As the global authority on all things maritime, the International Maritime Organization (IMO), the United Nations agency responsible for regulating shipping, keeps a close watch on digital developments and their impact on the industry, including the threat of cyber attacks and virtual vulnerability. “The overall goal is to support a safe and secure shipping industry that is operationally resilient to cyber risks,” says Gisela Vieira, Acting Head, Maritime Security at the IMO.
As of 1 January 2021, companies must demonstrate their compliance with IMO Resolution MSC 428(98), documenting that cyber security is an integral part of the safety management system as verified in the company’s Document of Compliance. “The point is that preventing a cyber attack enhances safety, because an attack could compromise the safety of the ship, in particular its navigational equipment,” Vieira says.
Identifying cyber risk
The IMO defines maritime cyber risk as “the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.”
According to the IMO, common cyber vulnerabilities found onboard existing ships, and on some newbuilds, include obsolete and unsupported operating systems, outdated or lacking antivirus software and protection from malware, and inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts or passwords.
In addition, shipboard computer networks may lack boundary protection measures and so-called segmentation. Safety critical equipment and systems are not always connected to shore operations, and adequate access controls for third parties including contractors and service providers may be lacking as well.
Plugging the gaps
To mitigate these and other shortcomings, the IMO advises practical steps for assessing cyber risk that companies can take in order to comply with the new resolution. Best practices include identifying the threat environment in order to understand external and internal cyber threats to the ship, clarifying vulnerabilities by developing complete inventories of onboard systems, and understanding the consequences of cyber threats to these systems.
Assessing risk exposure by determining the likelihood and impact of a vulnerability exploitation by any external or internal actor is another key step, along with developing protection and detection measures to reduce the likelihood and impact of exploitation. The IMO also recommends establishing prioritized contingency plans and having these at the ready in order to respond to and recover from cyber incidents.
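The vulnerabilities listed above (unsupported operating systems, missing malware protection, default administrator accounts, no segmentation, uncontrolled third-party access) and the assessment steps just described can be tied together in a simple risk register. The following is an added example, not code from the IMO or from the article: it takes a constructed inventory of onboard systems, records which of those weaknesses each one has, derives a likelihood from the number of unmitigated weaknesses, multiplies by an assumed 1 to 5 impact score, and returns the systems in the order in which protection, detection and contingency planning should be prioritized. The scoring scale, the system names and every flag value are assumptions for illustration.

```python
"""Added example: a minimal cyber risk register for onboard systems.

Not the IMO's method or the article's code; the 1-5 scales, the system
names and all flag values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class OnboardSystem:
    name: str
    impact: int                      # 1..5: consequence if corrupted, lost or compromised
    unsupported_os: bool = False     # obsolete or unsupported operating system
    default_admin_creds: bool = False  # default administrator account or password in use
    malware_protection: bool = True  # antivirus / anti-malware present and up to date
    segmented: bool = True           # behind a boundary device, in its own network segment
    remote_access: bool = False      # reachable from shore or by contractors / service providers
    access_controlled: bool = True   # remote access is restricted, authenticated and logged


# Each check names the gap it detects and the protective measure that closes it.
CHECKS = [
    (lambda s: s.unsupported_os,
     "unsupported operating system",
     "upgrade, or isolate with compensating controls"),
    (lambda s: s.default_admin_creds,
     "default administrator account or password",
     "change credentials and disable default accounts"),
    (lambda s: not s.malware_protection,
     "no current malware protection",
     "deploy and keep antivirus updated"),
    (lambda s: not s.segmented,
     "no network boundary or segmentation",
     "place behind a firewall in a dedicated segment"),
    (lambda s: s.remote_access and not s.access_controlled,
     "uncontrolled shore or third-party access",
     "restrict, authenticate and log remote sessions"),
]


def findings(system):
    """Return (gap, measure) pairs for every weakness present on the system."""
    return [(gap, fix) for check, gap, fix in CHECKS if check(system)]


def likelihood(system):
    """Assumed scale: baseline 1, plus one per unmitigated weakness, capped at 5."""
    return min(1 + len(findings(system)), 5)


def risk_score(system):
    """Likelihood x impact, the usual way a risk register ranks exposure."""
    return likelihood(system) * system.impact


def prioritized(inventory):
    """Inventory sorted so the highest-exposure systems come first."""
    return sorted(inventory, key=risk_score, reverse=True)


# Constructed inventory; values are illustrative, not observations from any ship.
INVENTORY = [
    OnboardSystem("ECDIS (navigation)", impact=5,
                  unsupported_os=True, default_admin_creds=True, segmented=False),
    OnboardSystem("Engine monitoring HMI", impact=4,
                  remote_access=True, access_controlled=False),
    OnboardSystem("Crew welfare Wi-Fi", impact=1,
                  malware_protection=False, segmented=False),
    OnboardSystem("Cargo management PC", impact=3, unsupported_os=True),
]


if __name__ == "__main__":
    for s in prioritized(INVENTORY):
        print(f"{risk_score(s):>3}  {s.name}  (likelihood {likelihood(s)}, impact {s.impact})")
        for gap, fix in findings(s):
            print(f"       - {gap}: {fix}")
```

Run as a script, the register lists the navigation system first because it combines the highest impact with three unmitigated weaknesses; the low-impact crew Wi-Fi lands last even though it has two. That ordering is the practical output of the assessment step: it tells the company where protection and detection measures, and the contingency plans the IMO recommends, should be applied first.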
Autonomy on the cyber security radar
Relating specifically to autonomous vessels, including data sharing between stakeholders, the IMO has issued guidelines for Maritime Autonomous Surface Ships (MASS) trials (MSC.1/Circ.1604).
“Among other things, the guidelines stipulate that appropriate steps should be taken to ensure sufficient cyber risk management of the systems and infrastructure used when conducting MASS trials,” says Vieira. “Apart from these guidelines, we have not yet issued specific rules for autonomous ships, but as the guidelines clearly illustrate, cyber risk management has to be part of the safe operation of such vessels.”
Addressing the human factor
Though technology often grabs the headlines when cyber attacks occur, human behavior is widely acknowledged as a major liability to cyber security systems. The IMO addresses the human factor accordingly in future cyber security measures, says Vieira: “Keeping staff and crew up to date on cyber risk is recommended as part of companies’ continuous review and renewal of safety management systems (SMS) under the International Safety Management Code (ISM), supplementing existing safety management systems for ships.”
Acknowledging the human element and its related components, including training, familiarization and procedures, may in many cases serve as a preventive action, Vieira adds, even with the potential to compensate for risks associated with technical issues. “Respect for the role of humans can help in preventing and avoiding potential exposure to cyber risks.”
She relates that IMO model courses designed for ship security officers, as well as other IMO security model courses, are being reviewed to include seafarer awareness of cyber threats.
Making sure the good guys win
Hackers have repeatedly compromised even the most robust national security systems. So what chance does the maritime industry have of preventing the hacking of ships' systems, or ship-to-shore communications?
“As with maritime accidents and casualties in general, you cannot prevent every incident, but you can prepare and have procedures in place to prevent attacks as far as possible and mitigate impacts,” Vieira assures. “The key lies in preparation and risk management, taking into account applicable guidelines, and making sure the right people have responsibility for cyber risk management in shipping companies and ports.”