As shipping becomes more reliant on connectivity, having a proactive approach to cyber risk – both in terms of technology and people – can only grow in importance.
When most people in shipping hear about IMO requirements, they immediately think of the 2020 sulphur cap that has dominated headlines lately, but there is another deadline coming up that requires consideration too – the requirement for cyber security to be addressed in safety management systems by January 2021.
And while there is undoubtedly a growing awareness of the need to have systems in place to handle cyber attacks, there is still a lot of work to be done. The normally safety-conscious maritime industry appears to have something of a blind spot when it comes to cyber security, with US-based law firm Jones Walker LLP’s 2018 Maritime Cyber Security survey revealing troubling statistics, including that 92% of small companies and 69% of midsize companies surveyed had no cyber insurance, and that only 36% of respondents believed their business was prepared to respond to cyber attacks.
New York-based consultancy Eurasia Group identified cyber security as one of the top risks the world faces in 2019. As well as state actors, there is a threat from those acting on their own, the consultancy noted in its Top Risks 2019 report. It warned “Many of the world’s most destructive cyber actors are non-state actors who have less to lose from taking their chances on offence.”
The report also noted that the National Security Agency tools used in the 2017 NotPetya attacks, which famously cost Maersk $300M, are being updated for current software systems.
The human factor is a key ingredient in cyber security, and Lloyd’s Register (LR) has recognised this by launching a cyber resilience service.
Set up in partnership with UK-based best practice qualification specialist Axelos, LR’s offering aims to make employees more cyber aware.
LR’s cyber security product manager Elisa Cassi said “In the marine industry there is not enough being done to address cyber awareness training and digital skills for seafarers and other staff.
“You could deploy technologies, a firewall and an intrusion prevention system to prevent a breach from happening, but what you cannot do is prevent people who are not trained opening the door to the attacker.”
The class society’s head of cyber security business development, JP Cavanna, said “Cyber attackers target people not systems.
“Any organisation’s ability to mitigate and better manage their cyber risks must include effective awareness training as part of a coherent risk strategy that includes technical control management, threat assessment and vulnerability management, incident response and strong governance, risk and compliance.”
Axelos’ Resilia Frontline awareness training, which the LR offering is based around, was developed with information security experts and behavioural psychologists and offers short, story-based training designed to engage the workforce while developing cyber resilient behaviours.
Ms Cassi added “Through this partnership LR and Axelos are transforming cyber security training from what is seen as a mundane box-checking exercise to an innovative approach that helps employees grasp some basic concepts and more importantly, change their habits.”
Elsewhere, US-based class society ABS has been contracted by shipmanager Fleet Management Ltd to implement cyber security across a fleet of 220 liquid cargo carriers.
ABS Advanced Solutions vice president Russell Medeiros said “Working together, we will provide a comprehensive cyber security solution to assist in ensuring compliance with the International Maritime Organization (IMO), as well as additional cyber-security related guidelines and requirements – creating a safer fleet.”
Meanwhile, Denmark-based shipping association BIMCO has, in collaboration with partners from both the maritime and cyber security worlds, published an updated version of its Guidelines on Cyber Security Onboard Ships with the goal of meeting IMO’s 2021 safety requirements.
New to the third edition is guidance on carrying out proper risk assessments and including measures in safety management systems to ensure cyber security.
Another expansion to the guidelines concerns operational technology – systems that control physical processes. BIMCO’s cyber security working group chair and Columbia Ship Management director Dirk Fry explained “On a ship, the job may be less focused on protecting data, while protecting operational systems working in the real world has direct safety implications.
“If the ECDIS system or software controlling an engine are hit with malware, or if it breaks down due to lack of compatibility after an update of software, it can lead to dangerous situations.”
The guidelines contain anonymised examples of actual incidents to illustrate the kinds of risks to operational technology.
The risk of malware infections spreading to shipboard systems is another new focus area, as a result of the increasingly connected nature of vessels and the many parties associated with a ship that may have access to their systems.
Mr Fry said “The ships are not just sitting there in the middle of the ocean. More and more ships are also closely connected to security systems in the companies’ offices, shippers’ offices and agents’ offices.”
Along with underlining that vessels must be able to quickly and effectively disconnect from shore-based networks, operators are advised on how to evaluate service providers' security based on a minimum set of requirements for managing supply chain and third-party risks, and formalising cyber risk agreements.
The third edition in as many years, the new guidelines are available on BIMCO’s website and were produced with input from Anglo Eastern, Columbia Ship Management, Maersk Line and Moran Shipping Agencies on the marine side, and NCC, SOFTimpact, Templar Executives and Cyber Keel on the cyber security side. Organisations including InterManager, Intercargo, Intertanko, the International Chamber of Shipping, the International Union of Marine Insurance, Oil Companies International Marine Forum and the World Shipping Council also contributed.
Denmark’s Ministry of Industry, Business and Financial Affairs has launched a new maritime cyber security strategy, part of a national push for improved cyber security and information security.
The strategic aim of the document, which is available online, is ensuring cyber attacks do not compromise the safety of Danish vessels or those operating in Danish waters. The plan contains eleven key elements:
The first of these, establishing the Danish Maritime Cybersecurity unit, took place in mid-2018. Among other functions, the unit serves as an exchange point between the maritime sector players and the CFCS. Its primary responsibilities will be to advise, communicate, procure, create and validate IT security-related information between maritime sector players.
Other responsibilities will include training, co-ordination tasks and organising professional workshops and conferences related to specific IT security issues in the maritime sector.