At this moment there are not many people in the maritime business that have not heard about the upcoming IMO regulation, Resolution MSC.428(98), regarding Maritime Cyber Security. Cyber Risk Management is to be included in the Safety Management System (SMS), which will be audited after the first annual Document of Compliance (DOC) audits as per 1 January 2021.
There have been many seminars and discussions on the subject, many guidelines, many tips and tricks from different organisations and vendors. But what is cyber security about? And what exactly are the related practical tasks and issues that should be considered by every mariner on board every ship?
In many industries, regulations have driven requirements, and cyber security has already been continually developed and improved for decades. When it comes to cybersecurity and the maritime sector, the famous NotPetya attack on Maersk in 2017 was a real eye opener. Prompted by the incident, the International Maritime Organization (IMO), which has a regulatory role within the industry, identified the industry’s security challenges and made regulations and guidelines for cyber risk management onboard ships mandatory as of 1 January 2021.This article is co-published together with ALANDIA INSURANCE – a leading insurance provider in the seafaring market.
WHAT IS CYBER SECURITY, AND WHAT IS IT IN A SPECIFICALLY MARITIME CONTEXT?
Cyber Security refers to the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It is also known as information technology security. In a maritime context, cyber risk refers to the probability of a technology asset being intentionally affected in a way that may result in operational, safety or security failures because of lost, corrupted, or compromised information or systems.
The distinction between Information Technology (IT) and Operational Technology (OT) systems should be noted. IT systems refers normally to the traditional company IT and business systems. OT systems, on the other hand, refers to the operational systems and equipment onboard vessels. OT systems are usually less familiar than IT systems and are often managed by vendors.
WHO ARE THE THREAT ACTORS, WHAT ARE THEIR MOTIVES AND METHODS?
A frequent comment we hear is “Who would be interested in us? We are so small, and we do not carry any value for hackers…”. To answer this question, we must understand the threat actors, which are often presented as follows: Hacktivists, Cybercriminals, Insiders, Opportunists, Nation states and Terrorists. Depending on the threat actor profile, motives for hacking may differ. One of the most common motives is financial, along with political, technical, and even military agendas. For disgruntled employees or customers, revenge is a rather common motive. When it comes to financial motives, even small maritime actors maintain personal data banks that may be commercialized together with thousands of actors on the criminal market. The risk of becoming a target among others as a part of a larger attack is often greater than becoming the sole target of a directed attack. Considering that Maersk was affected indirectly, even the costs of being a secondary target can be immense, such as the cost of having company cargo and vessels stopped even for one day.
Determining suitable targets is done by finding weaknesses in design, implementation, operation, or internal control. Depending on the motive, common methods include e.g., Phishing, Spoofing, Denial-of-service attack (D-Dos), Malwares, and Social engineering.
SECURITY FRAMEWORKS AND GUIDELINES
Although there is a multitude of tips, tricks and guidelines available, maritime operators should prioritize studying the Bimco guidelines which offer a complete list of cyber security actions to be carried out. In addition to the IMO resolution, these guidelines incorporate knowledge from the NIST (U.S. National Institute of Standards and Technology) Cybersecurity Framework. The NIST Cybersecurity Framework assists companies by helping them adopt an effective approach for managing potential cyber risks both internally and externally.
Cyber security is crucial for personnel, ships, the environment, companies, and cargo. The maritime industry has a range of characteristics that render it vulnerable to cyber incidents. The growing use of comprehensive data analysis, smart ships and the “Industrial Internet of Things” (IIoT) has multiplied the amount of information available to threat actors and thus broadened the potential attack surface for cyber criminals. Therefore, cyber risk management is a necessary part of company safety and security culture and must be implemented on all levels of the company, including senior management ashore and all personnel onboard.
ORGANISATIONAL AND MANAGERIAL CHALLENGE
Managing different security and safety programs, documentation and audits is not a new challenge for maritime operators. A novelty, however, is that Cyber Risk Management is to be included in the Safety Management System (SMS) and will be part of the annual Document of Compliance (DOC) audits as per 1 January 2021.
Cyber Security itself must be a horizontal activity that spans the whole organisation both on- and offshore. Everything is becoming more connected and automated, and Cyber Security is not a separate IT project, but must rather be integrated into operations, business, and management. To prioritise cyber security and delegate enough resources to its implementation and maintenance, top management must have a thorough understanding of its overall functions and its parts as well as a deep-seated engagement in its realization.
AND WHAT ABOUT PEN TESTING?
Penetration testing, or also called pen testing or ethical hacking, is when you “book a hacker” to test your computer system, network, or web application to find security vulnerabilities that could be exploited by an attacker with malicious objectives. There are obviously many methods and techniques for carrying out a pen test, and the optimal time to carry out such a project depends on the overall situation as well as its maturity and objective. While a pen test itself may not directly increase security, it can give some important insights on certain critical vulnerabilities that need to be addressed. A pen test could be the perfect activity to take on after implementing, developing, or establishing security measures as quality assurance of the work done.
A SIMPLE CHECKLIST OF ADVANCED TASKS
The list of actions that should be carried but depends on the organisation as well as its resources and maturity and may as such be not simple to compile. Nevertheless, as a rule of thumb, the following should be included:
- Carry out a current state analysis on technical structures, systems and devices, policies and procedures, organisation, and management both ashore and on board.
- Identify risks in IT and OT systems, assets, and data, to categorize, analyse in relation to risks on operations and safety.
- Implement technical and procedural measures to manage identified risks and to detect, protect against and respond to cyber threats and risks.
- Ensure adequate cyber security training and raise awareness within the organisation.
A CONTINUOUS PROCESS
As with other security and safety programs, establishing and maintaining cyber security measures and programs is about a continuous process that is to be incorporated within the recurring activities of the organisation. It is not a project that starts and ends, but rather a process of continuous improvement that will require investments of both time and money.
SECURITY AND SAFETY IS MUCH MORE THAN COMPLIANCE
Cyber Risk Management must be included in the Safety Management System (SMS) and comply with the relevant documentation requirements. But Cyber Security is rather about awareness, culture, and behaviour of your employees; a defined process compiled of clear steps for carrying out tasks; and the technology used to accomplish, speed up, or boost the impact of the security goals.
Managing Cyber Security is not a new IT project, nor is it about ensuring compliance or installing new software or systems. It is a complex and continuous process that must be integrated with working tasks on all levels and maintained with the help of management through all employees by raising awareness and providing the right means for its realization. In other words, cyber security is not a onetime effort. And, it can certainly not be ordered and installed like a piece of equipment.