On 28 September 2020, the French shipping giant CMA CGM announced that it had been hit by a Ragnar Locker ransomware attack, which took down its worldwide shipping container booking system. What is amazing is that all four of the biggest maritime shipping companies in the world have now been hit by cyber-attacks in the past four years.
– APM-Maersk was taken down for weeks by the NotPetya ransomware in 2017.
Ships are increasingly using systems that rely on digitalization, integration, and automation. While the IT world includes systems in offices, ports, and oil rigs, the OT world is used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems, administration, etc.
The OT systems used aboard include:
– Vessel Integrated Navigation System (VINS)
– Global Positioning System (GPS)
– Automatic Identification System (AIS)
– Radar systems and electronic charts
Increased cyber safety risks
Until recently these systems were isolated from each other and from any external shore-based systems. However, the evolution of digital and communications technology has allowed the convergence of these two worlds.
While these technologies and systems provide significant efficiency benefits for the shipping industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance, and design of cyber-enabled systems, and from intentional or unintentional cyber threats.
When addressing these threats, it is important to consider the uniqueness of OT systems. OT systems control the physical world and IT systems manage data. Disruption of the operation of OT systems may impose significant risk to the safety of the crew, the passengers, and the cargo on board. Considering that many ships carry harmful substances, a cyber incident might have severe environmental consequences or might lead to hijacking the ship to steal the cargo.
It is therefore apparent that cyber risks impact the safety and reliability of maritime operations. The Baltic and International Maritime Council (BIMCO) has defined a cyber safety incident as any incident that leads to “the loss of availability or integrity of safety critical data and OT.”
Cyber safety incidents can be the result of:
– a cyber security incident, which affects the availability and integrity of OT
– a failure occurring during software maintenance and patching
– loss of or manipulation of external sensor data, critical for the operation of a ship
The IMO Resolution for cyber resilience
Recognizing the urgent need to raise awareness of cyber risk threats and vulnerabilities to support safe and secure shipping, which is operationally resilient to cyber risks, the International Maritime Organization (IMO) adopted in 2017 resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution mandates shipping owners and administrators “to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.”
This is a great development and a clear departure from non-compulsory requirements to address cyber risks. To support its Resolution, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities.
The IMO guidelines dictate that effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization. They should also ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms. The recommendations to manage and mitigate cyber risks should be integrated in the existing risk management processes and are complementary to the safety and security management practices already established by IMO.
Guidelines for cyber resilience in the shipping industry
The IMO recommendations are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and its core functions of:
– Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
– Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
– Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
– Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
– Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
In addition to the IMO guidelines, BIMCO has also developed the Guidelines on Cyber Security Onboard Ships. The overall goal of these guidelines is to build a strong operational resilience to cyber-attacks. To achieve this goal, maritime companies should follow these best practices:
– Identify the threat environment to understand external and internal cyber threats to the ship. Threat actors might be activists or disgruntled employees, criminals, opportunists, and state-sponsored groups or terrorists. Threat vectors include phishing, brute force, or DDoS attacks.
– Identify vulnerabilities by developing complete and full inventories of onboard systems and understanding the consequences of cyber threats to these systems. Common vulnerabilities might include obsolete or unsupported systems, outdated software and antivirus, inadequate security configurations, flat or unsegmented onboard networks, inadequate access controls, and critical onboard systems always connected to shore systems.
– Assess risk exposure by determining the likelihood and impact of a vulnerability exploitation by any external or internal actor. The assessment should evaluate the impact of a cyber incident on the Confidentiality, Integrity and Availability (CIA) of systems and data, as well as the impact on the safety of personnel and ship, the potential damage to the environment and the risks to non-digital control systems.
– Develop protection and detection measures to reduce the likelihood and the impact of a potential exploitation of a vulnerability. The defense-in-depth approach should include controls for the physical security of the ship, network segmentation, intrusion detection, vulnerability scanning, software whitelisting, access controls, policies for removable media and passwords, and personnel security awareness training programs.
– Establish prioritized contingency plans to mitigate any potential identified cyber risk. The plan should address cyber incidents such as loss of availability of electronic navigational equipment or loss of integrity of navigation related data, loss of availability or integrity of external data sources, loss of essential connectivity with the shore, loss of availability of industrial control systems, including propulsion, and the event of a ransomware or denial of service incident.
– Respond and recover from cyber incidents using the contingency plan to ensure operational continuity. An effective response should at least consist of initial assessment of the incident, recovery of systems and data, and incident investigation to prevent re-occurrence.
Maintaining effective cybersecurity is not just an IT issue but rather a fundamental operational imperative in the 21st-century maritime environment.