The Future of Maritime Cyber Security
Today's global maritime sector depends more and more on digitalization, integration of operations, and automation.
The widespread and rapid adoption of IT systems and internet communication on ships at sea in every part of the world brings a new and urgent requirement: maintaining the security and operational safety of those critical systems.
Cybersecurity is today a priority for the international maritime sector. In what follows we look closely at the new requirements which all of us in this industry must now meet, and we provide guidance on how to implement cybersecurity in maritime operations.
Until now, neither the International Maritime Organization, IMO, nor national authorities have issued cybersecurity regulations specific to the maritime sector. This is about to change. As of January 1st 2021, cybersecurity requirements will be formalised under Chapter IX of the International Convention for the Safety of Life at Sea, SOLAS, Regulations 1-6, Management for the Safe Operation of Ships.
This is not an isolated development. Significant moves towards cybersecurity regulations for shipping have already been taken by other organizations or are in the pipeline. The urgent need to develop cybersecurity regulations for the maritime industry has, in fact, been an area of concern for some time.
In June 2017 the IMO's Maritime Safety Committee, MSC, approved guidelines on maritime cyber risk management. These, in turn, became the basis of high-level recommendations for the entire maritime sector.
The guidelines place an obligation on shipowners, operators and other stakeholders to adopt a risk management approach with three overriding objectives: minimizing the risk to crew safety, the risk to the environment, and the financial consequences of a full or partial loss of availability, integrity or confidentiality of sensitive data.
THE NEW MANDATORY CYBERSECURITY REQUIREMENTS FOR ALL SHIP OWNERS
In the face of emerging cybersecurity threats to the industry and with the MSC resolution in mind, IMO has taken the decision to incorporate mandatory cybersecurity requirements into the International Safety Management Code, ISM.
As of January 1, 2021, cybersecurity must be addressed by all players in the shipping industry and incorporated into their Safety Management Systems, SMS.
One organisation which was quick to respond to these new circumstances was the Oil Companies International Marine Forum, OCIMF. From January 2018 the OCIMF's Tanker Management and Self Assessment, TMSA, version 3, added a 13th Performance Element on maritime security, which specifically addresses cybersecurity.
What do developments like these mean for the worldwide maritime sector? More specifically, what does the ISM Code, a SOLAS requirement, and TMSA version 3, best industry practice, require when it comes to preventing cyber crime at sea?
WHAT DOES THE ISM CODE SAY ABOUT INFORMATION SECURITY REQUIREMENTS?
The ISM Code now requires changes to a company's SMS, which should include the following:
- Cybersecurity measures adopted in the company's Health, Safety, Environment, Security & Quality (HSES&Q) Policy Statement.
- Risk assessments of all OT and IT systems onboard and ashore.
- Policy in place for the use of removable storage media.
- Policy and procedure in place regarding network communications and WiFi for vessel crews.
- Policy and procedure in place for monitoring and updating navigation and communication systems.
- Policy in place regarding authorization criteria for remote connections.
- Inventory of all OT systems.
- Internet access policy in place outlining restrictions relating to the operations currently being performed onboard.
- Plans for emergency response developed and in place.
- Items identified by TMSA and listed below.
WHAT ARE THE TMSA CYBERSECURITY REQUIREMENTS?
- Procedures in place regarding patch management for software.
- Processes and guidance in place for the identification and mitigation of cyber threats.
- Availability of guidelines for cybersecurity set by industry and classification authorities.
- Password management procedures developed.
- A Cyber Awareness Plan to promote security awareness among all personnel, developed and implemented.
DOES THE ISM CODE IMPACT YOU?
Mandatory requirements set out in the ISM Code cover the following types of vessel engaged on international voyages:
- Passenger ships, including high-speed passenger craft.
- Oil tankers, chemical tankers, gas carriers, bulk carriers and cargo high-speed craft of 500 gross tonnage and above.
- Other cargo ships (including offshore vessels) and mobile offshore drilling units (other than bottom-founded) of 500 gross tonnage and above.
TMSA version 3 also applies to business operations under the Ship Inspection Report Programme, SIRE.
HOW CAN YOU COMPLY WITH THE NEW CYBERSECURITY REQUIREMENTS?
TMSA 3 is already in effect, and the ISM Code requirements follow on January 1st 2021. Any company operating under the ISM Code should therefore start planning to update its SMS now. Cyber risks must be addressed in the SMS no later than the first annual verification of the company's Document of Compliance after January 1st 2021.
For all organizations concerned the message is clear: to develop the required cybersecurity posture, including provisions covering third-party ecosystems, start planning the implementation of best practice now. In support of this, IMO has updated its guidelines on cybersecurity.
WHAT ABOUT CYBERSECURITY IN THE OFFSHORE INDUSTRY?
The International Marine Contractors Association, IMCA, which represents the offshore support and construction vessel industry worldwide, has also updated its advice on cyber threats.
IMCA's Recommended Cyber Security Measures comprise twenty controls, with sub-controls, that focus on technical measures and activities; the control set closely follows the CIS Critical Security Controls. The primary objective is to help organizations prioritize defence against the most common and most damaging forms of attack on IT systems and networks.
A SUMMARY OF THE IMCA 20 CONTROLS FOR OFFSHORE CYBERSECURITY
- Inventory of Authorized and Unauthorized Devices Actively Managed. This means drawing up an inventory, tracking and managing all hardware devices on the network so that only authorized devices have access. This action also allows unauthorized and unmanaged devices to be identified, located and prevented from gaining network access.
- Inventory of Authorized and Unauthorized Software Actively Managed. Again, this means drawing up an inventory and using it to track and correct all software on the network. Only authorized software should be installed and permitted to function. All unauthorized and unmanaged software should be identified and prevented from being installed or from executing any function.
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. Establish, implement and actively manage, by tracking, reporting on and correcting, the security configuration of all laptops, servers and workstations. This should be done using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
- Continuous Vulnerability Assessment and Remediation. Continuously acquire, assess and act on new information in order to identify vulnerabilities, and remediate them, thereby minimizing the window of opportunity for attackers.
- Malware Defences. Control the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defences, data gathering and corrective action.
- Application Software Security. Manage the security lifecycle of all software applications, whether developed in-house or acquired, in order to prevent, detect and correct security vulnerabilities.
- Wireless Access Control. Deploy the processes and tools used to track, control, prevent and correct the secure use of wireless local area networks (LANs), access points and wireless client systems.
- Data Recovery Capability. Prepare and deploy all processes and tools for adequately backing up critical information, with a proven methodology for its timely recovery following a security breach.
- Security Skills Assessment and Appropriate Training to Fill Gaps. This refers to all functional roles in the organization, prioritizing those which are mission critical for business operations and security requirements. Identify the specific expertise, skills and abilities needed to support defence of the enterprise. Develop and execute an integrated plan to assess and identify gaps in cyber defence. Remediate any vulnerabilities thereby identified through operational policy, organizational planning, training and awareness programs.
- Secure Configurations for Network Devices such as Firewalls, Routers and Switches. Establish, implement and actively manage, by tracking, reporting on and correcting, the security configuration of network infrastructure devices. This should be done using a rigorous configuration management and change control process in order to prevent attackers exploiting vulnerable services and settings.
- Limitation and Control of Network Ports, Protocols and Services. Manage, by tracking, controlling and correcting, the ongoing operational use of ports, protocols and services on networked devices in order to minimize the windows of vulnerability available to attackers.
- Control the Use of Administrative Privileges. Manage the processes and tools used to track, control, prevent or correct the assignment, use of and configuration of administrative privileges on computers, networks and applications.
- Boundary Defence. Detect, prevent and/or correct the flow of information between networks operating at different trust levels, with a focus on data that could compromise security.
- Maintenance, Monitoring and Analysis of Audit Logs. Collect, manage and analyze audit logs of cybersecurity-related events that could help in the detection or understanding of an attack, or which could assist recovery from a security breach.
- Control Access Based on Need to Know. The processes and tools used to track, control, prevent or correct secure access to critical assets, such as information, resources and systems, should be organised and maintained according to a formal determination of which persons, computers and applications have a need, and a right, to access those assets, based on an approved classification.
- Account Monitoring and Control. Actively manage the lifecycle of system and application accounts in order to minimize opportunities for attackers to leverage them. This includes managing their creation, use, periods of dormancy and deletion.
- Data Protection. Deploy and implement processes and tools used to prevent data exfiltration, to mitigate the effects of exfiltrated data and to ensure the privacy and integrity of sensitive information.
- Incident Response and Management. Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure. This should include detailed planning, the definition of personnel roles and responsibilities, training, communications and management supervision. These actions are essential for the purposes of quickly detecting an attack, effectively containing any damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
- Secure Network Engineering. Make cybersecurity an inherent attribute of the enterprise by specifying, designing, and creating features that allow a high degree of confidence in systems operations while denying or minimizing opportunities for attackers.
- Penetration Tests and Red Team Exercises. Test the overall strength of your organization's defences, including technology, processes, and personnel, by simulating the actions and objectives of an attacker.
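The first of the twenty controls (an actively managed inventory of authorized and unauthorized devices) is the one most shipboard networks fall short on, so here is a worked example of the reconciliation step it calls for. This is added example code, not IMCA's or the page's own material: it parses a constructed `arp -a` snapshot (Linux format) taken on a vessel's bridge and crew networks, compares every observed MAC address against a hypothetical authorised asset inventory, and reports unauthorised devices, authorised devices seen in a network zone they are not approved for, and authorised devices that were not seen at all. The interface-to-zone mapping, the device names and the MAC addresses are all invented for the example.

```python
"""Reconcile devices seen on a vessel network against the authorised inventory.

Added example; the ARP snapshot, inventory and zone map below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One entry in the authorised inventory (hypothetical data)."""
    name: str
    zones: frozenset  # network zones this asset is approved to appear in


@dataclass(frozen=True)
class Sighting:
    """One resolved ARP entry: which MAC was seen at which IP on which interface."""
    ip: str
    mac: str
    iface: str


@dataclass
class Report:
    unauthorised: list = field(default_factory=list)  # (ip, mac, zone)
    wrong_zone: list = field(default_factory=list)    # (asset name, ip, zone)
    missing: list = field(default_factory=list)       # asset names never seen


# Matches Linux `arp -a` lines such as:
#   ecdis-1 (10.10.1.20) at 00:1b:21:aa:bb:20 [ether] on eth0
# Entries with "<incomplete>" in place of a MAC deliberately do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s+\[ether\]\s+on\s+(?P<iface>\S+)"
)


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and ARP output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text: str) -> list:
    """Turn `arp -a` output into Sightings, skipping unresolved entries."""
    sightings = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            sightings.append(Sighting(m["ip"], normalise_mac(m["mac"]), m["iface"]))
    return sightings


def reconcile(sightings: list, inventory: dict, iface_zone: dict) -> Report:
    """Compare observed devices with the inventory (MAC -> Asset)."""
    report = Report()
    seen = set()
    for s in sightings:
        zone = iface_zone.get(s.iface, "unknown")
        asset = inventory.get(s.mac)
        if asset is None:                      # MAC not in inventory at all
            report.unauthorised.append((s.ip, s.mac, zone))
            continue
        seen.add(s.mac)
        if zone not in asset.zones:            # known device, wrong segment
            report.wrong_zone.append((asset.name, s.ip, zone))
    for mac, asset in inventory.items():       # inventory entries never observed
        if mac not in seen:
            report.missing.append(asset.name)
    return report


# Constructed snapshot: eth0 is the bridge OT segment, eth1 the crew Wi-Fi.
ARP_SNAPSHOT = """\
? (10.10.1.1) at 00:1b:21:aa:bb:01 [ether] on eth0
ecdis-1 (10.10.1.20) at 00:1b:21:aa:bb:20 [ether] on eth0
? (10.10.1.77) at 3c:52:82:01:02:03 [ether] on eth0
? (10.10.1.90) at <incomplete> on eth0
crew-ap (10.20.0.1) at 00:1b:21:cc:dd:01 [ether] on eth1
? (10.20.0.55) at 00:1b:21:aa:bb:21 [ether] on eth1
"""

IFACE_ZONE = {"eth0": "bridge-ot", "eth1": "crew-wifi"}

INVENTORY = {
    "00:1b:21:aa:bb:01": Asset("OT core switch", frozenset({"bridge-ot"})),
    "00:1b:21:aa:bb:20": Asset("ECDIS-1", frozenset({"bridge-ot"})),
    "00:1b:21:aa:bb:21": Asset("ECDIS-2", frozenset({"bridge-ot"})),
    "00:1b:21:aa:bb:30": Asset("Radar display", frozenset({"bridge-ot"})),
    "00:1b:21:cc:dd:01": Asset("Crew Wi-Fi AP", frozenset({"crew-wifi"})),
}


def run_example() -> Report:
    return reconcile(parse_arp(ARP_SNAPSHOT), INVENTORY, IFACE_ZONE)


if __name__ == "__main__":
    r = run_example()
    for ip, mac, zone in r.unauthorised:
        print(f"UNAUTHORISED  {mac} at {ip} on {zone}")
    for name, ip, zone in r.wrong_zone:
        print(f"WRONG ZONE    {name} at {ip} on {zone}")
    for name in r.missing:
        print(f"NOT SEEN      {name}")
```

On the constructed snapshot this flags an unknown device on the bridge OT segment, ECDIS-2 appearing on the crew Wi-Fi (a classic sign that an OT asset has been cabled into the wrong switch), and the radar display as not seen, which is worth a physical check rather than an alarm. The caveat a practitioner should keep in mind: a MAC address is trivially spoofed, so a reconciliation like this is an inventory and detection aid, not an access control. Enforcing "only authorized devices have access" needs 802.1X or switch port security at the network edge, with this kind of reconciliation run on a schedule to catch what the edge missed.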