Two case studies conducted by the Cyprus Shipping Chamber demonstrate how vulnerability management and cyber security should be implemented
Cyprus Shipping Chamber has conducted two case studies of shipping companies to identify how they manage cyber vulnerability and security and to provide guidance to its members. The results of these case studies were presented by Cyprus Shipping Chamber chairman of the ICT committee Adonis Violaris, who is also a director of Interorient Shipmanagement, at an event in London in September.
The cyber security case study investigated the need for protection and security enforcement, mitigating online threats, developing guidelines to support secure cyber operations, contingency planning and assigning security responsibilities.
The case study demonstrated how a major owner implemented cyber security for their ships with online connectivity. It was conducted with an unnamed Cyprus-based shipowner and shipmanagement company that operates more than 100 ships, including tankers, bulkers and container ships and employs more than 3,000 people at its seven shore bases.
Cyprus Shipping Chamber posed several questions to this company to evaluate how it viewed cyber security and was allocating its staff and budget.
Why is your company implementing cyber security in its fleet?
The company is currently undergoing a transition from FleetBroadband communication services to a higher broadband capable VSAT system. This ‘open to the internet’ situation will drive the company towards more vigilance and the need for a cyber security programme to be put in place.
How does VSAT broadband change your view of ship cyber security?
The VSAT broadband allows ships to have a direct connection to the internet, therefore exposing them to its dangers. As a result of this, and because of the increasing cyber attack incidents around the world, this is motivating this company to be more vigilant.
What are your thoughts and what are you doing to keep antivirus software, computer patches, and systems updated on board?
A system, to be the least vulnerable possible, needs to be as up-to-date as possible. For the time being not all our vessels have internet access, therefore we update our computers by sending CDs with updates, links with updates to port agents or during attendance by the communication team members. Once a VSAT broadband solution has been installed on board, the updates will be pushed to the vessels from the communication department via the internet.
Describe how you will be using antivirus and updates?
The antivirus solution will be updated automatically using auto-update function.
Are you using the satellite communication/ISP provider as your cyber security provider?
Our satellite communications providers will take part in enforcing our cyber security policy, by blocking specified sender domains, providing email filters, filtering websites, etc.
How does your company control and monitor safe crew internet use?
Internet usage and access will be controlled and supervised by our ISP according to our policies whether the crew are paying for these services or not. In the interest of our company’s security and integrity, we will decide what access they have. Crew access to the internet is a privilege not a right (at the moment).
Cyprus Shipping Chamber’s vulnerability management case study was with another shipmanagement company, which operates more than 600 vessels and has 1,200 people in its shore offices. The aim and scope of this was to provide guidance to its members on effective cyber security and vulnerability management, both on board and ashore.
What are your reasons for implementing vulnerability management on your fleet?
Our intention is to comply with recent marine organisation guidelines for future regulations. With VSAT installation every crew member has access to the internet. We therefore have to monitor and strengthen vessel networks.
Are you presently performing or planning to perform onboard vulnerability scanning or management?
We are currently using onboard vulnerability scanning of computers and the network.
How often do you conduct scanning as part of your vulnerability management process?
We scan our vessel networks daily for vulnerabilities because new vulnerabilities may arise daily.
What are the biggest challenges with onboard vulnerability remediation and how do you address them?
Our biggest challenge is internet access. Most issues would be Microsoft Windows updates or application updates. None of the computers have continuous internet access unless the user connects to the internet with his account.
We send Windows and application updates with update packages on DVDs or send internet USB dongles to the next vessels for the crews to update the computers.
We test software that will have a relay server on the vessel, distribute the updates from the office to the relay server and the relay server will update all vessel computers. This saves us internet access costs.
How do you view the risk of intentional/criminal tampering with existing data? How do you identify and deal with these incidents?
There is the possibility that company personnel, on board and ashore, could compromise cyber systems and data. In general, the company should be prepared that this may be unintentional and caused by human error when operating and managing IT and operating technology systems. Or failure to respect technical and procedural protection measures.
