Maritime cybersecurity

Written By Henrik Ottosson

Published on April 15, 2019

Båt.png

Today´s global maritime sector depends more and more on digitalization, integration of operations, and automation. The widespread and rapid implementation of IT systems and internet communication for ships at sea in every part of the world brings a new and urgent requirement – maintaining the operational safety of those critical systems..

Cybersecurity is today a priority in the international maritime sector.

In what follows we look closely at new requirements which all of us in this industry must now meet. Also, we provide guidance on how to implement cybersecurity in maritime operations.

Neither the International Maritime Organization, IMO, nor national authorities have developed cybersecurity regulations specific to the maritime sector. This will change in the very near future. As of January 1st 2021, cybersecurity requirements will be formalised in Chapter IX of the International Convention for the Safety of Life at Sea, SOLAS, Regulations 1-6, Management for Safe Operation of Ships.

This is not an isolated development. Significant moves towards cybersecurity regulations for shipping have already been taken by other organizations or are in the pipeline. The urgent need to develop cybersecurity regulations for the maritime industry has, in fact, been an area of concern for some time.

In June 2017 the IMO´s Maritime Safety Committee, MSC, agreed guidelines for cyber risk management. These, in turn, became the basis of high-level recommendations for the entire maritime sector,

The guidelines place an obligation on shipowners, operators, and stakeholders to adopt a risk management approach with three overriding objectives: minimizing the danger to crew, to environmental safety, and to the financial consequences of a full or partial loss of availability, integrity and confidentiality of sensitive data.

The new mandatory cybersecurity requirements for all ship owners

In the face of emerging cybersecurity threats to the industry and with the MSC resolution in mind, IMO has taken the decision to incorporate mandatory cybersecurity requirements into the International Safety Management Code, ISM.

As of January 1, 2021, cybersecurity must be addressed by all players in the shipping industry and incorporated into their Safety Management Systems, SMS.

One organisation which was quick to respond to these new circumstances was the Oil Companies International Marine Forum, OCIMF. Beginning in January 2018 the OCIMF updated Tanker Management and Self Assessment, TMSA, version 3, with a 13th Performance Element. This new element deals specifically with cybersecurity.

What do developments like these mean for the worldwide maritime sector? More specifically, what does the ISM Code, a SOLAS requirement, and TMSA version 3, best industry practice, require when it comes to preventing cyber crime at sea?

What does the ISM code say about information security requirements?

The ISM Code requires modification to a company’s SMS and should now include the following.

  • Cybersecurity measures to be adopted in the company´s Health, Safety & Environment, Security & Quality / HSES&Q Policy Statement.

    1. Risk assessments of all OT and IT systems onboard and ashore

    2. Policy in place for the uses of removable storage.

    3. Policy and procedure in place regarding network communications and WiFi for vessel crews.

    4. Policy and procedure in place for monitoring and updating navigation and communication systems.

    5. Policy in place regarding authorization criteria for remote connections.

    6. Inventory of all OT systems.

    7. Internet access policy in place outlining restrictions relating to operations currently being performed onboard.

    8. Contingency Plans for Emergency

    9. Response developed and in place.

    10. Items identified by TMSA and listed below.

What are the TMSA cybersecurity requirements?

  • Procedures in place regarding patch management for software.

    1. Processes and guidance in place for the identification and mitigation of cyber threats.

    2. Availability of guidelines for cybersecurity set by industry and classification authorities.

    3. Password management procedures developed.

      1. A Cyber Awareness Plan to promote security awareness among all personnel, developed and implemented.

Does the ISM code impact you?

Mandatory requirements set out in the ISM Code will cover the following operations of all vessels on international operations, specifically:

  • Passenger ships including high-speed passenger craft.

    1. Oil tankers, chemical tankers, gas carriers, bulk carriers and cargo high-speed craft of 500 GRT and above.

    2. Other cargo ships (offshore vessels) and mobile offshore drilling units (not bottom founded) of 500 GRT and above.

TMSA version 3 also relates to business operations under the Ship Inspection Reporting Program / SIRE.

How can you comply with the new cybersecurity requirements?

TMSA 3 is now in effect. Any business operating under the jurisdiction of the new ISM Code should therefore start planning to update their SMS accordingly. The deadline is no later than the first annual verification of the company’s Document of Compliance following January 1st 2021.

For all organizations concerned the message is clear. In order to be prepared and to develop the required business cybersecurity posture, including provisions relating to third party ecosystems, start planning now for the implementation of best-practice. In support of this action IMO has updated it´s guidelines on cybersecurity.

What about cybersecurity in the offshore industry?

The International Marine Contractors Association, IMCA, which represents the offshore support and construction (vessels) industry worldwide has also updated its advice on cyber threats.

IMCA´s Recommended Cyber Security Measures includes twenty controls, and sub-controls, that focus on various technical measures and activities. The primary objective is to help organizations prioritize defence against the current most common and most damaging forms of attack on IT systems and networks.

A summary of the IMCA 20 controls for offshore cybersecurity

  1. Inventory of Authorized and Unauthorized Devices Actively Managed. This means drawing up an inventory, tracking and managing all hardware devices on the network so that only authorized devices have access. This action also allows unauthorized and unmanaged devices to be identified, located and prevented from gaining network access.

