THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS
Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together – and more frequently connected to the internet.
This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.
To mitigate the potential safety, environmental and commercial consequences of a cyber incident, a group of international shipping organisations, with support from a wide range of stakeholders (please refer to annex 5 for more details), have participated in the development of these guidelines, which are designed to assist companies in formulating their own approaches to cyber risk management onboard ships.
Approaches to cyber risk management will be company- and ship-specific but should be guided by the requirements of relevant national, international and flag state regulations. These guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is the benefit that relevant personnel would obtain from training in identifying the typical modus operandi of cyber attacks.
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
The commitment of senior management to cyber risk management is a central assumption, on which the Guidelines on Cyber Security Onboard Ships have been developed.
The Guidelines on Cyber Security Onboard Ships are aligned with IMO resolution MSC.428(98) and IMO’s guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety. (See chapter 1 for this distinction).
The aim of this document is to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. The guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company’s and ship’s approach to cyber risk management.
Like the IMO guidelines, the US National Institute of Standards and Technology (NIST) framework has also been accounted for in the development of these guidelines. The NIST framework assists companies with their risk assessments by helping them understand, manage and express the potential cyber risk threat both internally and externally. As a result of this assessment, a “profile” is developed, which can help to identify and prioritise actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business and technological approaches to manage the risks. Sample framework profiles are publicly available for maritime bulk liquid transfer, offshore, and passenger ship operations. These profiles were created by the United States Coast Guard and NIST’s National Cybersecurity Center of Excellence with input from industry stakeholders. The profiles are considered to be complimentary to these guidelines and can be used together to assist industry in assessing, prioritizing, and mitigating their cyber risks.
1.Cyber security and safety management
Both cyber security and cyber safety are important because of their potential effect on personnel, the ship, environment, company and cargo. Cyber security is concerned with the protection of IT, OT, information and data from unauthorised access, manipulation and disruption. Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT.
Cyber safety incidents can arise as the result of:
-- a cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
-- a failure occurring during software maintenance and patching
-- loss of or manipulation of external sensor data, critical for the operation of a ship – this includes but is not limited to Global Navigation Satellite Systems (GNSS).
Whilst the causes of a cyber safety incident may be different from a cyber security incident, the effective response to both is based upon training and awareness.
1Cyber risk management should:
--identify the roles and responsibilities of users, key personnel, and management both ashore and on board
--identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
--implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
--implement activities to prepare for and respond to cyber incidents.
Some aspects of cyber risk management may include commercially sensitive or confidential information. Companies should, therefore, consider protecting this information appropriately, and as far as possible, not include sensitive information in their Safety Management System (SMS).
Development, implementation, and maintenance of a cyber security management program in accordance with the approach in figure 1 is no small undertaking. It is, therefore, important that senior management stays engaged throughout the process to ensure that the protection, contingency and response planning are balanced in relation to the threats, vulnerabilities, risk exposure and consequences of a potential cyber incident.
1.1 Differences between IT and OT systems
OT systems control the physical world and IT systems manage data. OT systems differ from traditional IT systems. OT is hardware and software that directly monitors/controls physical devices and processes. IT covers the spectrum of technologies for information processing, including software, hardware and communication technologies. Traditionally OT and IT have been separated, but with the internet, OT and IT are coming closer as historically stand-alone systems are becoming integrated. Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel, cargo, damage to the marine environment, and impede the ship’s operation.
Typical differences between IT and OT systems can be seen in the table below.
There may be important differences between who handles the purchase and management of the OT systems versus IT systems on a ship. IT departments are not usually involved in the purchase of OT systems. The purchase of such systems should involve a chief engineer, who knows about the impact on the onboard systems but will most probably only have limited knowledge of software and cyber risk management. It is, therefore, important to have a dialogue with the IT department to ensure that cyber risks are considered during the OT purchasing process. OT systems should be inventoried with the IT department, so as to obtain an overview of potential challenges and to help establish the necessary policy and procedures for software maintenance.
Other industry sectors have seen the barrier removed between IT and OT, with management and procurement strategies all handled under the same regime.
1.2 Plans and procedures
IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. More guidance on how to incorporate cyber risk management into the company’s SMS can be found in annex 2 of these guidelines.
Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel. In the context of a ship’s operation, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.
The objective of the SMS is to provide a safe working environment by establishing appropriate practices and procedures based on an assessment of all identified risks to the ship, onboard personnel and the environment. The SMS should include instructions and procedures to ensure the safe operation of the ship and protection of the environment in compliance with relevant international and flag state requirements. These instructions and procedures should consider risks arising from the use of IT and OT on board, taking into account applicable codes, guidelines and recommended standards.
When incorporating cyber risk management into the company’s SMS, consideration should be given as to whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment based on whether a particular ship is unique within their fleet. The factors to be considered include but are not limited to the extent to which IT and OT are used on board, the complexity of system integration and the nature of operations.
In accordance with chapter 8 of the ISPS Code, the ship is obliged to conduct a security assessment, which includes identification and evaluation of key shipboard operations and the associated potential threats. As recommended by Part B, paragraph 8.3.5 of the ISPS Code, the assessment should address radio and telecommunication systems, including computer systems and networks. Therefore, the ship’s security plan may need to include appropriate measures for protecting both the equipment and the connection. Due to the fast adoption of sophisticated and digitalised onboard OT systems, consideration should be given to including these procedures by reference to the SMS in order to help ensure the ship’s security procedures are as up-to-date as possible.
Systems like Tanker Management and Self Assessment (TMSA) also require plans and procedures to be implemented.
1.3 Relationship between ship manager and shipowner
The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks on board. If the ship is under third party management, then the ship manager is advised to reach an agreement with the ship owner.
Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.
Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.
Agreements on cyber risk management should be formal and written.
1.4 The relationship between the shipowner and the agent
The importance of this relationship has placed the agent as a named stakeholder, interfacing continuously and simultaneously with shipowners, operators, terminals, port services vendors, and port state control authorities through the exchange of sensitive, financial, and port coordination information. The relationship goes beyond that of a vendor. It can take different forms and especially in the tramp trade, shipowners require a local representative (an independent ship agent) to serve as an extension of the company.
Coordination of the ship’s call of port is a highly complex task being simultaneously global and local. It covers updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore. As one example, which touches cyber risk management: Often agents are required to build IT systems, which upload information real-time into owner’s management information system.
Quality standards for agents are important because like all other businesses, agents are also targeted by cyber criminals. Cyber-enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber-enhanced relationships between owners and agents to mitigate such cyber risks.
