Distributing cyber threat intelligence is vital for risk management
National cyber-security centres could be central to the maritime industry’s defence against online threats to shipping and ports, sharing threat intelligence, assisting in cyber-security implementation and responding to defence breaches.
A panel of technical experts discussed the advantages of cyber-security centres during Riviera Maritime Media’s Maritime’s zero-day exploit: port cyber security webinar held on 17 March 2021 as part of Riviera’s Cyber Security Webinar Week.
University of Plymouth research fellow for cyber security Dr Kemedi Moara-Nkwe summarised the threats and vulnerabilities shipping and ports face. Cyber threats could affect operational technology (OT) such as supervisory control and data acquisition (SCADA) systems and IT networks. “Potential consequences are disruptions to port operations and to supply chains,” he said. “Communications and access to online services could be lost, as could access to electronic devices used for navigation or for safety purposes on ships.”
He said countermeasures include direct approaches such as hardening IT and OT systems, improving personnel training and regulatory changes to reduce vulnerabilities.
“There are also indirect approaches such as risk sharing, and projects such as Cyber-MAR, with the aim of quantifying the effects of cyber attacks and proposing risk models that would aid risk mitigation,” said Dr Moara-Nkwe.
Countermeasures for intelligence sharing include investing in national cyber-security centres (NCSCs). “These help to monitor and assess threats, and promote and educate stakeholders on current best practices,” said Dr Moara-Nkwe. In the UK, the NCSC provides regular cyber-security guides and bulletins on security landscapes.
“NCSCs can play a big role in better standardisation of cyber-security assessments in ports, of cyber-security plans and frameworks for identifying attack mitigation measures,” he said.
These sentiments were confirmed by Norwegian Maritime Cyber Resilience Centre (NORMA) managing director Lars Benjamin Vold. He explained that NORMA’s purpose is to build unified resilience against cyber threats for Norway’s maritime sector. “We are finding new ways to collaborate, share best practice and technical information,” he said. “We need to find a holistic way in the industry to tackle cyber threats.”
NORMA was established on 1 January 2021 after more than 18 months of interviews and meetings with shipowners, operators and other stakeholders. They agreed the sector needs to collaborate to reduce the risk of successful cyber attacks.
“Several organisations are willing to move forward and invest time and money in collective cyber resilience,” said Mr Vold. “New technology has been developed for cyber defence purposes, while existing structures and organisations can be built on.”
NORMA provides an intelligence and information-sharing service and an incident response and crisis-support service. “From 1 June 2021, we will be a security-operations centre, with services tailored for the shipping and maritime sector,” said Mr Vold.
NCSCs can provide information on the latest regulations and guidance from national and international authorities covering cyber-risk management on ships and in ports.
McDermott Will & Emery partner Paul Ferrillo provided an update on the regulatory framework and changes in the US, including the National Maritime Cyber Security Plan. The focus of this plan is to establish who oversees maritime security, mostly the US Coast Guard in US continental waters.
Other aims are developing maritime standards and best practice for IT and OT technologies, and strengthening port cyber security best practice through contractual requirements.
“Developing procedures to identify, prioritise and mitigate cyber-security risks for ports and vessels includes developing a framework for ports and vessel assessments to follow,” said Mr Ferrillo.
“Better information sharing, more timely sharing of cyber-security threat intelligence and increased educational training to produce more cyber-security specialists for ports and vessels” would also be in the plan.
Mr Ferrillo spoke about the role of the US Coast Guard as the chief maritime law enforcement agency in the US. He said the national maritime cyber-security plan “rides side-by-side with US Coast Guard’s guidelines for addressing cyber risks” at Maritime Transportation Security Act (MTSA)-regulated facilities (NVIC).
“Which generally require these ports to address and document network and cyber-security vulnerabilities,” said Mr Ferrillo. MTSA requirements are mandatory, while US Coast Guard’s NVIC guidance reminds port facilities of the need to comply with MTSA regulations.
To identify cyber-security vulnerabilities, ports and regulated facilities need to conduct a security assessment and plan to address vulnerabilities.
Ship operator survey
Shipping companies are increasing their response to potential online threats following IMO’s 2021 guidance to incorporate cyber-risk management in all shipboard safety management systems, no later than a vessel’s first annual Document of Compliance audit in 2021.
During Riviera’s Safety first: maritime cyber security webinar, held on 18 March, CyberOwl chief executive Daniel Ng explained how his company’s recent survey of 50 fleet operators found good implementation of some IMO 2021 requirements and cyber-risk management.
He said owners, operators and managers had started training employees and set up “aspects of emergency plans” but much remains to be done. “Shipping companies are still struggling with incident readiness and are not monitoring for attacks on shipboard systems,” Mr Ng said.
Some shipowners do not have people in place to deal with cyber security and are not performing drills or stress tests.
Another worrying issue is the number of onboard systems still connected to vessel satellite communications. “OT that should be air-gapped is unknowingly connected to the vessel business network,” he said. This includes loading computers, closed-circuit television systems and engine-monitoring and alarm systems.
“These are critical systems with loading computers linked to the ballast system for example,” Mr Ng said. “Controls need to be in place. Engine-monitoring systems should be air gapped.”
CyberOwl also examined shipboard computers looking for unwanted and potentially dangerous programs, which are regularly installed. “The top offender is PDF editing software,” according to Mr Ng.
“In shipping, many documents are in PDF format and need to be edited and sent back to offices,” he said. If owners have not installed official software for PDF editing, crew will seek to upload free and potentially hazardous programs “just for the job they need to do,” he commented.
Other unwanted programs found in onboard computers have been gaming, image editing and messaging software. “These do not have [adequate] levels of security and could be back doors for malware,” Mr Ng said.
Another worrying finding was the main communications channel shipping companies use. “Surprisingly, more than 70% rely on email for distributing information about cyber attacks, but email could be taken down if cyber risks arise,” he said.