Maritime industry needs to adopt appropriate steps for cyber risk management of systems, infrastructure

Increased digitization across the maritime industry has led to increased prioritization of cyber risk management to protect connected systems and infrastructure from potential cyber threats. As the industry becomes more digitized and interconnected, cyber attacks on maritime systems can have severe consequences, including disruption of operations, compromising safety, environmental damage, financial losses, and even physical harm to crew members.

Maritime asset owners and operators must conduct a risk assessment to identify potential cyber risks in the industry. They must develop cybersecurity policy, implement security measures, train employees, and foster collaboration and information sharing, while deploying robust controls such as firewalls, intrusion detection systems, encryption, multi-factor authentication, and timely software updates.

Furthermore, the maritime industry must provide employee training and awareness programs covering cybersecurity risks and protocols. It must also engage with organizations like the International Maritime Organization (IMO) to share best practices while working towards preventing and appropriately responding to cyber threats.

Such measures will prepare the maritime industry to proactively manage cyber risks, bolster system security, and ensure the safe and smooth functioning of its operations while minimizing potential damages from cyberattacks.

In the first part of this series, experts from the maritime industry discussed the types of cybersecurity threats faced by vessels across the sector. They also analyzed the impact of integrating IT and OT on the cybersecurity posture of shipowners, as well as how increasing digitization and connectivity in the maritime industry affect cybersecurity. They also looked into the role that human error plays in maritime cybersecurity when it comes to dealing with vessels, and how proper crew training can mitigate this risk.

The executives now address the latest guidelines that the IMO has released for maritime cybersecurity when it comes to risk management around vessels. They also assess how maritime asset owners and operators have been able to meet these guidelines. 

Andrew Clarke, technical officer in the IMO Maritime Safety Division, told Industrial Cyber that cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment. “In some cases, these systems are to comply with international standards and flag administration requirements.”   

The International Ship and Port Facility Security Code (ISPS Code) requires ships and port facilities to conduct comprehensive assessments and to prepare effective security plans to deal with any potential security threat, according to Clarke. 

Andrew Clarke, technical officer in IMO's Maritime Safety Division

“SOLAS contracting governments, port authorities, and shipping companies are required, under the ISPS Code, to designate appropriate security officers and personnel, on each ship, port facility, and shipping company,” Clarke said. “These security officers, designated Port Facility Security Officers (PFSOs), Ship Security Officers (SSOs), and Company Security Officers (CSOs), are charged with the duties of assessing, as well as preparing and implementing effective security plans that can manage any potential security threats.”

The International Convention for the Safety of Life at Sea (SOLAS), an IMO convention, is an international maritime treaty that sets minimum safety standards for the construction, equipment, and operation of merchant ships. It requires signatory flag states to ensure that ships flying their flag comply with at least these standards.

Clarke added that in part B of the ISPS code (guidance), there is a specific reference to addressing computer systems in the security assessment and to drawing on expertise in computer systems, as well as radio and telecommunications systems, etc. 

“IMO Guidelines on Maritime Cyber Risk Management provide high-level recommendations for maritime cyber risk management,” Clarke highlighted. “They are primarily intended for all organizations in the shipping industry. Users of the Guidelines should also refer to Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices (links to some of which are included in the IMO Guidelines).”   

He also added that IMO’s Maritime Safety Committee agreed at its recent meeting (MSC 107, 31 May-7 June) to add to its work program a revision of the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.2). 

“Interim guidelines for trials of Maritime Autonomous Surface Ships (MASS) were approved in 2019,” according to Clarke. “They say that appropriate steps should be taken to ensure sufficient cyber risk management of the systems and infrastructure used when conducting MASS trials. Work is ongoing to develop a goals-based non-mandatory MASS Code. The aim is to adopt it to take effect in 2025, and for it to form the basis for a mandatory goal-based MASS Code, expected to enter into force on 1 January 2028.”

Svante Einarsson, head of cyber security maritime at DNV

The IMO published its Guidelines on Maritime Cyber Risk Management in 2017, issuing an update in 2021, aimed at improving cyber security across the industry, Svante Einarsson, head of cyber security maritime at DNV, told Industrial Cyber. “These are more than guidelines: they make it practically mandatory to include cyber risk management into the safety management of vessels. These guidelines institute a risk-based requirement and demand that shipping companies complete cyber risk assessments, set out policies and procedures, define roles/responsibilities on cyber risk management, and put in place training,” he added.

“These guidelines make recommendations for shipping companies to follow international best practices, but they do not prescribe what each ship manager/owner needs to do,” Einarsson said. “The reality is that ship managers and owners have handled these requirements differently. Some only do the bare minimum and only include a few references to cyber security in their risk management and undertake limited training for crew. Others have updated their integrated management systems and sought certification against standards like ISO 27001 and DNV’s cyber secure class notation.”

Einarsson added that the IMO is not the only source of cyber security regulations affecting the maritime industry. 

“The International Association of Classification Societies (IACS) is adopting new requirements around the integration of IT and OT, and the systemic integrity of third-party suppliers, for example,” according to Einarsson. “And the revised EU Directive on Security of Network and Information Systems (NIS2) is tightening cyber security requirements on operators of essential services within EU critical infrastructure, which includes areas of the maritime sector such as ports, floating storage regasification units, and the largest shipping companies.”

He added that in the US, “we have the National Cyber-Informed Engineering Strategy from the Department of Energy – a bi-partisan plan to raise standards.”

