How passenger ships can become cyber secure
In a changing digital landscape, passenger ship operators need to evolve their cyber security to prevent threats affecting maritime operations
Ferries and cruise ships are becoming more vulnerable to threats as passengers and crew are provided with greater access to online services and social media while on board.
New online threats to maritime are constantly emerging, but Lloyd's Register (LR) consultancy manager for data, digital and security in maritime, Graeme Ripley, thinks the biggest threat to passenger ship operations comes from the guests. "The use of new and emerging technology and the reliance on internet connections contribute to the increase in the threat surface," Mr Ripley tells Passenger Ship Technology.
"But, the biggest threat vector in passenger shipping is likely to be the internal user and in general the human factor." He says shipowners, managers and operators need a cyber strategy to identify their particular threats and gain a greater understanding of the assets and operation. Owners need to use threat intelligence "to identify the most credible threat vectors".
LR subsidiary Nettitude has created a cyber strategy framework (CSF) for owners. It uses threat intelligence and a deep understanding of assets, people and technology from a process point of view. LR CSF will define the areas of capability, the governance, assurance needs and the priorities of work to become cyber secure.
"This can be applied to diverse environments including IT and OT [operations technology] and is designed to look at organisations holistically," says Mr Ripley. This can be adopted for ships, shore centres and for third parties.
If the growing online threats are not powerful enough to drive passenger ship operators to review their cyber security, the threat from maritime regulators should.
IMO's Maritime Safety Committee adopted resolution MSC.428(98) covering cyber risk management in safety management systems in June 2017.
"The resolution affirms that an approved safety management system should take into account cyber risk management," says Mr Ripley. "It ensures that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021."
This resolution was incorporated into a new appendix in the latest update of the ISM Code in May 2018. "Shipping companies will soon be expected to demonstrate that cyber security risks have been suitably addressed in the safety management systems," says Mr Ripley.
In reaction to greater security regulation, LR introduced Cyber Enabled Ships and the Cyber SAFE notation. It revised Digital Ship Shipright and introduced a Cyber Security descriptive note to be applied to individual systems.