Leading shipping organisations have together launched guidelines to help the shipping industry minimise the risk of cyber attacks on vessels. The guidelines should help shipping companies take a risk-based approach to cyber security to prevent hackers from attacking networks and viruses from entering IP systems. Some shipowners are already working on improving cyber security, but many have not yet started, so these guidelines will bring some welcome support to the industry.
The guidelines for cyber security on board ships were developed by international shipping associations Bimco, Intercargo, Intertanko, the International Chamber of Shipping and Cruise Lines International Association. The guidelines are available to download free of charge for members of these organisations, and will be regularly updated as different cyber threats emerge, so that shipping companies have the latest information available. “The guidelines launched today should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate,” said Bimco secretary general Angus Frew. “The aim is to provide the shipping industry with clear and comprehensive information on cyber security risks to ships, enabling shipowners to take measures to protect against attacks and deal with the eventuality of cyber incidents.”
The guidelines highlight the point that approaches to cyber security should be company and ship specific. Shipowners should be guided by appropriate standards and the requirements of relevant national regulations. The report said that cyber risk management should be seen as complementary to existing security and safety risk management requirements contained in the International Safety Management Code (ISM Code) and the International Ship and Port Facility Security Code (ISPS Code).
Cyber security should be considered at all levels of the company, from senior management ashore to crew on board, for safe and secure ship operations. The guidelines suggest that owners should identify the threats to, and vulnerability of, their fleet. Onboard systems that could be vulnerable include:
Shipowners should use their knowledge of the vulnerabilities to develop a cyber security strategy to reduce the risk of a cyber attack and minimise any losses or damage. At a technical level, this should include the actions that need to be implemented in order to establish and maintain an agreed level of cyber security. There should also be procurement controls for items that contain sensitive information that should be kept confidential, to ensure they are handled according to company policies.
Owners should also develop appropriate contingency plans, to which ship masters have access, so that companies can respond effectively to cyber incidents. If the response is beyond the competencies held within the company, then external expert assistance should be made available. Without a contingency plan, decisions and actions may be made that inadvertently make recovery work more difficult and that compromise evidence.
The Lloyd’s Market Association’s Joint Hull Committee published a report in September 2015 that identified that shipping could be at risk from cyber attacks, as ships are more exposed to the internet. Report author Rod Johnson, marine manager with Stephenson Harwood’s marine insurance casualty response team, said ships could become exposed to the cyber risks that are already faced by the retail and banking sectors. There could be greater risk if IMO’s plan to introduce e-navigation, either regionally or globally, is fulfilled. “As the IMO e-navigation programme gains momentum, the technologies required, as well as the aligned commercial demands of an ever more interconnected world, will increase the exposure to loss as a result of a cyber attack or intrusion,” he wrote in the report.
The report said the risk of loss or damage caused by a cyber crime may well depend on the vessel type. Mr Johnson said the risk is currently low for dry bulk and general cargo shipping. “But it is higher for specialised, or technically advanced, ships engaged in oil and gas exploration and exploitation by reason of remote systems access and the potential vulnerability of dynamic positioning [DP].”
This view was mirrored by C-Mar Group director and chief operating officer Peter Aylott, who said drilling rigs and offshore support vessels and shuttle tankers are vulnerable through the positioning systems. “Any hacker could take control of rigs and vessels using the DP and cause environmental damage,” he added.
Mr Johnson argued that ships could still operate during a cyber attack, even if electronic navigation systems were disabled. “A ship would still be able to manoeuvre, and could either anchor or navigate using more traditional means, provided that the skills to do so exist on board. There is time for owners and operators to plan and ensure that computer systems on board ship and ashore are as secure as is reasonably practicable,” he wrote in the report.
The defences against cyber attacks fall into two broad categories – people-based, and design-based. “People-based defences are generally easier to implement, unless the design defences can be incorporated when ships are built. The concept is that multiple defences from both categories should be deployed to offer defence in depth. There is no single solution to the security problem,” said Mr Johnson in the report.
Despite the potential for security breaches, the shipping industry has only recently become aware of the problem and sought solutions. The Association of Maritime Managers in Information Technology and Communications (AMMITEC) has established a working group to define and confront cyber security issues. AMMITEC chairman and IT manager for Andriaki Shipping Co Dimitris Makris said cyber security should be given top priority. “For years to come it will undoubtedly be an everyday reality that needs to be regulated, efficiently handled and governed by the shipping company and the IT managers or chief information officers,” he said.
“Cyber security challenges in the shipping sector will have to be approached from a different perspective, compared with other industries.” He said this was because there was insufficient software security and assurance during the analysis and design phases, and because of the lack of cyber security regulatory frameworks. Other reasons were the slow nature of satellite communications to ships and IT troubleshooting difficulties that owners encounter. Mr Makris added that Andriaki Shipping was in the process of developing an information security management system.
Thenamaris (Ships Management) is also in the process of developing a cyber security strategy. IT and technical operations supervisor Konstantinos Stais said cyber security on vessels is unique and should be approached differently from other industries. “We have planned to carry out a vessel IT security assessment in 2016,” he said. “There are more and more systems with access to the internet, which results in increased risks that we would like to recognise as soon as possible.”
Members of the AMMITEC cyber security working group include IT managers and chief information officers from Navios Maritime, TMS Tankers, Costamare, Gaslog, Eletson Maritime, Maran Tankers, Andriaki Shipping and Gourdomichalis Maritime.
© 2023 Riviera Maritime Media Ltd.