We have created a policy for unauthorised access for computers, servers and data. We have restricted user access for any crew member to computers and data access.
Production computers and servers are backed up daily to a central storage system. Vessels’ important data is replicated live to shore using dedicated software for replication. Key operation data is stored in a secure database.
BIMCO recommended actions
Cyprus Shipping Chamber then asked this shipmanagement company how it perceives and implements BIMCO’s guidance and five-stage recommendations on cyber security – these being identify, protect, detect, respond and recover.
The shipmanagement company said it needed to identify threats as a vessel may be targeted by activists, criminals or terrorists, but the biggest threat was from the crew members. “Most of the time this relates to unawareness. A user may have an infected USB and plug it in on a vessel computer and this will infect it.”
The company said it was using vulnerability management software to identify application and operating system vulnerabilities. “In addition, we are in direct contact with hardware vendors for firmware upgrades. Further, we have initiated penetration testing to the vessel to expose our vulnerability and security breaches.”
It has created a vessel IT cyber security team responsible for educating crew, strengthening vessel security and creating policies.
In addition, risk assessment documentation was written for every vessel to develop protection and detection measures.
To establish contingency plans, the company created risk assessment documentation which clarifies how a ship’s captain must react to each threat. The company’s local IT department is always on call for security issues if required.
“In addition, our antivirus provider is available to resolve any malware issue if advanced assistance is required,” the company said. “Our supplier will provide remedial action to the crew if physical assistance is required.”
To report a cyber security incident, its antivirus will export a report from the cloud portal. The company’s threat intelligence platform will also export a report for any threat/breach found in the network.
To remediate a cyber security incident, the company will take the following actions:
Mr Violaris said these were examples of how shipping companies are reacting to and implementing vulnerability management and cyber security. He expects others in the Cyprus Shipping Chamber to follow these leads.
“State-of-the-art thinking in developing a good cyber defence today is to use a top-down risk-management driven approach,” he explained. It starts with an evaluation of the potential threats and system vulnerabilities, prioritising assets and associated risks to them and deploying a defence-in-depth physical and cyber security solution.
“Through continual testing of vulnerabilities and vigilant attention to evolving threat vectors, the solution is then adjusted and optimised in a true feedback control manner,” Mr Violaris said.
“We need to take this challenge seriously as an industry and not wait for an unexpected event to push us into action.”
Recommended protection and detection measures
Stamco deploys cyber defence mechanism
Piraeus-based Stamco Ship Management is implementing cyber security from Naval Dome on car carriers chartered to Wallenius Wilhelmsen Lines.
It has installed the first endpoint maritime cyber defence system on a 57,692-gt pure car and truck carrier. This is a multi-layered cyber defence solution that prevents hackers from penetrating key ship systems.
Naval Dome tailored this endpoint protection to suit the vessel’s specific systems and operational profile. Its installation took one hour during a scheduled port stay in Piraeus, Greece. Naval Dome has started preparing the bespoke technology for installation on 54 other vessels in the Stamco fleet.
Stamco’s head of operations said Naval Dome’s endpoint would ensure the company was prepared to prevent any unauthorised access to its ships’ systems. “We cannot underestimate the operational, financial and safety implications a cyber-related incident – whether by design or by default – would have on operations, especially given the high-value cargo our ships transport,” he said.
Gaslog invests in simulation training centre
Gaslog has ordered a suite of training simulators from Kongsberg Digital for its technical management headquarters in Piraeus, Greece. This suite will cover training in navigation, engineroom operations and cargo-handling for crew on LNG carriers.
Kongsberg will deliver a K-Sim DNV class A ship’s bridge simulator and a K-Sim engineroom desktop simulator. This will include programs for steam plant in a dual-fuel LNG carrier and for diesel electric in a dual-fuel DE21 LNG model.
These engineroom models will be interfaced to a corresponding K-Sim cargo LNG carrier-M cargo handling simulator. GasLog operates 27 LNG vessels and has seven ships on order.