Shipping companies are reminded to remain vigilant of cyber threats as the industry prepares for key security recommendations coming into force, and another shipowner repairs its business following a successful cyber attack
Norwegian cruise and ferry operator Hurtigruten is recovering from a comprehensive ransomware virus data attack in mid-December. This forced the company to close down its servers and online booking services. Its websites were out of action, but were back in operation by 18 December.
This ransomware attack was the latest in a growing series of defence breaches at shipping companies and IMO’s headquarters in 2020. Other victims were Carnival Corp, CMA CGM and MSC.
Shipping companies need to react to the growing threats and be ready for IMO’s amendments to the ISM Code to include cyber risk management into ship safety management systems, which will be enforced from 1 January 2020 (IMO2021).
Norwegian navigational products supplier NAVTOR head of business development Arild Risholm Sæther said shipowners and equipment manufacturers must recognise their key roles in ensuring cyber security on board ships.
In an exclusive interview with Riviera Maritime Media, he warned of the possibility of “digital boardings by pirates capable of mounting cyber attacks” and keeping vessels hostage with no physical attack. “Some countries in the west of Africa are very developed when it comes to doing that,” he said.
Yet many equipment manufacturers do not promote their systems’ security and buyers generally focus on operational features such as performance, ease of use and cost, Mr Sæther said.
While the whole ship is vulnerable to cyber threats, it is its bridge systems that are particularly at risk because of their need for updates, he explained, so both manufacturers and their customers share responsibility for cyber secure bridge systems.
But Mr Sæther believes the lead must come from shipowners and managers, since they are responsible for specifying a vessel’s networks.
He welcomed the imminent entry into force of a 2017 IMO resolution that amends the ISM Code and “encourages administrations to ensure cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s document of compliance after 1 January 2021.”
Many equipment and service providers are already addressing the risks posed when their equipment is updated.
NAVTOR, for example, has supplied its NavBox to ships since 2013 so they can receive updates to charts, publications and other navigational data in a secure and automated way.
In September 2019, DNV GL granted NavBox cyber-secure certification against the International Electrotechnical Commission’s (IEC’s) 61162-460 Gateway standard.
NAVTOR chief business development officer Bjørn Åge Hjøllo said NavBox’s IEC certification confirms it can be relied on to transfer data securely to another system – such as an ECDIS – that also meets that standard. “We are removing, or at least reducing, the need for data exchange by USB stick,” Mr Hjøllo said.
He also spoke of the five-year CySiMS cyber security project for merchant shipping, which is supported by the Research Council of Norway, the Norwegian Maritime Authority and five other partners, including NAVTOR.
This project began in 2016 and is based on the Iris security project in aviation – a joint venture between the European Space Agency, Inmarsat and others – that began in 2014.
CySiMS uses public key infrastructure to encrypt and authenticate messages between ship and shore. Mr Hjøllo referred to an input paper about the project submitted to IMO’s FAL Committee in June 2018.
As a result of feedback from that committee, a service evaluation is now in progress to assess the cost of an operational service based on the CySiMS model, he said.
He is convinced CySiMS will provide a route to greater maritime cyber security and noted the principles behind it are “used successfully in aviation.”
Meanwhile, shipowners need to assert their responsibility for securing their onboard equipment and systems, Mr Sæther said. “They can set the rules” by insisting equipment meets standards such as those set by the IEC because otherwise, with the advent of the amended ISM Code, they face the possibility of failing a port state control inspection and the consequences of that, he pointed out.
And if that were not motive enough, he referred again to his main concern: imagine “the cost if the vessel were kept as a digital hostage,” Mr Sæther said.
GTMaritime commercial director Mike McNally highlighted how shipping companies can ensure they follow IMO2021 guidelines on maritime cyber risk management to prevent failing a port state control inspection.
These guidelines provide the framework for a safer, more secure and resilient cyber space for shipping operations. There are three ways companies can reduce the attack surface and minimise exposure to cyber-threats, said Mr McNally.
The first is to complete a cyber security audit. “Companies need to assess how they are currently managing cyber security then identify and define the roles and responsibilities required for cyber risk management,” said Mr McNally.
This includes identifying which systems, assets, data and capabilities could present a risk to each vessel’s operations if disrupted.
“When discussing cyber security, a lot of people focus on administrative systems (IT) as the source of data breaches,” said Mr McNally.
“However, the cyber threat to operational technologies (OT) is especially important as the maritime industry embraces digitalisation because breaches, can have an impact on crew and vessel safety.
“With this in mind, once a company has completed the audit it is then in a position to look at how it is going to protect, detect, respond and recover in the event of a cyber attack,” he explained.
Each step is important and there are a range of solutions available that can support robust cyber security management.
The next, and arguably an obvious area for vigilance, is to ensure that all software is up to date. “Just one piece of outdated software can offer cyber criminals the route to network infiltration,” said Mr McNally.
“It is not uncommon for individuals to ignore a software update notification, so having systems in place which can provide fleet-wide updates automatically is beneficial, especially given that third party systems interface with ship networks,” he explained.
“Hackers also look for vulnerabilities in software and rely on it not being updated.”
Having processes in place to automatically update and ensure all software is updated therefore significantly reduces the attack surface and ensures potential entry points are secure.
GTMaritime’s GTDeploy product, for example, allows companies to deploy software update patches to remote locations. It has been designed specifically for the maritime industry to meet the demands of satellite connectivity.
Managed through a dashboard it can be deployed across all vessels and computers to facilitate updating patch security holes, fixing and removing bugs and adding new features. Software such as GTDeploy makes what is usually a labour intensive and costly process simple by running in the background and allowing companies to prioritise and control updates remotely.
A third approach is ensuring systems’ vigilance is be matched by vigilance among users. “Ensuring employees are cyber aware is a key factor in preventing a cyber event and they are trained to respond if such an event occurs,” said Mr McNally.
“Seafarers whose contact with the outside world may rely disproportionately on the internet of things need to be especially vigilant regarding phishing emails, discouraged from clicking on links from unknown sources and understand the systems maintaining the cyber integrity of the vessel and its operations,” he recommended.
By reviewing current cyber risk management and addressing gaps, investing in systems which automatically update software and enhancing staff knowledge and understanding, companies can ensure compliance and reduce the risk of a cyber attack.