2021 Informa plc. This article first appeared in Maritime Risk International, February 2021. The link to the published article is here.
As the IMO’s cyber security guidelines come into effect, cyber security specialist Mark Weston, of Hill Dickinson, discusses the measures ship operators should take to mitigate the risks to their vessels and operations posed by cyber threat.
We are, unfortunately, now familiar with the top five cyber risks: ransomware, phishing, data leakage, hacking and insider threats. There are many others and they have become part of business risk assessments worldwide. If you do not know what any of these are, you should be popping the terms into your nearest online search engine.
The wider world has gradually implemented various standards about IT and information security designed to allow method, policy and process routes to attempt to stop (or at the very least reduce the risk) of all of these. For example, ISO/IEC 27001:2013 (usually better known as ISO 27001) is the international standard that sets out the specification for an information security management system. It uses a best-practice approach aimed to help organisations manage information security by addressing people and processes as well as technology. There are others.
The maritime sector is particularly prone to attack as technology becomes ever more widely used and data (whether it is about cargo, staff, location, weather or whatever) becomes ever more important and transportable – and able to be corrupted, exploited or stolen if in the wrong hands.
For example, Bureau Veritas has collaborated with the French flag to take forward SeaOwl’s remote-operated vessel project, known as ROSS (remotely operated services at sea). A few months ago, the supply ship VN Rebel (Bureau Veritas classed) was retrofitted with ROSS and operated by a SeaOwl captain based in Paris who took control remotely and maintained command of the ship navigating fully remotely off the French Mediterranean port of Toulon. All this was under the required authorisations from the French flag, ensuring compliance with the IMO resolution for the trial of maritime autonomous surface ships (MASS). The test was successful, leading to the next stage which will be implementing ROSS on a newbuild, designed to provide services to offshore platforms. But think about the potential to hack or intercept the remote signal. Think about someone feeding false GPS coordinates. And so on.
Or think about tugboats. Last August, the Maritime Transportation System (MTS) in association with the Information Sharing and Analysis Center (ISAC) of the US also issued the first ever general warning to all tug owners that their connected operations were vulnerable to cyber attacks; whether they be state-funded hacks, malware hits, virus infections or any of the other myriad cyber threats out there. That warning was prompted by a phishing email which was sent to a maritime facility which had a voicemail attached, imitating a vessel operator. Fortuitously, this was caught and notified to an agency dealing with cyber threats who then alerted MTS-ISAC. After analysis, the report found that one of the http requests in the email was too sophisticated to be flagged by any known threat detection solution.
Being well aware of growing dangers, particularly in the maritime world, most readers of this article will be aware that in mid-2017 the Facilitation Committee and the Maritime Safety Committee of the IMO approved new Guidelines on maritime cyber risk management which superseded interim guidelines that had been in place. These new guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities; and the Guidelines included functional elements. For development and implementation of specific shipping risk management processes and systems, the Guidelines were (and are) intended to be supplemented by requirements of specific member governments and flag administrations, as well as relevant international and industry standards and best practices.
However, every organisation in the shipping industry is different and the Guidelines are expressed in broad terms so as to have a widespread application; the more complex an entity or its systems, the more care and resources are expected to be expended. A shipping business does not want to be the most secure, compliant (and insolvent) entity in existence, so, as with so many areas of law, compliance and regulation, it’s about reasonableness and proportionality. The Guidelines are recommendatory only…but there’s a sting in the tail, discussed below.
The Guidelines contain a non-exhaustive list of vulnerable systems, including bridge systems; cargo handling and management systems; propulsion and machinery management and power control systems; access control systems; passenger servicing and management systems; passenger facing public networks; administrative and crew welfare systems; and communication systems. They also make the important distinction between information technology systems (which focus on the use of data as information), operational technology systems (where that data is used to control or monitor physical processes), and interfaces which allow exchange of information within and between such systems.
The Guidelines note possible vulnerabilities at every stage of the acquisition and implementation chain, from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyber discipline. That latter issue is often direct (eg weak passwords allowing unauthorised access) or indirect (eg the absence of network segregation). All these have implications for security and the integrity, confidentiality and availability of information. Most important of all, these have implications for safety, particularly where critical systems (such as main propulsion systems or bridge navigation) are compromised.
The lack of mandatory status is because a mandatory set of rules would be out of date extremely quickly as technology changes and as new threats develop. Accordingly, the approach taken by the IMO is, as in so many other industries, a resilient and evolving risk management approach to cyber risks which is a natural extension of existing safety and security management practices.
One of the biggest issues in cyber risk management is ensuring that management appreciates the importance of it and is willing to expend resources (read “cash”) to put the necessary preventative measures in place. This can often be perceived as spending money to stand still but in reality it’s about mitigating risk so everyone can sleep at night (on the high seas or otherwise). The Guidelines reflect this by making clear that “effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organisation and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms”. It comes down to the oft-quoted compliance refrain of policies, procedures and process. A key part of this is appropriate training at all levels of the business; everyone has a responsibility for security.
Any compliance plan should start with the creation of a snapshot as to where an organisation ‘is at’; then a plan for where it needs to get to – and the gap is then plugged with a costed, detailed remediation plan. The plan should be ‘RAG’- coded so resources are spent on the ‘Red’ areas first moving to ‘Amber’ and then ‘Green’.
The non-sequential functional elements suggested by the Guidelines are:
- Identify. The need to define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
- Protect. The need to implement risk control processes and measures, and contingency planning to protect against a cyber event and ensure continuity of shipping operations.
- Detect. The need to develop and implement activities necessary to detect a cyber event in a timely manner.
- Respond. The need to develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
- Recover. The need to identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event.
And what about that sting in the tail mentioned above?
Despite the Guidelines only being recommendations, from 1 January 2021, by Resolution MSC 428(98) the IMO has said that cyber security and risks related to it will now be tested in audits. Essentially, no later than the first annual verification of a Document of Compliance (DOC) after 1 January 2021, an organisation must demonstrate that cyber security is an integral part of the safety management systems being used.
In short, it is important to:
- Identify objectives in the field of cyber security.
- Undertake a mapping exercise of existing systems, software, policies, procedures and processes.
- Undertake a gap analysis of the differential between where the current map shows you are and where you need to be in terms of your objectives. This gap analysis then needs to be turned in to a costed and step-by-step remedial plan. This will probably include:
– ensuring management buy-in and allocation of key roles and responsibilities for cyber security all the way to management level; – putting in place or upgrading cyber security policies and procedures. These need to be workable and used and not just a tick-box exercise or ‘something you have to have’; – upgrading networks, segregating and hardening them; – repeated training of everyone in the organisation, appropriate to their level. This should be both general awareness training and more specific role-based training; and – implementing hardened systems and network segregation.
- Finally, it is vital to ensure that there is also a rolling programme of ongoing compliance and ongoing training so that cyber security is not just ‘something we checked’ but becomes part of business as usual.
Cyber threats are evolving – and so should you.