1.5 Relationship with vendors
Companies should evaluate and include the physical security and cyber risk management processes of service providers in supplier agreements and contracts. Processes evaluated during supplier vetting and included in contract requirements may include:
--security management including management of sub-suppliers
--software engineering and architecture
--asset and cyber incident management
--data and information protection.
Evaluation of service providers beyond the first tier may be challenging especially for companies with a large number of tier one suppliers. Third party providers that are collecting and managing supplier risk management data may be an option to consider.
Lack of physical and/or cyber security at a supplier within their products or infrastructure may result in a breach of corporate IT systems or corruption of ship OT/IT systems.
Companies should evaluate the cyber risk management processes for both new and existing contracts. It is good practice for the company to define their own minimum set of requirements to manage supply chain or 3rd party risks. A set of cyber risk requirements that reflect the company’s expectations should be clear and unambiguous to vendors. This may also help procurement practices when dealing with multiple vendors.
The cyber risk is specific to the company, ship, operation and/or trade. When assessing the risk, companies should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.
Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging by the absence of any definitive information about incidents and their impact. Until this evidence is obtained, the scale and frequency of attacks will continue to be unknown.
Experiences in the shipping industry and from other business sectors such as financial institutions, public administration and air transport have shown that successful cyber attacks might result in a significant loss of services. Assets can also compromise safety.
There are motives for organisations and individuals to exploit cyber vulnerabilities. The following examples give some indication of the threats posed and the potential consequences for companies and the ships they operate:
The above groups are active and have the skills and resources to threaten the safety and security of ships and a company’s ability to conduct its business.
In addition, there is the possibility that company personnel, on board and ashore, could compromise cyber systems and data. In general, the company should realise that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.
Types of cyber attack
In general, there are two categories of cyber attacks, which may affect companies and ships:
--untargeted attacks, where a company or a ship’s systems and data are one of many potential targets
--targeted attacks, where a company or a ship’s systems and data are the intended target.
Untargeted attacks are likely to use tools and techniques available on the internet, which can be used to locate, discover and exploit widespread vulnerabilities that may also exist in a company and onboard a ship. Examples of some tools and techniques that may be used in these circumstances include:
--Malware – Malicious software which is designed to access or damage a computer without the knowledge of the owner. There are various types of malware including trojans, ransomware, spyware, viruses, and worms. Ransomware encrypts data on systems until a ransom has been paid. Malware may also exploit known deficiencies and problems in utdated/unpatched business software. The term “exploit” usually refers to the use of a software or code, which is designed to take advantage of and manipulate a problem in another computer software or hardware. This problem can, for example, be a code bug, system vulnerability, improper design, hardware malfunction and/or error in protocol implementation. These vulnerabilities may be exploited remotely or triggered locally. Locally, a piece of malicious code may often be executed by the user, sometimes via links distributed in email attachments or through malicious websites.
--Phishing – Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.
--Water holing – Establishing a fake website or compromising a genuine website to exploit visitors.
--Scanning – Attacking large portions of the internet at random.
Targeted attacks may be more sophisticated and use tools and echniques specifically created for targeting a company or ship. Examples of tools and techniques, which may be used in these circumstances, include:
--Social engineering – A non-technical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, normally, but not exclusively, through interaction via social media.
--Brute force – An attack trying many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords until the correct one is found.
--Denial of service (DoS) – Prevents legitimate and authorised users from accessing information, usually by flooding a network with data. A distributed denial of service (DDoS) attack takes control of multiple computers and/or servers to implement a DoS attack.
--Spear-phishing – Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.
--Subverting the supply chain – Attacking a company or ship by compromising equipment, software or supporting services being delivered to the company or ship.
The above examples are not exhaustive. Other methods are evolving such as impersonating a legitimate shore-based employee in a shipping company to obtain valuable information, which can be used for a further attack. The potential number and sophistication of tools and techniques used in cyber attacks continue to evolve and are limited only by the ingenuity of those organisations and individuals developing them.
Stages of a cyber attack
In 2018, it took on average 140 days between time of infection of a victim’s network and discovery of a cyber attack. However, intrusion can go undetected for years. This figure is down from 205 days in 2015 and continues to drop because detection is getting better7. Cyber attacks are conducted in stages. The length of time to prepare a cyber attack can be determined by the motivations and objectives of the attacker, and the resilience of technical and procedural cyber risk controls implemented by the company, including those onboard its ships. When considering targeted cyber attacks, the generally-observed stages of an attack are:
--Survey/reconnaissance – Open/public sources are used to gain information about a company, ship or seafarer in preparation for a cyber attack. Social media, technical forums and hidden properties in websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities. The use of open/public sources may be complemented by monitoring (analysing – sniffing) the actual data flowing into and from a company or a ship.
--Delivery – Attackers may attempt to access the company’s and ship’s systems and data. This may be done from either within the company or ship or remotely through connectivity with the internet. Examples of methods used to obtain access include:
• company online services, including cargo or container tracking systems
• sending emails containing malicious files or links to malicious websites to personnel
• providing infected removable media, for example as part of a software update to an onboard system
• creating false or misleading websites, which encourage the disclosure of user account information by personnel.
--Breach – The extent to which an attacker can breach a company’s or ship’s system will depend on the significance of the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach might not result in any obvious changes to the status of the equipment. Depending on the significance of the breach, an attacker may be able to:
• make changes that affect the system’s operation, for example interrupt or manipulate information used by navigation equipment, or alter operationally important information such as loading lists
• gain access to commercially sensitive data such as cargo manifests and/or crew and passenger/ visitor lists
• achieve full control of a system, for example a machinery management system.
--Pivot – Pivoting is the technique of using an instance already exploited to be able to “move” and perform other activities. During this phase of an attack, an attacker uses the first compromised system to attack otherwise inaccessible systems. An attacker will usually target the most vulnerable part of the victim’s system with the lowest level of security. Once access is gained then the attacker will try to exploit the rest of the system. Usually, in the Pivot phase, the attacker may try to:
• upload tools, exploits and scripts in the system to support the attacker in the new attack phase
• execute a discovery of neighbour systems with scanning or network mapping tools
• install permanent tools or a key logger to keep and maintain access to the system
• execute new attacks on the system.
