Ships and other vessels may seem like unusual targets for cyberattacks. But with their growing use of industrial control systems (ICS) and satellite communications, hackers have a new playground that’s ripe for attack.
77% view cyber-attacks as high or medium risks, yet only 42% protect vessels from OT cyber threats.
As hackers become even more sophisticated in their tactics, it’s inevitable that cyberattacks against OT on ships are becoming the norm rather than the exception. It’s time for the maritime industry to take a look at every aspect of their ship operations to ensure they’re protected and resilient against these growing threats.
In this guide, we will help you navigate the ins and outs of maritime cybersecurity, address cybersecurity challenges and compliance considerations, and get you geared up to establish your maritime cybersecurity action plan.
Whether moving dry or liquid bulk, containers or cars, crude oil, products or chemicals, the maritime industry is a critical backbone of our global economy. Protecting a vessel’s critical operations from cyber threats poses unique challenges: operation centers and fleets of numerous classes and vintages are spread across the world, operations are increasingly digitalized, and the environment is complex, merging IT with industrial control systems (ICS) and operational technology (OT).
Differences in System Requirements*
IT | CIA
OT | CAIC
In the CAIC model, availability is more important than confidentiality because of the nature of processes and the impact that shutting down and restarting systems can have on productivity. Control refers to the ability to control a process and change a state when needed in a safe and secure manner. Because control can impact people, safety, and assets, it has the highest priority when considering the attack surface of any system.
The Maritime Executive: Playing Catch-up with Cybersecurity
"If we had to place a number on the 90,000 commercial vessels worldwide, perhaps 5% to 10% are prepared today for full compliance and/or to defend against cyberattacks."
Maritime Security Incidents: COVID-19 Pandemic
More recently, with the onset of the COVID-19 pandemic, the number of shipping cyberattacks has jumped 400% since February.
Travel restrictions, social distancing, and the economic recession are having an impact on the maritime industry and its ability to protect itself. OEMs, technicians, and vendors are forced to connect standalone systems to the Internet to service them. Ship and offshore staff are connecting their OT systems to onshore networks for brief periods to carry out diagnostics and upload software updates, leaving endpoints, critical systems, and components susceptible to attack since they are no longer segmented. Also, stress levels of short-staffed crews can leave vessels vulnerable to scams, misconfigurations, and human error.
- Context of the Organization: defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
- Leadership: defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.
- Planning: defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
- Support: defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.
- Operation: defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
- Performance Evaluation: defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
- Improvement: defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
In 2004, the Oil Companies International Marine Forum (OCIMF) introduced the Tanker Management and Self Assessment (TMSA) program to help vessel operators assess, measure, and improve their safety management systems. It complements industry quality codes and is intended to encourage self-regulation and promote continuous improvement among tanker operators.
The TMSA framework is based on 12 elements of management practice. Each element includes a clear objective and a set of supporting KPIs:
- Management, leadership, and accountability
- Recruitment and management of shore-based personnel
- Recruitment and management of vessel personnel
- Reliability and maintenance standards
- Navigational safety
- Cargo, ballast and mooring operations
- Management of change
- Incident investigation analysis
- Safety management
- Environmental management
- Emergency preparedness and contingency planning
- Measurement, analysis, and improvement
Guidelines on activities, grouped into four stages, are provided to help you meet these objectives. You should work through the 12 elements to produce as accurate and substantive an assessment as possible. You can use the assessment to conduct a gap analysis to identify which elements and stages have yet to be attained and how best to develop a performance improvement program.
Your On-Vessel Maritime Cybersecurity Action Plan
- Update the admin password on critical systems and devices on your OT network
Make sure you change the admin password on your critical systems and devices from the manufacturer default. Hackers can quickly identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical vessel systems.
- Update your passwords regularly and use multi-factor authentication, where possible
If you do not have one in place already, deploy a password management system for your critical computers and devices on your OT network. This includes adding multi-factor authentication, where possible, and changing passwords (including any that are shared) on a regular basis.
- Make sure your critical systems and devices are not accessible via the Internet
Most providers offer a private IP address space to keep hackers from reaching your systems over the Internet. You can determine if your vessel terminals are public by entering the IP address in a browser to see if you can route to the terminal web interface.
- Update the software on critical systems and devices
Most updates include fixes for security flaws, so make sure your systems are running the latest software versions and ensure they are updated every time the manufacturer publishes an update.
- Secure USB ports on all ship systems
Lock down USB access to prevent malware from entering vessel systems. If critical systems can only be updated by USB, keep dedicated USB keys in a secure location.
- Lock up your IT and OT equipment on the ship
This seems like an obvious security control, but many times, for many reasons, cabinets and rooms are left wide open for an adversary to use as an access point both on board vessels and in operations centers. With the transient nature of crews on board maritime vessels, an adversary could simply pay a crew member to put a device on an open network or USB port, bypassing other security in place, and gain access to the most critical parts of the OT system. Keep the critical devices locked up and develop a key management strategy.
- Check all onboard Wi-Fi networks
Just like you need to make sure you change default admin passwords on your satcom system and other devices, the same applies to your Wi-Fi routers. Also, you need to make sure you have strong encryption and passwords for all of your Wi-Fi networks. Make sure that your crew Wi-Fi network does not connect to anything other than the Internet and streaming services for personal use. Any of your vessel systems that use Wi-Fi for comms and navigation (e.g., tablets) must have strong security levels and strong user authentication (e.g., multi-factor authentication).
- Segment your bridge, engine room, crew, Wi-Fi and business networks on board
If a device on your vessel is compromised, segmented networks will ensure critical systems are not susceptible to an attacker. Ensure that the crew’s personal devices and laptops do not have access to navigation systems and other critical areas of the ship’s network.
- Eliminate unsecure wireless devices and services on your networks
Devices such as wireless printers, wireless keyboards, and mice offer easy targets for a moderately sophisticated cyber adversary.
- Educate your crew about cybersecurity
Establish a cybersecurity training program for your crew. You can also take advantage of complimentary resources like ESET’s online cybersecurity awareness training and the Be Cyber Aware At Sea campaign to raise cybersecurity awareness and help train your crew to avoid opening the vessel to compromise. Security starts with your people.
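The segmentation and Internet-exposure items in the plan above can be checked against recorded traffic. The following is an added example, not part of the original guide: it audits flow records against a zone policy and reports crew or business traffic reaching the bridge or engine room, and OT systems exchanging traffic with the Internet. The subnets, zone names, allowed pairs and flow records are all constructed assumptions; substitute your vessel's own network plan.

```python
import ipaddress

# Constructed zone plan (assumption): one subnet per onboard network.
ZONES = {
    "bridge":      ipaddress.ip_network("10.10.1.0/24"),
    "engine_room": ipaddress.ip_network("10.10.2.0/24"),
    "business":    ipaddress.ip_network("10.10.3.0/24"),
    "crew_wifi":   ipaddress.ip_network("10.10.4.0/24"),
}
OT_ZONES = {"bridge", "engine_room"}
# Allowed (source zone, destination zone) pairs; anything else is a finding.
ALLOWED = {("crew_wifi", "internet"), ("business", "internet"),
           ("bridge", "engine_room"), ("engine_room", "bridge")}

def zone_of(addr):
    """Map an address to its onboard zone; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def audit(flows):
    """Return (src, dst, port, reason) for every flow that breaks the policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED:
            continue  # traffic inside one zone, or explicitly permitted
        if "internet" in (sz, dz) and OT_ZONES & {sz, dz}:
            reason = "OT system exchanging traffic with the Internet"
        elif dz in OT_ZONES:
            reason = f"{sz} reaching {dz}"
        else:
            reason = f"{sz} to {dz} not in policy"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.23", "198.51.100.10", 443),  # crew phone to a web site: allowed
    ("10.10.4.23", "10.10.1.5", 80),       # crew device to bridge: finding
    ("10.10.1.5", "10.10.2.9", 502),       # bridge to engine room: allowed
    ("203.0.113.7", "10.10.2.9", 443),     # Internet host to engine room: finding
    ("10.10.3.14", "10.10.4.23", 445),     # business to crew Wi-Fi: finding
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Run it on flow exports from the onboard firewall or switch; an empty result means no recorded flow crossed a zone boundary outside the policy.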
The cyber risk is specific to the company, ship, operation, and/or trade. When assessing the risk, organizations should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.
There are motives for organizations and individuals to exploit cyber vulnerabilities. There is the possibility that company personnel, onboard and ashore, could compromise cyber systems and data. In general, the organization should realize that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.
Need help getting started on your cybersecurity action plan or just want to learn more about maritime security? Here are some resources dedicated to maritime cybersecurity that can get you on the right track:
- NIST Cybersecurity Framework: This framework helps organizations focus on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of their risk management processes.
- NIST Guide to Industrial Control Systems (ICS) Security: This document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
- International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management: These guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities.
- ISA/IEC 62443: The 62443 series of standards was developed jointly by the ISA99 committee and IEC Technical Committee 65 Working Group 10 to address the need to design cybersecurity robustness and resilience into industrial automation control systems.
- ISO/IEC 27001: ISO/IEC 27001 provides requirements for an information security management system.
- Tanker Management and Self Assessment (TMSA): The TMSA program provides companies with the means to improve and measure their own safety management systems.
- The Guidelines on Cyber Security Onboard Ships: This document offers guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in their organization and onboard their vessels.