Criminals trying to exploit the maritime industry, its vessels and their crews are well organized and continuously evolve the way they operate. This reflects the constantly evolving nature of cyber risk in general. Approaches to cyber risk management need to be company- and vessel-specific but must also be guided by requirements contained in relevant national, international and flag state regulations.

Shipowners and operators who have not already done so should undertake risk assessments and incorporate measures to deal with cyber risks in their ships' safety management systems (SMS) and crew awareness training. Shipowners and operators should also embed a culture of cyber risk awareness into all levels and departments in the office and on board the vessels. The result should be a flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

Most classification societies (Class) and several marine consulting companies have issued guidelines and recommendations on cyber security on board vessels. Class, as a Recognized Organization on behalf of Flag State authorities, may now also deliver ISM audits which include cyber risk. Class is also offering a voluntary cyber secure class notation for verifying secure vessel design and operation, and cyber secure type approval to support manufacturers with cyber-secure systems and components. As an advisor, Class may also offer cyber security risk assessment, improvement, penetration testing and training support both on board and in the office.

Some IT and OT systems can be accessed remotely and may have a continuous internet connection for remote monitoring, data collection, maintenance, safety and security. These can be “third-party systems”, whereby the contractor monitors and maintains the systems from a remote location, and the data flow can be either two-way or upload-only. Systems and workstations with remote control, access or configuration functions could, for example, be:

• bridge and engine room computers and workstations on the ship’s administrative network,

• cargo such as containers with reefer temperature control systems or specialised cargo that is tracked remotely,

• stability decision support systems,

• hull stress monitoring systems,

• navigational systems including Electronic Navigation Chart (ENC) and Voyage Data Recorder (VDR),

• dynamic positioning systems (DP),

• cargo handling and stowage, engine, and cargo management and load planning systems,

• safety and security networks, such as CCTV (closed circuit television),

• specialised systems such as drilling operations, blow out preventers, subsea installation systems,

• Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

Below are some common cyber vulnerabilities which may be found on board existing ships and on some newbuild ships:

• obsolete and unsupported operating systems,

• outdated or missing antivirus software and protection from malware,

• inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords,

• shipboard computer networks lacking boundary protection measures and segmentation of networks,

• safety critical equipment or systems always connected to the shore side,

• inadequate access controls for third parties including contractors and service providers.