The motivation and objectives of the attacker will determine what effect they have on the company or ship system and data. An attacker may explore systems, expand access and/or ensure that they are able to return to the system in order to:
--access commercially sensitive or confidential data about cargo, crew, visitors and passengers
--manipulate crew or passenger/visitors lists, cargo manifests or loading lists. This may subsequently be used to allow the fraudulent transport of illegal cargo, or facilitate thefts
--cause complete denial of service on business systems
--enable other forms of crime for example piracy, theft and fraud
--disrupt normal operation of the company and ship systems, for example by deleting critical pre-arrival or discharge information or overloading company systems.
It is recommended that a shipping company initially performs an assessment of the potential threats that may realistically be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threat. It may be facilitated by internal experts or supported by external experts with knowledge of the maritime industry and its key processes. The result should be a strategy centred around the key risks.
Stand-alone systems will be less vulnerable to external cyber attacks compared to those attached to uncontrolled networks or directly to the internet. Network design and network segregation will be explained in more detail in annex 3. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel’s actions. Onboard systems could include:
--Cargo management systems – Digital systems used for the loading, management and control of cargo, including hazardous cargo, may interface with a variety of systems ashore, including ports, marine terminals. Such systems may include shipment-tracking tools available to shippers via the internet. However, the tracking is usually done via the company’s systems connected to the ship and not directly between the shipper and the ship. Interfaces of this kind make cargo management systems and data in cargo manifests and loading lists vulnerable to cyber attacks.
--Bridge systems – The increasing use of digital, network navigation systems, with interfaces to shoreside networks for update and provision of services, make such systems vulnerable to cyber attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation and, therefore, may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.
--Propulsion and machinery management and power control systems – The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber attacks. The vulnerability of these systems can increase when used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.
--Access control systems – Digital systems used to support access control to ensure physical security and safety of a ship and its cargo, including surveillance, shipboard security alarm, and electronic “personnel-on-board” systems are vulnerable to cyber attacks.
--Passenger servicing and management systems – Digital systems used for property management, boarding and access control may hold valuable passenger related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.
--Passenger facing public networks – Fixed or wireless networks connected to the internet, installed on board for the benefit of passengers, for example guest entertainment systems, should be considered uncontrolled and should not be connected to any safety critical system on board.
--Administrative and crew welfare systems – Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety critical system on board. Software provided by ship management companies or owners is also included in this category.
--Communication systems – Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements by these authorities should be strictly complied with.
The above-mentioned onboard systems consist of potentially vulnerable equipment, which should be reviewed during the assessment. More detail can be found in annex 1 of these guidelines.
3.1 Ship to shore interface
Ships are becoming more and more integrated with shoreside operations because digital communication is being used to conduct business, manage operations, and retain contact with head office. Furthermore, critical ship systems essential to the safety of navigation, power and cargo management have become increasingly digitalised and connected to the internet to perform a wide variety of legitimate functions such as:
--engine performance monitoring
--maintenance and spare parts management
--cargo, loading and unloading, crane, pump management and stow planning
--voyage performance monitoring.
The above list provides examples of this interface and is not exhaustive. The above systems provide data, which may be of interest to cyber criminals to exploit.
Modern technologies can add vulnerabilities to the ships especially if there are insecure designs of networks and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may be unaware how some equipment producers maintain remote access to shipboard equipment and its network system. Unknown, and uncoordinated remote access to an operating ship should be taken into consideration as an important part of the risk assessment.
It is recommended that companies should fully understand the ship’s OT and IT systems and how these systems connect and integrate with the shore side, including public authorities, marine terminals and stevedores. This requires an understanding of all computer based onboard systems and how safety, operations, and business can be compromised by a cyber incident.
The following should be considered regarding producers and third parties including contractors and service providers:
1. The producer’s and service provider’s cyber risk management awareness and procedures: Such companies may lack cyber awareness training and governance in their own organisations and this may represent more sources of vulnerability, which could result in cyber incidents. These companies should have an updated cyber risk management company policy, which includes training and governance procedures for accessible IT and OT onboard systems.
2. The maturity of a third-party’s cyber risk management procedures: The shipowner should query the internal governance of cyber network security, and seek to obtain a cyber risk management assurance when considering future contracts and services. This is particularly important when covering network security if the ship is to be interfaced with the third-party such as a marine terminal or stevedoring company.
The following are common cyber vulnerabilities, which may be found onboard existing ships, and on some newbuild ships:
--obsolete and unsupported operating systems
--outdated or missing antivirus software and protection from malware
--inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords,
--shipboard computer networks, which lack boundary protection measures and segmentation of networks
--safety critical equipment or systems always connected with the shore side
--inadequate access controls for third parties including contractors and service providers.
4.Assess risk exposure
Cyber risk assessment should start at senior management level of a company, instead of being immediately delegated to the ship security officer or the head of the IT department. There are several reasons for this.
1. Initiatives to heighten cyber security and safety may at the same time affect standard business procedures and operations, rendering them more time consuming and/or costly. It is, therefore, a senior management level decision to evaluate and decide on risk mitigation.
2. A number of initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the ship and the environment and not to IT systems, and therefore need to be anchored organisationally outside the IT department.
3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.
The following questions may be used as a basis for a risk assessment when addressing cyber risks onboard ships:
--What assets are at risk?
--What is the potential impact of a cyber incident?
--Who has the final responsibility for the cyber risk management?
--Are the OT systems and their working environment protected from the internet?
--Is there remote access to the OT systems, and if so how is it monitored and protected?
--Are the IT systems protected and is remote access being monitored and managed?
--What cyber risk management best practices are being used?
--What is the training level of the personnel operating the IT and OT systems?
Based on the answers, the company should delegate authority and allocate the budget needed to carry out a full risk assessment and develop solutions that are best suited for the company and the operation of their ships. The following should be addressed:
--identify systems that are important to operation, safety and environmental protection
--assign the persons responsible for setting cyber policies, procedures and enforce monitoring
--determine where secure remote access should use multiple defence layers and where protection of networks should be disconnected from the internet
--identification of needs for training of personnel.
The level of cyber risk will reflect the circumstances of the company, ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics, which affect its vulnerability to cyber incidents:
--the cyber controls already implemented by the company onboard its ships
--multiple stakeholders are often involved in the operation and chartering of a ship potentially resulting in lack of accountability for the IT infrastructure
--the ship being online and how it interfaces with other parts of the global supply chain
--ship equipment being remotely monitored, eg by the producers
--business-critical, data sensitive and commercially sensitive information shared with shore-based service providers, including marine terminals and stevedores and also, where applicable, public authorities
--the availability and use of computer-controlled critical systems for the ship’s safety and for environmental protection.
These elements should be considered, and relevant parts incorporated into the company cyber security policies, safety management systems, and ship security plans. Users of these guidelines should refer to specific national, international and flag state regulations as well as relevant international and industry standards and best practices when developing and implementing cyber risk management procedures.
IT and OT systems, software and maintenance can be outsourced to third-party service providers and the company, itself, may not possess a way of verifying the level of security supplied by these providers. Some companies use different providers responsible for software and cyber security checks.
The growing use of big data, smart ships and the “internet of things”8 will increase the amount of information available to cyber attackers and the potential attack surface to cyber criminals. This makes the need for robust approaches to cyber risk management important both now and in the future.
Visits to ships by third parties requiring a connection to one or more computers on board can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians to board the ship and plug in devices, such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to “print official documents” after having inserted an unknown removable media.
Sometimes there is no control as to who has access to the onboard systems, eg during drydocking, layups or when taking over a new or existing ship. In such cases, it is difficult to know if malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly.
Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security. These systems can be “third-party systems”, whereby the contractor monitors and maintains the systems from a remote access. These systems could include both two-way data flow and upload-only. Systems and work stations with remote control, access or configuration functions could, for example, be:
--bridge and engine room computers and work stations on the ship’s administrative network
--cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely
--stability decision support systems
--hull stress monitoring systems
--navigational systems including Electronic Navigation Chart (ENC) Voyage Data Recorder (VDR), dynamic positioning (DP)
--cargo handling and stowage, engine, and cargo management and load planning systems
--safety and security networks, such as CCTV (closed circuit television)
--specialised systems such as drilling operations, blow out preventers, subsea installation systems, Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.
The extent and nature of connectivity of equipment should be known by the shipowner or operator and considered as an important part of the risk assessment.
The confidentiality, integrity and availability (CIA) model9 provides a framework for assessing the impact of:
--unauthorised access to and disclosure of information or data about the ship, crew, cargo and passengers
--loss of integrity, which would modify or destroy information and data relating to the safe and efficient operation and administration of the ship
--loss of availability due to the destruction of the information and data and/or the disruption to services/ operation of ship systems.
The relative importance of confidentiality, integrity and availability depends on the use of the information or data. For example, assessing the vulnerability of IT systems related to commercial operations may focus on confidentiality and integrity rather than availability. Conversely, assessing the vulnerability of OT systems onboard ships, particularly safety critical systems, may focus on availability and/or integrity instead of confidentiality.
Potential impacts could be safety-related, operational, environmental-related, financial, reputational and compliance-related. Several assessment methodologies offer criteria and techniques that can help define the magnitude of the impact from a cyber attack.
When it comes to OT systems, an extra dimension must be added to the CIA model.
A risk assessment of OT systems needs to be based on an inventory overview of equipment and/ or computer-based systems and a map of the networks’ connections. Further, access points and communication devices should be part of this overview. As the impact of an onboard OT system’s cyber incident may include physical effects, risk assessments should include:
--impacts on the safety of onboard personnel, the ship and cargo
--physical impact on an OT system, including the environment surrounding it on board; the effect on the process that is being controlled and the physical effect on the OT system itself
--the consequences for risk assessments of non-digital control components within an OT system.
The implementation of protection measures based on risk assessments is well established on all ships via the ISM code and the ship’s SMS. Safety assessments are concerned primarily with the physical world bearing in mind that the physical and the digital worlds are now intertwined. Assessing the potential physical damage from a cyber incident should include:
1. how an incident could manipulate the operation of sensors and actuators to impact the physical environment
2. what redundant controls and manual overriding possibilities exist in the OT system to prevent an incident
3. how a physical incident could emerge.
4. how to evaluate potential effects to the physical process performed by the OT system.
Bring your own device (BYOD)
It is recognised that personnel may be allowed to bring their own devices (BYOD) on board to access the ship’s system or network. Although this may be both beneficial and economical for ships, it significantly increases the level of vulnerability because these devices may be unmanaged. Policies and procedures should address the control and use of BYODs, as well as how to protect vulnerable data, by using network segregation for example.
4.1 Risk assessment made by the company
As mentioned above, the risk assessment process starts by assessing the systems on board, in order to map their robustness to handle the current level of cyber threats. The assessment should assess the IT and OT systems on board. When conducting the assessment, the company should consider the outcomes of the ship security assessment as well as the following:
1. identification of existing technical and procedural controls to protect the onboard IT and OT systems
2. identification of IT and OT systems that are vulnerable including the human factor, and the policies and procedures governing the use of these systems. The identification should include searches for known vulnerabilities relevant to the equipment as well as the current level of patching and firmware updates
3. identification and evaluation of key ship board operations that are vulnerable to cyber attacks
4. identification of possible cyber incidents and their impact on key ship board operations, and the likelihood of their occurrence to establish and prioritise protection measures.
Companies may consult with the producers and service providers of onboard equipment and systems to understand the technical and procedural controls that may already be in place to address cyber risk management. Furthermore, any identified cyber vulnerability in the factory standard configuration of a critical system or component should be disclosed to facilitate better protection of the equipment in the future.
4.2 Third-party risk assessments
Self-assessments can serve as a good start but may be complemented by third-party risk assessments to drill deeper and identify the risks and the gaps that may not be found during the self-assessment. Penetration tests of critical IT and OT infrastructure can also be performed to identify whether the actual defence level matches the desired level set forth in the cyber security strategy for the company. Such tests can be performed by external experts simulating attacks using both IT-systems, social engineering and, if desired, even physical penetration of a facility’s security perimeter. These tests are referred to as active tests because they involve accessing and inserting software into a system. This may only be appropriate for IT systems. Where risk to OT systems during penetration testing is unacceptable, passive testing approaches should be considered. Passive methods rely on scanning data transmitted by a system to identify vulnerabilities. In general, no attempt is made to actively access or insert software into the system.
4.3 Risk assessment process
Phase 1: Pre-assessment activities
Prior to starting a cyber risk assessment on board11, the following activities should be performed:
--map the ship’s key functions and systems and their potential impact levels, for example using the CIA model, taking into consideration the operation of OT systems
--identify main producers of critical shipboard IT and OT equipment
--review detailed documentation of critical OT and IT systems including their network architecture, interfaces and interconnections
--identify cyber security points-of-contact with each of the producers and establish a working relationship with them
--review detailed documentation on the ship’s maintenance and support of the IT and OT systems
--establish contractual requirements and obligations that the shipowner/ship operator may have for maintenance and support of shipboard networks and equipment
--support, if necessary, the risk assessment with an external expert to develop detailed plans and include producers and service providers.
