As marine assets aim to benefit from digitalized operations, the challenges of keeping them safe and secure from maritime cyber risk has also increased. Spread across a vast network of vessels, ports, logistical and administrative infrastructure, about 90 percent of the goods moved worldwide are carried across the seas.
Like most industries, maritime has become increasingly automated, connected and remotely monitored, according to a blog post from industrial cybersecurity firm, OTORIO. “Not surprisingly, maritime trade has also become a prime target for cyber-attackers. The sector is especially vulnerable owing to its dependence on technology for navigation, communication, and logistics.”
Port and maritime employees often lack the skills to deal with common cyberthreats, leaving them open to social engineering attacks like phishing emails. “Moreover, the legacy OT [operational technology] networks that control the operations of many of the world’s ports are frequently not updated and thus unprepared to meet a concerted cyber onslaught by a well-funded attacker. Through exploiting exposed services like websites, email logins or VPN gateways, attackers can easily gain remote access,” OTORIO added.
The International Maritime Organization (IMO) has also developed various international treaties and other legislation concerning safety and protection of cyber assets, and to reduce maritime cyber risk. “The overall goal is to support a safe and secure shipping industry that is operationally resilient to cyber risks,” said Gisela Vieira, acting head for maritime security at the IMO, in a post published on the ABB website. The IMO is a United Nations agency responsible for regulating the shipping sector.
The IMO identifies common cyber vulnerabilities found onboard existing ships, and on some newbuilds, include obsolete and unsupported operating systems, outdated or lacking antivirus software and protection from malware, and inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts or passwords.
In addition, shipboard computer networks may lack boundary protection measures and so-called segmentation. Safety-critical equipment and systems are not always connected to shore operations, and adequate access controls for third parties including contractors and service providers may be lacking as well.
“As with maritime accidents and casualties in general, you cannot prevent every incident, but you can prepare and have procedures in place to prevent attacks as far as possible and mitigate impacts,” said Vieira. “The key lies in preparation and risk management, taking into account applicable guidelines, and making sure the right people have responsibility for cyber risk management in shipping companies and ports.”
The IMO has also issued MSC-FAL.1/Circ.3 guidelines on maritime cyber risk management to provide high-level recommendations that help to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes, and are complementary to the safety and security management practices already established by IMO.
To raise awareness on maritime cyber risk threats and vulnerabilities, companies are required as of Jan. 1, 2021 to demonstrate compliance with IMO Resolution MSC 428(98), documenting that cybersecurity is an integral part of the safety management system.
The Maritime Safety Committee (MSC) also identifies that administrations, classification societies, shipowners and ship operators, ship agents, equipment manufacturers, service providers, ports and port facilities, and all other maritime industry stakeholders should expedite work towards safeguarding shipping from current and emerging cyber threats and vulnerabilities.
To mitigate these and other shortcomings, the IMO advises on practical steps in assessing the cyber risk that companies can take in order to comply with the new resolution. Best practices include identifying the threat environment in order to understand external and internal cyber threats to the ship, clarifying vulnerabilities by developing complete and full inventories of onboard systems, and understanding the consequences of cyber threats to these systems.
Assessing risk exposure by determining the likelihood and impact of vulnerability exploitation by any external or internal hacker is another key step, along with developing protection and detection measures to reduce the likelihood and impact of exploitation. The IMO also recommends establishing prioritized contingency plans and having these at the ready in order to respond to and recover from cyber incidents.
Relating specifically to autonomous vessels, including data sharing between stakeholders, the IMO has issued guidelines for trials of MASS (Maritime Autonomous Surface Ships) in its circular MSC.1-Circ.1604. “Among other things, the guidelines stipulate that appropriate steps should be taken to ensure sufficient cyber risk management of the systems and infrastructure used when conducting MASS trials,” Vieira added.
The recent incident of one of the largest container ships in the world, Ever Given, getting lodged across the Suez Canal, is a “powerful example of the fragility of global supply chains that are vital to the world economy,” wrote Jennifer Bisceglie, CEO and founder of Interos in a blog post. “These crises point to the need for government agencies and private sector organizations to prioritize operational resilience – the state of fortified, redundancy and intelligence-driven stability created through smart supply chain risk management,” she added.
Earlier this year, the U.S. released its National Maritime Cybersecurity Plan to promote prosperity through information and intelligence sharing and preserving and increasing the nation’s cyber workforce. It aims to defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector.