be carried out may vary depending on organisational and operational structures, the following components should be included when compiling a cyber security checklist:
- Carry out a current state analysis on technical structures, systems and devices, policies and procedures, organisation, and management both ashore and on board.
- Identify risks in IT and OT systems, assets, and data to categorise them in relation to the risks they pose for operations and safety.
- Implement technical and procedural measures to manage identified risks and to detect, protect against, and respond to cyber threats and risks.
- Ensure that there is adequate cyber security training and raise awareness within the organisation.
Once the cyber security management within your organisation has reached a degree of maturity, it may be time to test its strength. Penetration testing (also called pen testing or ethical hacking) is when you "book a hacker" to test your computer system, network, or web application to find security vulnerabilities that could be exploited by an attacker with malicious objectives. For OT systems onboard, agree the scope, timing and methods with the equipment vendors and the crew beforehand: active testing of live shipboard control systems can itself disrupt operations, so such tests are best done on shore-based or spare systems, or while the vessel is alongside or in dock.
Further guidelines and references:
- BIMCO, "The Guidelines on Cyber Security Onboard Ships"
- Digital Container Shipping Association (DCSA), "DCSA Implementation Guide for Cyber Security on Vessels v1.0"
- International Association of Classification Societies (IACS), "Recommendation on Cyber Resilience (No. 166)"
*In a maritime context, the distinction between Information Technology (IT) and Operational Technology (OT) systems should be noted. IT systems normally refers to the traditional company IT and business systems. OT systems, on the other hand, refers to the operational systems and equipment onboard vessels, such as navigation, propulsion and cargo control systems. OT systems are usually less familiar to the IT organisation than IT systems, are more often managed by vendors, and a fault or compromise in them can have direct safety consequences.