The exchange of electronic data between ship and shore has increased significantly in the past decade. The shipping industry’s use of remote monitoring of systems, diagnosis and remote maintenance will continue to increase, as will the information exchange between ships and authorities, service providers, charterers and owners/operators.
Vulnerable and very important onboard systems (e.g. ECDIS, engine maintenance systems) require updates and support via web technology, so vessels are more frequently connected to the worldwide web. On the other hand, companies have developed IT departments to support shore-based activities and the requirements of managed vessels that need internet connections and correspondence.
The extended use of electronic data exchange increases the likelihood of cyber-attacks in variety, frequency and sophistication. These may range from a USB stick that introduces malware aimed at acquiring sensitive commercial information, or an email with detailed ship information sent to unknown people, to the full-scale subversion of a company’s shore-based IT system or the potential compromise of systems on board ships. The number of potential risk scenarios is significant and keeps growing. Criminals employ whichever hacking technology is the most applicable and often tailor it to specific targets.
There are two categories of cyber-attacks which may affect companies and ships:
- Untargeted attacks, where a company or a ship’s systems and data are one of many potential targets. These attacks use common technology to locate known vulnerabilities shared by many companies or vessels.
- Targeted attacks, where a company or a ship’s systems and data are the intended target. These attacks use more sophisticated technology and tools specially developed to harm a specific target (company or vessel).
Potential attackers who can carry out a cyber-attack may be opportunists (for the challenge), activists (for reputational damage or disruption of operations), criminals (for profit) or terrorists (for political gain).
Almost all cyber-attacks go through the same stages of development:
- Survey – Information gathering and developing the attack method
- Delivery – The attack tool is delivered into the company’s or vessel’s system
- Breach – Access is gained to the system
- Affect – The results of the attack
All of the above may produce several results against the company or vessel, such as destruction of data or publication of sensitive data, system malfunction, media attention (reputational damage) and undesirable costs (ransom, rectification costs etc.).
Industry Feedback
To be prepared for potential cyber-attacks, the industry has very recently started to take its initial steps to address the issue. In March 2015, during the 95th Committee, ICS, BIMCO, INTERTANKO and INTERCARGO proposed a draft of guidelines regarding measures to enhance maritime security and industry guidelines on cyber security on board ships, inviting the Committee to consider the item.
In January 2016, the USCG issued two Maritime Cyber Bulletins (MCB 001-16 and MCB 002-16) providing guidance on ransomware and spoofed business e-mail used to try to defraud maritime organizations.
Additionally, BIMCO issued The Guidelines on Cyber Security onboard Ships (version 1.0 – Jan. 16), providing detailed information to ship owners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems onboard their ships.
An infographic included in the paper sets out key items to raise cyber security awareness.
Actions required
Ship managers and owners are advised to review their approach to the use of information technology, data exchange between office and vessels, and cyber security risks and threats, bearing in mind that:
- Cyber security in a business like shipping should be based on risk management. Risk management is the ongoing process of identifying, assessing, prioritizing and responding to threats in order to minimize, monitor and control the probability and/or impact of unfortunate events.
- Key information should be protected and kept confidential.
- Access must be restricted to people authorized to view the sensitive data. To make this effective, data needs to be categorized according to the risk of damage that could occur if someone else obtained access to the systems on which the data is saved.
- In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors are a risk because often they have intimate knowledge of the ship’s operations as well as access to key information systems.
- Contingency plans need to be developed in order to respond to cyber security attacks, breaches or incidents.
- A Cyber Security Management Plan is strongly recommended for Shore-based facilities and managed vessels in order to mitigate threats/risks and provide guidance/solutions and response to Cyber incidents.