Phase 2: Ship assessment
The goal of the assessment of a ship’s network and its systems and devices is to identify any vulnerabilities that could compromise or result in either loss of confidentiality, loss of integrity or result in a loss of operation of the equipment, system, network, or even the ship. These vulnerabilities and weaknesses could fall into one of the following categories:
--technical such as software defects or outdated or unpatched systems
--design such as access management, unmanaged network interconnections
--implementation errors for example misconfigured firewalls
--procedural or other user errors.
The activities performed during an assessment could include reviewing the configuration of all computers, servers, routers, and cyber security technologies including firewalls. It could also include reviews of all available cyber security documentation and procedures for connected IT and OT systems and devices.
An aspect of on-ship assessment is involvement of crew of all levels; particularly the master, chief engineer and first mate. This process assists to understand the implementation of the IT and OT systems onboard, and how they may vary from stated design documentation, and also to understand the level of cyber training delivered to the ship’s crew.
Phase 3: Debrief and vulnerability review/reporting
Following the assessment, each identified vulnerability should be evaluated for its potential impact and the probability of its exploitation. Recommended technical and/or procedural corrective actions should be identified for each vulnerability.
Ideally, the cyber risk assessment should include:
--executive summary – a high-level summary of results, recommendations and the overall security profile of the assessed ship
--technical findings – breakdown of discovered vulnerabilities, their probability of exploitation, the resulting impact, and appropriate technical fix and mitigation advice
--prioritised list of actions – the priorities allocated should reflect the effectiveness of the measure, the cost, the applicability, etc. It is important that this list should be a complete list of options available and not represent a list of services and products the third-party risk assessor, if applicable, would like to sell.
--supplementary data – a supplement containing the technical details of all key findings and comprehensive analysis of critical flaws. This section should also include sample data recovered during the penetration testing, if any, of critical or high-risk vulnerabilities
--appendices – records of activities conducted by the cyber risk assessment team and the tools used during the engagement.
Consideration should be given as to whether parts of the cyber risk assessment should be treated as confidential.
Whilst cyber risk management policies and procedures should be included in the company safety management system, these should not contain information, which if made available outside the company could become a vulnerability.
Phase 4: Producer debrief
Once the shipowner has had an opportunity to review, discuss and assess the findings, a subset of the findings may need to be sent to the producers of the affected systems. Any findings, which are approved by the shipowner for disclosure to the producers, could be further analysed with support from external experts, who should work with the producer’s cyber security point of contact to ensure that a full risk and technical understanding of the problem is achieved. This supporting activity is intended to ensure that any remediation plan developed by the producer is comprehensive in nature and identifies the correct solution to eliminate the vulnerabilities.
5.Develop protection and detection measures
The outcome of the company’s risk assessment and subsequent cyber security strategy should be a reduction in risk to be as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cyber security.
It is important to identify how to manage cyber security on board and to delegate responsibilities to the master, responsible officers and when appropriate the company security officer.
5.1 Defence in depth and in breadth
It is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology to:
--increase the probability that a cyber incident is detected
--increase the effort and resources required to protect information, data or the availability of IT and OT systems.
Connected OT systems on board should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcomed entry into the systems, but this may not be sufficient to cope with insider threats.
This defence in depth approach encourages a combination of:
--physical security of the ship in accordance with the ship security plan (SSP)
--protection of networks, including effective segmentation
--periodic vulnerability scanning and testing
--access and user controls
--appropriate procedures regarding the use of removable media and password policies
--personnel’s awareness of the risk and familiarity with appropriate procedures.
Company policies and procedures should help ensure that cyber security is considered within the overall approach to safety and security risk management. The complexity and potential persistence of cyber threats means that a “defence in depth” approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber attacks.
When developing integration between systems, a trust boundary model should be considered, whereby systems are grouped into those between which trust is implicit (for example user workstations), and those between which trust should be explicit (between bridge computers and corporate networks). For large or complex networks, threat modelling should be considered as an activity to understand where technical controls should be implemented between systems in order to support a defence in breadth approach.
However, onboard ships where levels of integration between IT and OT systems may be high, defence in depth only works if technical and procedural protection measures are applied in layers across all vulnerable and integrated systems. This is “defence in breadth” and it is used to prevent any vulnerabilities in one system being used to circumvent protection measures of another system.
Cyber risk protection measures may be either technical or procedural in nature, with technical controls implemented to enforce procedural controls; a combination approach using appropriate measures provides the most effective level of protection.
Defence in depth and defence in breadth are complementary approaches, which, when implemented together, provide the foundation of a holistic response to the management of cyber risks.
Cyber risk protection measures may be technical and focused on ensuring that onboard systems are designed and configured to be resilient to cyber attacks. Protection measures may also be procedural and should be covered by company policies, safety management procedures, security procedures and access controls.
Consideration needs to be given to implementing technical controls that are practical and cost effective, particularly on existing ships.
Implementation of cyber security controls should be prioritised, focusing first on those measures, or combinations of measures, which offer the greatest benefit.
5.2 Technical protection measures
The Centre for Internet Security (CIS) provides guidance on measures that can be used to address cyber security vulnerabilities. The protection measures are a list of Critical Security Controls (CSC) that are prioritised and vetted to help ensure that they provide an effective approach for companies to assess and improve their defences. The CSCs include both technical and procedural aspects.
The below mentioned examples of CSCs have been selected as particularly relevant to equipment and data onboard ships.
Limitation to and control of network ports, protocols and services
Access lists to network systems can be used to implement the company’s security policy. This helps ensure that only appropriate traffic will be allowed via a controlled network or subnet, based on the control policy of that network or subnet.
It is recommended that routers are secured against attacks and unused ports should be closed to prevent unauthorised access to systems or data.
Configuration of network devices such as firewalls, routers and switches
It should be determined which systems should be attached to controlled or uncontrolled networks. Controlled networks are designed to prevent any security risks from connected devices by use of firewalls, security gateways, routers and switches. Uncontrolled networks may pose risks due to lack of data traffic control and should be isolated from controlled networks, as direct internet connection makes them highly prone to infiltration by malware. For example:
--networks that are critical to the operation of a ship itself, should be controlled. It is important that these systems have a high level of security
--networks that provide suppliers with remote access to navigation and other OT systems’ software on board, should also be controlled. These networks may be necessary to allow suppliers to upload system upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to prevent unauthorised access
--cargo stowage, load planning and management systems should be controlled. So, should those systems that perform mandatory ship reporting to public authorities
--other networks, such as guest access networks, may be uncontrolled, for instance those related to passenger recreational activities or private internet access for crew. Normally, any wireless network should be considered uncontrolled.