Einarsson said that cyber regulation has evolved rapidly over the last decade. “From DNV’s Maritime Cyber Priority research, we see that just 36% of maritime professionals agree that complying with cyber security regulation is straightforward, and less than half (44%) say that their organization is lacking the in-house technical knowledge required. Two-thirds (66%) of maritime professionals say that cyber security regulation is seen as lower priority than other regulations governing the industry,” he added.

“Even where companies are keeping up with regulation, it only sets a baseline; it doesn’t guarantee security. Rather than taking it as the goal, the maritime industry should use regulation as a foundation on which to further improve and adapt to the changing threat landscape,” Einarsson said. “The preferred way forward is to apply cyber secure technical design rules in combination with tailored cyber risk management – striving for adaptation and continuous improvement. Compliance needs to be complemented by work to identify and manage new risks and weaknesses, such as through employing penetration testing and intrusion detection.”

Rick Tiene, vice president of smart cities, government, and critical infrastructure for Mission Secure

Rick Tiene, vice president of smart cities, government, and critical infrastructure for Mission Secure, told Industrial Cyber that last summer the IMO released updated guidance that incorporated elements of the NIST Cybersecurity Framework and other standards into its recommendations. “Some asset owners and operators are certainly taking action on it, but in general I think we’re in the early days of maritime cybersecurity. There’s still a lot of uncertainty about what’s required and what’s at stake, which unfortunately means there’s a lot of unmanaged risk,” he added.

“Many ship owners and operators that I have spoken with would actually welcome more stringent standards from the IMO,” Tiene said. “That might seem strange but, since much of the shipping world operates on thin profit margins, it is a very difficult decision to spend more money for greater cybersecurity than your competitors do. Many recognize that a higher minimum standard would level the playing field on cost while reducing risk for everyone.”

Nir Ayalon, CEO of Cydome

It started with IMO2021, which imposed a requirement on ship owners to implement cyber security measures, Nir Ayalon, CEO of Cydome, told Industrial Cyber. “But those requirements were quite general – the recent IACS Unified Requirements UR E26 and E27 took it a step (or two) further, with very specific requirements that we see as a paradigm shift in the industry, as the URs require ship owners to be actively involved in implementing cyber protection measures in the ship design (and build) process (UR-E26), as well as specific requirements for what the cyber security system should provide (UR-E27), including, for example, real-time protection and a continuous compliance audit and certification process.”

For example, Ayalon said that this means ship owners need to build test plans and documentation for the cyber security systems they implement, which is very different from how they have done business until today.

“Although technically, the requirements take force only for ships contracted from January 2024, we believe it is going to become the industry standard for cyber protection in general,” according to Ayalon. “Also, it makes sense for ship owners to implement the same protection solutions for their entire fleet and not manage the new builds and old builds separately. UR E26/27 are very complex, and we get many questions from our customers – we’re working with them by expanding our system to automate a lot of the processes and documentation required in the different phases and to ensure that our class-certified system complies with the regulation.”

Drawing from their experience, the executives offer guidance on common flaws in the maritime industry that make vessels more vulnerable to cyberattacks. Additionally, they explore how maritime asset owners can mitigate their risk by enhancing cybersecurity measures.

Clarke said that it is incumbent upon all stakeholders across the maritime sector to follow best practices and guidelines from bodies, such as IMO, as well as to adhere to any specific requirements of member governments and flag states to protect their systems and processes against cybercrime. 

“This is particularly important given the increasingly intertwined nature of information technology and operational technology which might be operated by different stakeholders, but which could act as a vector if a cyber-attack were to occur,” according to Clarke. “It is also important that member governments and/or flag states conduct regular inspections/audits of the security arrangements in place on ships and at port facilities, including cyber security regimes, to assist asset owners in reducing their vulnerabilities.”

Einarsson identified a few common flaws in three groups: owners/ship managers, shipyards, and vendors. For owners/ship managers, he listed a lack of OT cyber security knowledge, a lack of cyber security training and incident response drills onboard vessels, a lack of a complete overview of the system interfaces onboard, and a lack of OT security ownership.

Covering shipyards, Einarsson listed a lack of OT cyber security knowledge, a lack of experience in deploying security by design in the newbuilding process, and a lack of in-house pen-testing experience to verify secure integration of OT systems. Moving to vendors, Einarsson noted a lack of OT cyber security knowledge, at least among small and midsize vendors; legacy OT systems still running on Windows XP; and a lack of certified (type approved) maritime OT systems.

Tiene said that maritime operators tend to overestimate the difficulty of attacking their vessels. “Very often there are vessel-to-cloud connections that no one onboard knows about, but hackers can use automated tools to find and exploit those connections without lifting a finger.”

“The first step in reducing risk is visibility—you have to know what’s on the vessel and where the devices are communicating. Then it’s a matter of closing unsafe connections and monitoring for abnormal activity,” according to Tiene. “The good news is that operational technology cybersecurity has made rapid advances in the last few years, so much of the work can now be done automatically, at a cost that’s almost trivial compared to the value of a ship and its cargo.”

Ayalon outlined that with the complexity of maritime assets and implementation, “we believe that the approach should transition from the very traditional view of a firewall covering the network and anti-virus covering the computers, which really focuses on the ship’s assets, to designing protection around the relevant attack planes – assets, network, real-time anomaly detection and network/asset segregation (e.g., separate mission-critical from more general IT networks, OT connectivity, etc.)”

He added, “That was our approach for a few years, and we’re happy to see that IACS adopted a very similar model in their E26/27 requirements.”
