Maritime Cyber Security

The traditional image of the seafaring vessel with captain and crew using the stars for navigation and the wind for propulsion is a distant memory. Today’s commercial ships and superyachts are often huge floating computer systems relying on complex IT and OT infrastructure to operate everything from navigation, cargo management and propulsion to security, passenger and bridge systems.

While ships might not seem a likely target for cyber attacks, this almost complete reliance on such sophisticated digital technologies – which result in hugely improved operational efficiencies – can mean that such vessels are left exposed if these systems are not managed correctly.

The implications of a maritime cyber attack are also huge, in many cases much more significant than an attack on a conventional computer network such as a land-based office environment. Any maritime professional is aware that ballast system failure or infiltration could result in a ship sinking. And cargo management systems often have to keep transported produce such as fruits at a specific temperature for the cargo to retain its value during a long sea journey.

Despite published statistics showing a huge increase in the number of maritime cyber attacks – an increase of 900% in three years – coupled with a shift in industry attitude that a recent BIMCO Maritime Cyber Security Survey described as an evolution from “awareness to preparedness”, there is still a perception that maritime cyber security is not being given the full attention and focus that is required. This can be in part due to ship owners not wanting to share or officially log such incidents for fear of reputational damage. It can also be due to crew members or operators mistakenly thinking that an anti-virus system installed on, e.g., a Bridge navigation system means that the ship’s systems are protected, without understanding that IT system protection does not mean that OT systems such as vessel berthing and cargo handling systems are also protected. Attacks on such OT systems can be mistakenly logged as system failures, and the inadequacies of these systems are then never addressed.

Both IT And OT Systems Are Essential

IT systems manage the ship’s data. As data technologies have improved, these systems have naturally evolved with them and generally work seamlessly with commonly known operating systems. As such, securing these systems can be relatively straightforward: installing a high-end anti-virus and firewall system can make life harder for a potential attacker as part of a risk-based information security management approach that incorporates the identify, protect, detect, respond and recover principles.

OT systems are hardware and software that directly control physical devices such as cargo handling and safety systems. They therefore have a real impact on the physical world, and so safety is crucial.
Operational technology is often built on bespoke, proprietary operating systems without in-built security software. Installation of basic protection applications is therefore not straightforward and software upgrades and improvements usually have to be made by the software vendors. Such legacy systems also may not have the computational resources to support the addition of security patches or upgrades.

The International Maritime Organisation (IMO) defines maritime cyber risk as “A measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety, or security failures as a consequence of information or systems being corrupted, lost or compromised”.

Address Your Ship’s Cyber Risks Today

Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. Are you prepared?

1. Leadership and Culture

Has your organisation recognised the need to integrate procedures for the control of cyber risks into your existing Safety Management System (SMS)?

2. Risk Management

Have you determined your critical assets (both IT and OT), and do you have a view of the threats and vulnerabilities they are exposed to?

Ship OT and IT system vulnerabilities:

  • Vessel connected to shore-based systems – Shore-based connected security systems introduce data integrity and attack surface vulnerabilities, which impact their availability.
  • Outdated/missing anti-virus software on Bridge systems – GPS/GNSS disruptions (through spoofing or other attacks) can have a devastating impact on positioning, navigation, and timing.
  • Low strength password on Wi-Fi/LAN internet – Poor access management and password protocol introduce privileged user exploitations (ransomware incidents, malware contamination etc.), which may result in data corruption, data leakage or worse…
  • Obsolete OT cargo management systems – EoL cargo management system failures may lead to ineffective monitoring of critical systems with repercussions ranging from unaccounted cargo through to endangering onboard safety.
  • Unrestricted 3rd party access – Communication system failures, due to human error or cyber breach, can catastrophically impact safe ship protocol, and the enactment of contingency plans in an emergency.
  • Inadequate security configurations on engine systems – Inadequate security configurations on propulsion, alarm and power management systems could introduce human error jeopardising a voyage, and impacting critical maintenance schedules.

3. Security Control Framework

Recognising your critical assets and the threats and vulnerabilities discussed earlier, using a framework such as NIST or ISO 27001, has your organisation established the appropriate protection and detection measures?

A sensible approach is to consider the different security zones and apply a defence in depth approach as illustrated below:

[Figure: Ship Cyber Security Control Zone Areas]

Maritime Security Controls for the specific zones should include both Cyber and Physical considerations:

Restricted Security Zone

  • Controlled use of administrative and privileged user access, separation of duties, and robust access management including MFA.
  • Systems should be subject to a high degree of scrutiny with regards to patch management and endpoint security.
  • Particularly for OT systems, control of ports, protocols and services.

Private Security Zone

  • Strong access controls, both physical and cyber, which are managed and monitored.
  • Continuous vulnerability scanning and reporting.
  • Surveillance and logging capability.

Semi Private Zone

  • Limited to most legitimate users of the vessel, via prior authorisation.
  • Dormant account monitoring and control.
  • Internet DMZ with firewall considerations to filter incoming and outgoing traffic.
  • Monitoring of unauthorised hardware and software.

4. Response

Do you have a mechanism for monitoring and controlling your security environment, and when things go wrong, do you have documented and exercised contingency plans in place?

5. Communications

Do all of your stakeholders (including employees, contractors and suppliers) and customers understand your approach to managing cyber risk, and the roles they are expected to take?

If you are not comfortable that you can answer all of these questions comprehensively, then Vassallo Associates can steer you towards a practicable solution and ensure you can demonstrate compliance with Resolution MSC.428(98) in a timely fashion.

We can help you implement and document the appropriate controls to comply with IMO requirements, and we can provide your stakeholders with the assurance they need.

Contact us now to arrange a pro bono (no obligation) consultation to discuss your Maritime Cyber Security requirements.

Your contact for Cyber Security advice:

Dan Breger
Principal Consultant
Mobile: +44 (0) 797 167 8039
dan.breger@hvassallo.com