Effective segregation of systems, based on necessary access and trust levels, is one of the most successful strategies for the prevention of cyber incidents. Effectively segregated networks can significantly impede an attacker’s access to a ship’s systems and is one of the most effective techniques for preventing the spread of malware. Onboard networks should be partitioned by firewalls to create safe zones. The fewer communications links and devices in a zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most protected zone. See annex 3 of these guidelines for more information on shipboard networks and also refer to ISO/IEC 62443.
Physical security15 is a central aspect of cyber risk management and an effective defence in depth strategy relies on ensuring that technical controls cannot be circumvented through trivial technical means. Areas containing sensitive OT or IT control components should be securely locked, security and safety critical equipment and cable runs should be protected from unauthorised access, and physical access to sensitive user equipment (such as exposed USB ports on bridge systems) should be secured.
Detection, blocking and alerts
Identifying intrusions and infections is a central part of the control procedures. A baseline of network operations and expected data flows for users and systems should be established and managed, so that cyber incident alert thresholds can be established. Key to this will be the definition of roles and responsibilities for detection to help ensure accountability. Additionally, a company may choose to incorporate an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) into the network or as part of the firewall. Some of their main functions include identifying threats/malicious activity and code, and then logging, reporting and attempting to block the activity. Further details concerning IDS and IPS can be found in annex 3 of these guidelines. It helps to ensure that dedicated onboard personnel can understand the alerts and their implications. Incidents detected should be directed to an individual or service provider, who is responsible for acting on this type of alert.
Satellite and radio communication
Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this connection, the specification of the satellite link should be considered when establishing the requirements for onboard network protection.
When establishing an uplink connection for a ship’s navigation and control systems to shore-based service providers, consideration should be given on how to prevent illegitimate connections gaining access to the onboard systems.
The access interconnect is the distribution partner’s responsibility. The final routing of user traffic from the internet access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner. User traffic is routed through the communication equipment for onward transmission on board. At the access point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.
When using a Virtual Private Network (VPN), the data traffic should be encrypted to an acceptable international standard. Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or on board) should be deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic. Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner and the distribution partner. Both onshore filtering of traffic and firewalls/security inspection/blocking gateways on the ship are needed and supplement each other to achieve a sufficient level of protection.
Producers of satellite communication terminals and other communication equipment may provide management interfaces with security control software that are accessible over the network. This is primarily provided in the form of web-based user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation.
Wireless access control
Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly. The following can be considered for controlling wireless access:
--the use of enterprise authentication systems using asymmetric encryption and isolating networks with appropriate wireless dedicated access points (e.g. guest networks isolated from administrative networks)
--the adoption of systems, such as wireless IPS, that can intercept non-authorized wireless access points or rogue devices
--the protection of the physical interconnection between wireless access devices and the network, such as network plugs, network racks, etc.) to avoid unauthorized access by rogue devices.
Scanning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated.
As a general guideline, onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the risk of these computers acting as attack vectors towards servers and other computers on the ship’s network. How regularly the scanning software will be updated must be taken into consideration when deciding whether to rely on these defence methods.
Secure configuration for hardware and software
Only senior officers should be given administrator profiles, so that they can control the set up and disabling of normal user profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes, for which they are required. User profiles should not allow the user to alter the systems or install and execute new programs.
Email and web browser protection
Email communication between ship and shore is a vital part of a ship’s operation. Appropriate email and web browser protection serves to:
--protect shoreside and onboard personnel from potential social engineering
--prevent email being used as a method of obtaining sensitive information
--ensure that the exchange of sensitive information via email or by voice is appropriately protected to ensure confidentiality and integrity of data, eg encryption protection
--prevent web browsers and email clients from executing malicious scripts.
Some best practices for safe email transfer are: email as zip or encrypted file when necessary, disable hyperlinks on email system, avoid using generic email addresses and ensure the system has configured user accounts.
Data recovery capability
Data recovery capability is the ability to restore a system and/or data from a secure copy or image, thereby allowing the restoration of a clean system. Essential information and software-adequate backup facilities should be available to help ensure recovery following a cyber incident.
Retention periods and restore scenarios should be established to prioritise which critical systems
need quick restore capabilities to reduce the impact. Systems that have high data availability requirements should be made resilient. OT systems, which are vital to the safe navigation and operation of the ship, should have backup systems to enable the ship to quickly and safely regain navigational and operational capabilities after a cyber incident. More details on recovery can be found in chapter 7 of these guidelines.
Application software security (patch management)
Safety and security updates should be provided to onboard systems. Ordinary security patches should be included in the periodic maintenance cycle. Critical patches should be evaluated in terms of operational impact on the OT systems. These updates or patches should be applied correctly and in a timely manner to ensure that any flaws in a system are addressed before they are exploited by a cyber attack. If a critical patch cannot be installed, alternative measures should be evaluated to help implement virtual patching techniques.
5.3 Procedural protection measures
Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies. Examples for procedural actions can be:
Training and awareness
Training and awareness are the key supporting elements to an effective approach to cyber risk management as described in these guidelines and summarised in figure 1.
The internal cyber threat should be taken into account. Personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:
--onboard personnel including the master, officers and crew
--shoreside personnel, who support the management, loading and operation of the ship.
These guidelines assume that other major stakeholders in the supply chain, such as charterers, classification societies and service providers, will carry out their own best-practice cyber security protection and training. It is advisable for owners and operators to ascertain the status of cyber security preparedness of their third-party providers, including marine terminals and stevedores, as part of their sourcing procedures for such services.
An awareness programme should be in place for all onboard personnel, covering at least the following:
--risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site
--risks related to internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored
--risks related to the use of own devices. These devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment, to which they are connected
--risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)
--risks related to poor software and data security practices, where no anti-virus checks or authenticity verifications are performed
--safeguarding user information, passwords and digital certificates
--cyber risks in relation to the physical presence of non-company personnel, eg, where third-party technicians are left to work on equipment without supervision
--detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network awareness of the consequences or impact of cyber incidents to the safety and operations of the ship
--understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incident-response planning and testing
--procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.
