Digitalization creates new opportunities but also brings the risk of cyberattacks, which are a real threat to the maritime industry. A recent report issued by Lloyd’s Market Association identified cyberthreats and lack of preparedness as a growing concern for the shipping industry. It also found that 60% of maritime companies are not ready for a cyberattack.
There is growing concern about the security of vessels and their operations. In fact, successful cyberattacks could affect the safety and possibly even the lives of crew and passengers. The problems that the maritime industry is facing at the moment are new and they are complex.
Cyber security is now a regular requirement for the maritime industry. National and international regulations are getting involved, as well as the IMO regulations on cyber security. There is a range of regulations at national and regional level, in addition to further requirements that relate to cyber security and data privacy. This means that you should ensure that you are up to date on the specific national and international requirements relevant to you. Furthermore, there are commercial requirements which are important to follow to reduce financial risk and ensure you stay reputable.
According to the International Maritime Organization (IMO), cyber risk management is the process of identifying, analyzing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, taking into account the costs and benefits of actions taken to stakeholders. The IMO developed the following guidelines for it.
IMO GUIDELINES ON CYBER SECURITY ONBOARD SHIPS
1) Cyber Security and Risk Management
2) Identification of Threats
3) Identification of Vulnerability
4) Assessing the likelihood
5) Impact Assessment
6) Risk Assessment
7) Development of Protection Measures
8) Development of Detection Measures
9) Establishment of Contingency Plans
10) Respond to and Recover from Cyber Security Incidents
A threat is the potential that a given threat actor will damage a system, or the likelihood that such damage will occur. It is dangerous to underestimate either the capability of, or opportunity provided by, a given threat actor. When assessing risk, some threat actors will not warrant any attention at all due to their lack of capability, opportunity or intent. An organization must also consider its own capabilities in order to realize how likely it is to be able to defend against threats or flaws in its own systems. Basically, there are 2 types of threats in maritime cybersecurity:
An Intentional Cyber Threat includes hacking or malicious software known as malware, which can be carried out by malicious hackers or malcontent employees. It represents threats that are the result of a harmful decision (e.g. someone purposely damages property, information or processes). It may also include social engineering, viruses, denial of service (DoS) attacks, theft of data, sabotage and destruction of resources.
Unintentional Cyber Threats are commonly incidents that are the result of unawareness, misuse or design flaws. They include software maintenance, software bugs due to lack of testing, and inappropriate use of permissions, and they usually come from human mistakes.
THREATS AGAINST I.T AND O.T SYSTEMS
An Information Technology (IT) system manages data and supports business functions, whereas an Operational Technology (OT) system refers to the management, control and monitoring of industrial operations, with a focus on the physical devices/hardware.
Threats to IT Systems are often easier to assess because there is far more evidence of incidents in the maritime industry, both generally and particularly. IT system failure is rarely thought to be the source of possible harm to people, the environment, assets, or cargo.
However, in OT systems the scarcity of statistics concerning occurrences and their consequences makes cyber risk management more difficult than in other areas of safety and security, where historical evidence is available. According to indications, attacks targeting OT systems are widespread and, in many cases, not publicized.
The majority of OT systems in the marine industry are still not connected to external networks. However, many monitoring devices (for example, devices that monitor engine performance) are connected to the internet and, in comparison to IT or even OT systems, usually have minimal cyber security controls in place. Threat actors can scan for these systems and use them as an entry point into a ship network, pivoting from there as previously described. As a result, these systems’ risks must be assessed and should not be overlooked. Attacking OT systems puts the victims’ safety at risk, which may act as a deterrent for some cybercriminals.
Incident on Maritime IT and OT
Worm spread via USB Devices
A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design. The IT team discovered a dormant worm that could have activated itself once the system was connected to the internet, and this would have had severe consequences. The worm was spread via USB devices; it executes a program in memory and is designed to communicate with its command and control server to collect its next set of instructions.
The impact of this worm would have been severe once the vessel was underway, because it would have had network access and introduced additional security risks that could be exploited if the ship was connected to the internet.
Other potential sources of vulnerabilities and threats in Maritime OT and IT:
Physical Security (such as exposed USB ports on bridge systems)
Satellite and Radio Communication (A satellite terminal normally has an unprotected LAN port for connection to the ship’s networks which leaves different options open for protection depending on the threat.)
