If you’re taking the time to read this blog post, the chances are you’ve already heard of maritime cyber security.
By definition, it’s the application of technologies, processes and controls that protect maritime systems, networks, programs, devices and data from cyber attacks.
In January 2021, the International Maritime Organization (IMO) introduced a new resolution for maritime cyber security standards. The consequences of non-compliance can be severe for any commercial maritime business.
In this post, we explain everything you need to know about maritime cyber security and the simple steps that can be taken to protect maritime vessels and systems.
We will also describe the most straightforward way to prove compliance with the IMO’s cyber security resolution.
So, what is maritime cyber risk?
The IMO defines maritime cyber risk as “a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised”.
In simpler terms, it refers to how likely your vessel is to come under a cyber attack and the potential damage that could occur if it did.
…and why is cyber security important?
The increasing amount of maritime platform digitisation improves the efficiency of business and personal communications. But the convenience of connected data also provides a hacker with greater access to your vessel’s information technology (IT) and operational technology (OT) systems.
Maritime cyber security focuses on protecting the electronic assets you use to store and transmit information to try and stop any unauthorised access happening. It reduces your vessel’s cyber risk.
Good cyber security is essential, not only to the IMO but also to your business and your personal security on board.
But what aspects of a maritime platform require cyber security?
Maritime cyber security in practice
Security professionals often group cyber security into different categories, all relevant to the maritime environment, and consider all aspects of cyber when making a security assessment.
The most common types are:
- Critical infrastructure security – Critical infrastructure refers to the physical and cyber systems and assets that are so vital for the functioning of a vessel that their incapacity or destruction would be debilitating. Critical infrastructure security protects these.
- Application security – This is the process of making system apps more secure by finding, fixing and enhancing the security of your software.
- Network security – Network security refers to the practices and technology a business puts in place to protect its IT infrastructure.
- Cloud security – A discipline of cyber security that protects cloud-based computing systems. It includes keeping data private across online-based infrastructure.
- Internet of things (IoT) security – The act of securing internet devices and the networks they’re connected to from threats and security breaches.
Evolution of cyber security
As the internet and digitally dependent operations evolve and develop, so does their security. According to the University of North Dakota, there are two main areas attracting attention from cyber security experts: IoT and the explosion of data.
Internet of things
Any devices that connect to a network give hackers an opportunity to exploit them. In a maritime environment, this may be as simple as a crew member connecting a smartphone to a vessel’s internet. Once a hacker has compromised a network, they can gain access to a user’s credentials and other data.
Data explosion
Any device that stores data is a potential network target for hackers. The amount of information stored on devices such as laptops and smartphones is mind-blowing, and it is becoming increasingly vulnerable to cyber attack.
Businesses especially need maximum cyber security to protect their operations. However, the security process must continually evolve as the threat develops – a process of cyber cat-and-mouse.
However, the cyber security process is holistic, not only limited to ‘things’, and should consider three further aspects.
The 3 components of holistic cyber security
1. Humans
Humans make mistakes! In the cyber world, these can be as simple as clicking on a link in a suspicious email, not setting a strong password, using business devices for personal shopping or social media, not backing up data, or leaving a device unattended.
Most of the time, crew members don’t take these actions intentionally, and an effective Cyber Awareness Training program can significantly improve a crew’s security.
2. Processes
Once a team understands its part in a vessel’s cyber security, a dedicated person, or people, can focus on further protection, such as detecting and identifying threats and responding to cyber incidents.
A good set of processes ensures your vessel gives itself the best chance of survival in the evolving world of cyber ‘cat-and-mouse’.
And if an attack happens, despite your best efforts, referencing well-documented processes will save your business time, money and reputation.
3. Technology
This is the cyber security toolbox. It covers the technology used to prevent cyber attacks, such as DNS filtering and firewalls. It also includes the technology that data is stored on – like smart devices and networks.
All three components are required for a comprehensive maritime cyber security plan that will stand up to cyber security threats.
Common maritime cyber security threats
There are many cyber threats that can pose a risk to vessels. Some of the most common are listed below.
Malware
This is malicious software, such as a virus, activated when a user clicks on a malign link or attachment.
In 2017, the NotPetya malware targeted shipping giant Maersk, halting operations. The attack destroyed laptops, print capability, and servers, made applications inaccessible, rendered communications inoperable, and wiped Outlook contacts.
The malware exploited not only technological weaknesses, but also procedural and behavioural ones. According to its Chairman at the time, the whole incident cost Maersk between $250 million and $300 million to fix.
Denial of service (DoS)
DoS floods a computer or network so it cannot respond to requests, disabling its ability to function.
In an interview with law firm Bargate Murray, Malcolm Taylor, Head of Cyber Security at G3, recounts one such attack. A yacht about to go on charter discovered ransomware affecting its entertainment and yacht management systems. This rendered the yacht almost immobile.
Taylor adds that a well-defended network, including regular back-ups and a good software patching regime, would have reduced the impact significantly.
Man-in-the-middle (MITM)
A MITM attack occurs when hackers interrupt data traffic, filter and steal information by inserting themselves into the middle of a two-party transaction. It’s a common form of attack in unsecured WiFi networks.
According to Lloyd’s Register, in an interview with Superyacht News, an unsuspecting crew member can execute this type of attack by connecting their device to the crew network and downloading malware. If engineers don’t segregate the network properly, the malware could infect other systems on board.
Phishing
Many people will have heard of phishing attacks. Fake communications are used to deceive people into following the hacker’s instructions. The goal is often to steal sensitive data.
G3’s Malcolm Taylor provides an example of this in his interview with Bargate Murray. He tells of a family office losing a considerable sum of money in an email scam.