In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.
Further, applicable personnel should know the signs when a computer has been compromised. This may include the following:
--an unresponsive or slow to respond system
--unexpected password changes or authorised users being locked out of a system
--unexpected errors in programs, including failure to run correctly or programs running unexpectedly
--unexpected or sudden changes in available disk space or memory
--emails being returned unexpectedly
--unexpected network connectivity difficulties
--frequent system crashes
--abnormal hard drive or processor activity
--unexpected changes to browser, software or user settings, including permissions.
And, nominated personnel should be able to understand reports from IDS systems, if used. This list is not comprehensive and is intended to raise awareness of potential signs, which should be treated as possible cyber incidents.
Access for visitors
If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.
Upgrades and software maintenance
Hardware or software that is no longer supported by its producer or software developer will not receive updates to address potential vulnerabilities. For this reason, the use of hardware and software, which is no longer supported, should be carefully evaluated by the company as part of the cyber risk assessment.
Relevant hardware and software installations on board should be updated to help maintain a sufficient level of security. Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet connectivity, sea time, etc. Software includes computer operating systems, which should also be kept up to date.
Additionally, a number of routers, switches and firewalls, and various OT devices will be running their own firmware, which may require regular updates and so should be addressed in the procedural requirements.
Effective maintenance of software depends on the identification, planning and execution of measures necessary to support maintenance activities throughout the full software lifecycle. An industry standard to help ensure safe and secure software maintenance has been developed. It specifies requirements for all stakeholders involved in software maintenance of shipboard equipment and associated integrated systems. The standard covers on board, on shore and remote software maintenance.
Anti-virus and anti-malware tool updates
In order for scanning software tools to detect and deal with malware, they need to be updated. Procedural requirements should be established to ensure updates are distributed to ships on a timely basis and that all relevant computers on board are updated.
Policy and procedures should be established for control over remote access to onboard IT and OT systems. Clear guidelines should establish who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close co-ordination with the ship’s master and other key senior ship personnel.
All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems, which require remote access, should be clearly defined, monitored and reviewed periodically.
Use of administrator privileges
Access to information should only be allowed to relevant authorised personnel.
Administrator privileges allow full access to system configuration settings and all data. Users logging onto systems with administrator privileges may enable existing vulnerabilities to be more easily exploited. Administrator privileges should only be given to appropriately trained personnel, who as part of their role in the company or on board, need to log onto systems using these privileges. In any case, use of administrator privileges should always be limited to functions requiring such access.
User privileges should be removed when the people concerned are no longer on board. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should be applied to any onshore personnel, who have remote access to systems on ships, when they change role and no longer need access.
In a business environment, such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors are a risk because they often have both intimate knowledge of a ship’s operations and full access to systems.
To protect access to confidential data and safety critical systems, a robust password policy should be developed. Passwords should be strong and changed periodically. The company policy should address the fact that over-complicated passwords, which must be changed too frequently, are at risk of being written on a piece of paper and kept near the computer.
Physical and removable media controls
When transferring data from uncontrolled systems to controlled systems, there is a risk of introducing malware. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet. A clear policy for the use of such media devices is important; it must help ensure that media devices are not normally used to transfer information between un-controlled and controlled systems.
There are, however, situations where it is unavoidable to use these media devices, for example during software maintenance. In such cases, there should be a procedure in place to check removable media for malware and/or validate legitimate software by digital signatures and watermarks.
Policies and procedures relating to the use of removable media should include a requirement to scan any removable media device in a computer that is not connected to the ship’s controlled networks. If it is not possible to scan the removable media on board, eg the laptop of a maintenance technician,then the scan could be done prior to boarding. Companies should consider notifying ports and terminals about the requirement to scan removable media prior to permitting the uploading of files onto a ship’s system. This scanning should be carried out when transferring the following file types:
--cargo files and loading plans eg container ship BAPLIE files
--national, customs, and port authority forms
--bunkering and lubrication oil forms
--ship’s stores and provisions lists
--engineering maintenance files.
This list represents examples and should not be seen as exhaustive. Wherever possible, the files and forms should be transferred electronically or be downloaded directly from a trusted source without using removable media.
Equipment disposal, including data destruction
Obsolete equipment can contain data which is commercially sensitive or confidential. Prior to disposal of the equipment, the company should have a procedure in place to ensure that the data held in obsolete equipment is properly destroyed and cannot be retrieved.
Obtaining support from ashore and contingency plans
Ships should have access to technical support in the event of a cyber attack. Details of this support and associated procedures should be available on board. Please refer to chapter 6 of these guidelines for more information on contingency planning.
6.Establish contingency plans
When developing contingency plans for implementation onboard ships, it is important to understand the significance of any cyber incident and prioritise response actions accordingly.
Any cyber incident should be assessed in accordance with chapter 4 to estimate the impact on operations, assets etc. In most cases, and with the exception of load planning and management systems, a loss of IT systems on board, including a data breach of confidential information, will be a business continuity issue and should not have any impact on the safe operation of the ship. In the event of a cyber incident affecting IT systems only, the priority may be the immediate implementation of an investigation and recovery plan.
The loss of OT systems may have a significant and immediate impact on the safe operation of the ship. Should a cyber incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to help ensure the immediate safety of the crew, ship, cargo and protection of the marine environment. In general, appropriate contingency plans for cyber incidents, including the loss of critical systems and the need to use alternative modes of operation, should be addressed by the relevant operational and emergency procedures included in the safety management system.
Some of the existing procedures in the ship’s safety management system will already cover such cyber incidents. However, cyber incidents may result in multiple failures causing more systems to shut down at the same time. The contingency planning should take such incidents into consideration.
Disconnecting OT from shore network connection
Connections between shore and OT systems can be relevant in a wide range of applications like performance monitoring, predictive maintenance, and remote support just to mention a few. Common for these systems are that they are not strictly necessary for operating the ship safely. However, they represent a potential attack vector to the systems that are needed for the ship’s safe operation. Therefore, it is relevant to assess when these connections are allowed and under what circumstances. Plans should be established specifying when such OT systems should be temporarily separated from the shore network connection to protect the ship’s safe operation. Disconnecting will help prevent the attacker from being able to manipulate safety critical systems or take direct control of the system. Disconnecting could also take place to avoid malware spreading between network segments.
To effectively shut down shore connections, it is important to have the network and connectivity services designed in such a way that the networks can be physically segregated quickly by removing a single network cable (eg marked in an odd color) or powering off the firewall.