In the Ship Security Plan such areas will be defined as Restricted Areas as required by the ISPS Code Part A section 9.4.1 taking into account the guidance in the Code’s part B.
ISPS Code part A/9.4 gives the minimum points that must be included in the ship security plan. The ship security plan needs to be approved by the flag state of the vessel or by a Recognized Security Organization (RSO) on behalf of the flag state. The RSO is usually the classification society of the vessel.
According to THE GUIDELINES ON CYBER SECURITY ON-BOARD SHIPS, produced and supported by BIMCO, Chamber of Shipping of America, INTERCARGO, ICS, World Shipping Council and other international shipping associations, these are some of the potentially vulnerable and target systems, equipment and technologies:
1) Access control systems
2) Administrative and crew welfare systems
3) Cargo management systems
4) Passenger or visitor servicing and management systems
5) Core infrastructure systems: Virtual LAN(s) (VLAN), security gateways
6) Communication systems: public address and general alarm systems, Voice Over Internet Protocol (VOIP) equipment, integrated communication systems
7) Bridge systems: systems that interface with electronic navigation systems and propulsion/maneuvering systems, Automatic Identification System (AIS), Bridge Navigational Watch Alarm System (BNWAS)
8) Propulsion, machinery management and power control systems: power management, bilge water control system, other monitoring and data collection systems, e.g. fire alarms, integrated control system
PROCEDURAL PROTECTION MEASURES
It is clear that effective cyber risk management training and awareness have to become a priority for both companies and the industry in order to offer adequate protection against the ever-increasing threat of cyber-attacks. The STCW Convention requires companies to ensure that seafarers are familiarized with “all ship arrangements, installations, equipment, procedures and ships characteristics that are relevant to their routine or emergency duties”.
Training and awareness include, but are not limited to, the following:
1) Risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)
2) Detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network
3) Procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.
In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all
Case Study: Bunker surveyor’s access to a ship’s administrative network
A dry bulk ship in port had just completed bunkering operations. The bunker surveyor boarded the ship and requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks. This emphasizes the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.
The physical security of the ship is enhanced by compliance with the security measures addressed in the ship security plan (SSP) required by the ISPS Code. Measures should be taken to restrict access and prevent unauthorized access to critical system network infrastructure onboard.
Removable media can be used to get around security layers and attack systems that aren’t connected to the internet. A clear policy for the use of such media devices is critical; it must ensure that media devices are not routinely used to transfer data between uncontrolled and controlled systems. There is always a risk of introducing malware when moving data from uncontrolled to controlled systems.
LOSSES ARISING FROM A MARITIME CYBER INCIDENT:
- Economic Loss
- Personal Injury/Loss of life
- Loss/Damage to Cargo
- Business Interruption
- Loss of Reputation
- Loss of Data
- Loss of Production
The truth is that the global maritime industry is vulnerable to the cyber threat. Maritime cyberattacks are growing at an exponential rate. More and more attacks are becoming public knowledge, revealing the extent of the damage done. As for the future of cyberattacks on the maritime industry, there’s no telling what might happen, but with tens of thousands of vessels at sea, all of them constantly connected to one another, keeping that safety and security from breach is a monumental challenge that must be addressed in short order.
SMARTKEEPER IS THE SOLUTION TO PREVENT THESE CYBER THREATS
SMARTKEEPER specializes in offline cyber security. SMARTKEEPER can provide simple and affordable security solutions for protecting single workstations, including but not limited to desktops, laptops, servers and network ports.
If you have any inquiries, you may Contact us and we’ll be happy to assist you.
SMARTKEEPER locks for workstation
- USB PORT LOCK
- CF PORT LOCK
- SERIAL PORT LOCK
- PARALLEL PORT LOCK
- E-SATA PORT LOCK
- USB-C PORT LOCK PLUS
- HDMI PORT LOCK
SMARTKEEPER FOR NETWORK
- NETWORK PORT LOCK PLUS
- QSEF PORT LOCK
- FIBER OPTICS LOCK
- LAN CABLE LINK LOCK
- NETWORK MODULE LOCK
- LAN CABLE LOCK PLUS
If our products do not fit your requirements, please contact us and we will work out a solution for you!