The office received an email allegedly from a family member. It asked for a sum of money to be transferred to a company the office had used before. The email also contained bank account details. As instructed, the office made the payment using these details. A few weeks later, it realised the email was a scam – the money was never located.
In another example given by Taylor, a UHNWI had private photographs stolen by a hacker. The photos may eventually be retrieved but prevention of the initial theft would have been easier.
These are some of many cyber threats currently faced by the maritime industry. In addition, over the last few years, there has been an increase in the number of targeted attacks on the maritime industry, both in shipping and offshore.
Why is the maritime industry vulnerable to cyber attack?
There are many reasons why the maritime industry is an easy target for hackers. The three most common reasons are listed below:
1. Increasing digitisation
As mentioned before, automation makes our businesses more efficient. But it brings risks with it; and these require mitigation. Two examples are the Electronic Chart Display and Information System (ECDIS) and Automatic Identification System (AIS).
ECDIS
Like any other PC, these systems can be tampered with. Many will run with administrative rights and no password protection. With physical access, malicious information can be uploaded via a USB stick.
AIS
According to Deloitte, these systems do not employ identification or integrity checks. Moreover, communications are made via RF that can be listened to.
2. Lack of encryption
Global insurer Marsh McLennan has commented that many navigation systems do not contain inbuilt encryption or authentication code. This is fairly common knowledge and could add to the attractiveness of the industry to hackers.
3. Crews have a lack of maritime cyber security awareness
Peter Sponer of Lloyd’s Register notes that many superyacht crews lack sufficient cyber security awareness training that would help to incorporate best practices. Many yachts will implement technical security controls but will disregard the other aspects – processes and people.
4. Cyber security is seen as an onshore issue
To date, experts believe that attackers have launched most cyber attacks from shore, which adds to the perception that vessels don’t consider it as important. However, growing interconnectivity between on- and off-shore systems means the opportunities for hackers are increasing.
5. Complexity of systems
The complexity of IT and OT systems – especially on superyachts – makes sea-faring vessels susceptible to cyber attack. If operators don’t properly implement security controls, they increase vulnerabilities and opportunities for hackers.
It is essential that someone with in-depth knowledge of these systems completes a maritime cyber security risk assessment.
What is the purpose of cyber security onboard a ship?
There are two aims for cyber security onboard:
- To protect IT systems to prevent losses to finances and reputation.
- To protect OT systems to safeguard vessel, crew and passenger safety.
Every vessel has a bespoke system set-up and needs an individual maritime cyber security risk assessment.
Maritime cyber risk assessment and mitigation
According to the IMO, cyber risk management means “the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders”.
Its overall objective is to support safe and secure shipping that is operationally resilient to cyber risks.
However, to fully comply with this aim and avoid introducing vulnerabilities into complex systems, specialists with maritime knowledge and experience must conduct cyber assessments onboard marine vessels.
Pete Rucinski, Managing Director of Assure Technical, a maritime cyber security company, highlights this:
“You have to live and breathe it. It takes years to learn how all the maritime systems work and interface with each other. Only by understanding how the specialist systems work, and how they work together, do you know the relevant questions to ask in a maritime cyber security audit.”
Each assessment is bespoke to the vessel and crew. Pete conducted previous superyacht security audits remotely, which took him about a week.
Assure’s maritime cyber security risk assessments comply with the IMO’s guidelines on maritime cyber risk management. They can be incorporated into existing risk management processes and are complementary to other IMO safety and security management practices.
IMO’s 2021 cyber security resolution
The IMO adopted Resolution MSC.428(98) in 2017 to encourage the maritime industry to properly address cyber risks.
As a result, since January 2021, commercial vessels, including superyachts over 500GT, must demonstrate the implementation of maritime cyber risk management in their Document of Compliance.
In addition, many flag states are getting serious about maritime cyber security and non-compliance is a major issue.
The United States Coast Guard (USCG) is one such organisation. It considers compromised IT or OT in shipping vessels as a direct threat to critical national maritime systems.
Consequently, the USCG enforces the international requirement for a vessel to hold a cyber security plan and conducts spot checks on vessels wishing to use its ports. Lesser penalties for non-compliance include resolving issues before a vessel departs. However, more severe sanctions may include vessel detainment.
As more and more ports upgrade their own cyber security, there is an increasing pressure on vessel owners to do likewise.
Richard Young, marine underwriter and Head of Hull at Beazley insurers told Superyacht News:
“Following guidelines introduced by the International Maritime Organization (IMO), the onus is now greater on vessel owners and operators to demonstrate robust cyber risk management and to understand, assess, and manage risk to improve overall operational resilience in shipping.”
How to Comply with the IMO cyber security directive
Until recently there has not been a specific maritime cyber security certification to ensure a vessel will comply with IMO Resolution MSC.428(98). However, the recently launched Maritime Cyber Baseline certification has been created to directly address maritime cyber technical controls.
Coupled with a thorough and bespoke maritime cyber security risk assessment, this approach can demonstrate competence to IMO guidelines.
And perhaps more importantly, it optimises onboard cyber security, keeping the vessel, its crew and its passengers protected.
In Summary
Maritime cyber security is a holistic cyber security and safety management system that protects vessels, crews and passengers from cyber attack.
The key to success is treating your vessel as any other network. The technology must work. The processes need to be in place. And crews require training.
Consequences of non-compliance with the IMO Resolution MSC.428(98) could be severe.
Assure Technical offer a comprehensive Maritime Cyber Security service, from advising on basic maritime cyber security principles through to ensuring compliance with IMO Resolution MSC.428(98).
Maritime cyber security doesn’t have to be a painful process. Assure Technical make the process simple with our pragmatic, people-first approach.