Safety management system
The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.
The following is a non-exhaustive list of cyber incidents, which should be addressed in contingency plans on board:
--loss of availability of electronic navigational equipment or loss of integrity of navigation related data
--loss of availability or integrity of external data sources, including but not limited to GNSS
--loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications
--loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control
--the event of a ransomware or denial or service incident.
Furthermore, it is important to help ensure that a loss of equipment or reliable information due to a cyber incident does not make existing emergency plans and procedures ineffective. Contingency plans and related information should be available in a non-electronic form as some types of cyber incidents can include the deletion of data and shutdown of communication links.
There may be occasions when responding to a cyber incident may be beyond the competencies on board or at head office due to the complexity or severity of such incidents. In these cases, external expert assistance may be required (for example, post event forensic analysis and clean-up).
7.Respond to and recover from cyber security incidents
It is important to understand that cyber incidents may not disappear by themselves. If for example, the ECDIS has been infected with malware, starting up the back-up ECDIS may cause another cyber incident. It is, therefore, recommended to plan how to carry out the cleaning and restoring of infected systems.
Knowledge about previous identified cyber incidents should be used to improve the response plans of all ships in the company’s fleet and an information strategy for such incidents may be considered.
7.1 Effective response
A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.
An effective response should at least consist of the following steps:
1. Initial assessment. To help ensure an appropriate response, the response team should find out:
• how the incident occurred
• which IT and/or OT systems were affected and how
• the extent to which the commercial and/or operational data is affected
• to what extent any threat to IT and OT remains.
2. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software. The content of a recovery plan is covered in section 7.2.
3. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in section 7.3.
4. Prevent a re-occurrence. Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.
When a cyber incident is complex, for example if IT and/or OT systems cannot be returned to normal operation, it may be necessary to initiate the recovery plan alongside onboard contingency plans. When this is the case, the response team should be able to provide advice to the ship on:
--whether IT or OT systems should be shut down or kept running to protect data
--whether certain ship communication links with the shore should be shut down
--the appropriate use of any advanced tools provided in pre-installed security software
--the extent to which the incident has compromised IT or OT systems beyond the capabilities of existing recovery plans.
It is important for relevant personnel to execute regular cyber security exercises in order to help keep the response capability effective. Cyber security exercises could, where appropriate, be inspired by real-life events and can be simulations of large-scale incidents that escalate to become cyber crises. This offers an opportunity to analyse advanced technical cyber security incidents, but also to help address business continuity and crisis management.
7.2 Recovery plan
Recovery plans should be available in hard copy on board and ashore. The purpose of the plan is to support the recovery of systems and data necessary to restore IT and OT to an operational state. To help ensure the safety of onboard personnel, the operation and navigation of the ship should be prioritised in the plan. The recovery plan should be understood by personnel responsible for cyber security. The detail and complexity of a recovery plan will depend on the type of ship and the IT, OT and other systems installed on board.
The incident response team should consider carefully the implications of recovery actions (such as wiping of drives), which may result in the destruction of evidence that could provide valuable information as to the causes of an incident. Where possible, professional cyber incident response support should be obtained in order to assist in preservation of evidence whilst restoring operational capability.
As explained in section 5.1, a data recovery capability is a valuable technical protection measure. Data recovery capabilities are normally in the form of software backup for IT data. The availability of a software backup, either on board or ashore, should enable recovery of IT to an operational condition following a cyber incident.
Recovery of OT may be more complex especially if there are no backup systems available and may require assistance from ashore. Details of where this assistance is available and by whom, should be part of the recovery plan, for example by proceeding to a port to obtain assistance from a service engineer.
If qualified personnel are available on board, more extensive diagnostic and recovery actions may be performed. Otherwise, the recovery plan will be limited to obtaining quick access to technical support.
7.3 Investigating cyber incidents
Investigating a cyber incident can provide valuable information about the way in which a vulnerability was exploited. Companies should, wherever possible, investigate cyber incidents affecting IT and OT on board in accordance with company procedures. A detailed investigation may require external expert support.
The information from an investigation can be used to improve the technical and procedural protection measures on board and ashore. It may also help the wider maritime industry with a better understanding of maritime cyber risks. Any investigation should result in18:
--a better understanding of the potential cyber risks facing the maritime industry both on board and ashore
--identification of lessons learned, including improvements in training to increase awareness
--updates to technical and procedural protection measures to prevent a recurrence.
7.4 Losses arising from a cyber incident
For insurers, the term “cyber” includes many different aspects and it is important to distinguish between them and their effects on insurance cover. Some insurers believe that there is no systemic risk to ships arising from a cyber incident and the impact of an incident will most likely be confined to a single ship.
Companies will be aware that specific non-marine insurance cover may be available to cover data loss and any resulting fines and penalties.
Companies should be able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship from any damage that may arise from a cyber incident.
Cover for property damage
Generally, in many markets offering marine property insurance, the policy may cover loss or damage to the ship and its equipment caused by a shipping incident such as grounding, collision, fire or flood, even when the underlying cause of the incident is a cyber incident. It may be noted that currently in some markets, exclusion clauses for cyber attacks exist. If the marine policy contains an exclusion clause for cyber attacks, the loss or damage may not be covered.
Companies are recommended to check with their insurers/brokers in advance whether their policy covers claims caused by cyber incidents and/or by cyber attacks.
Guidelines for the market have been published, in which marine insurers are recommended to ask questions about a company’s cyber risk awareness and non-technical procedures. Companies should, therefore, expect a request for non-technical information regarding their approach to cyber risk management from insurers.
The limited data on the frequency, severity of loss or probability of physical damage resulting from cyber incidents, represents a challenge and means that standard pricing is not available.
Cover for liability
It is recommended to contact the P&I Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.
An incident caused, for example by malfunction of a ship’s navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in itself give rise to any exclusion of normal P&I cover. In the event of a claim involving a cyber incident, claimants may well seek to argue that the claim arose as a result of an inadequate level of cyber preparedness. This, therefore, further stresses the importance of companies being able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship.
It should be noted that many losses, which could arise from a cyber incident, are not in the nature of third-party liabilities arising from the operation of the ship and are therefore not covered by P&I insurance. For example, financial loss caused by ransomware, or costs of rebuilding scrambled data would not be identified in the coverage.
It should, however, be noted that normal P&I cover in respect of liabilities is subject to a war risk exclusion and cyber incidents in the context of a war or terror risk will not normally be covered.