  2. Inventory of Authorized and Unauthorized Software Actively Managed. Again, this means drawing up an inventory and using it to track and correct all software on the network. Only authorized software should be installed and permitted to function. All unauthorized and unmanaged software should be identified and prevented from being installed or from executing any function.

  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. Determine, implement and actively manage, by tracking reporting and  correcting the security configuration of all laptops, servers and workstations. This should be done using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

  4. Continuous Vulnerability Assessment and Remediation. Continuously acquire, assess and take action on new information in order to identify all vulnerabilities. Remediate same and by so doing minimize the window of opportunity for attackers.

  5. Malware Defences. Maintain a watch 24/7 against the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defence, data gathering and corrective action.

  6. Application Software Security. Manage the security lifecycle of all software applications, whether developed in-house or acquired, in order to prevent, detect and correct security vulnerabilities.

  7. Wireless Access Control. Deploy and implement the processes and tools used to track, control, prevent abuse of and correct the secure use of wireless local area networks (LANs), access points and wireless client systems.

  8. Data Recovery Capability. Prepare and deploy all processes and tools for adequately backing up critical information, with a proven methodology for its timely recovery following a security breach.

  9. Security Skills Assessment and Appropriate Training to Fill Gaps. This refers to all functional roles in the organization, prioritizing those which are mission critical for business operations and security requirements. Identify the specific expertise, skills and abilities needed to support defence of the enterprise. Develop and execute an integrated plan to assess and identify gaps in cyber defence. Remediate any vulnerabilities thereby identified through operational policy, organizational planning, training and awareness programs.

  10. Secure Configurations for Network Devices such as Firewalls, Routers and Switches. Establish, implement and actively manage, by tracking, reporting on and correcting, the security configuration of network infrastructure devices. This should be done using a rigorous configuration management and change control process in order to prevent attackers exploiting vulnerable services and settings.

  11. Limitation and Control of Access to Network Ports. Protocols and Services. Manage by tracking, controlling and correcting the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.

  12. Control the Use of Administrative Privileges. Manage the processes and tools used to track, control, prevent or correct the assignment, use of and configuration of administrative privileges on computers, networks and applications.

  13. Boundary Defence. Detect, prevent and/or correct the flow of information transferring between networks operating at different trust levels with a focus on data likely to compromise security.

  14. Maintenance, Monitoring and Analysis of Audit Logs. Collect, manage and analyze audit logs of cybersecurity-related events that could help in the detection or understanding of an attack, or which could assist recovery from a security breach.

  15. Control Access Based on Need to Know. The processes and tools used totrack, control, prevent or correct secure access to critical assets, such as information, resources and systems should be organised and maintained according to a formal determination of which persons, computers and applications have a need, and right, to access these critical assets, based on an approved classification.

  16. Account Monitoring and Control. Actively manage the lifecycle of system and application accounts in order to minimize opportunities for attackers to leverage them. This includes managing their creation, use, periods of dormancy and deletion.

  17. Data Protection. Deploy and implement processes and tools used to prevent data exfiltration, to mitigate the effects of exfiltrated data and to ensure the privacy and integrity of sensitive information.

  18. Incident Response and Management. Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure. This should include detailed planning, the definition of personnel roles and responsibilities, training, communications and management supervision. These actions are essential for the purposes of quickly detecting an attack, effectively containing any damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

  19. Secure Network Engineering. Make cybersecurity an inherent attribute of the enterprise by specifying, designing, and creating features that allow a high degree of confidence in systems operations while denying or minimizing opportunities for attackers.

  20. Penetration Tests and Red Team Exercises. Test the overall strength of your organization’s defences, including technology, processes, and personnel, by simulating the actions and objectives of an attacker.

Overview of IMO guidelines

From the high-level resolution of MSC mentioned above, IMO has updated guidelines for the shipping industry to version 2.0.

Guidelines on Cybersecurity Onboard Ships was composed and approved by the world´s leading international trade associations for the maritime industry. Members of these associations range from shipowners, operators, dry and tanker cargo shipping industry partners and international maritime industry organisations.

Version 2.0 includes important updates concerning specific risks and the threat environment now facing the industry. Among these items are the following.

  • Incorporation of cyber risks into eacg ship´s safety management system / SMS.

    1. Improvements to guidance relating to risk assessments performed on operational technology / OT so as to include navigation and engine control systems.

    2. Additional guidance for managing risk associated with third party suppliers and vendors.

The purpose of the IMO guidelines is to address the specific and unique needs of the maritime, shipping and commercial passenger industries in relation to cyber risk management. The IMO guidelines in general are based on best-practice as developed by the cybersecurity sector, with add-ons relating to the specific requirements and functional areas of the maritime industry. The IMO guidelines cover the following topics.

Specific maritime considerations

Adoptingbest-practice standards is a necessary step but not enough. The maritime industry has specific challenges that must be met. These include, first of all, the relation to safety issues as well as the entanglement of IT and Operational Technology / OT.

Safety and cybersecurity

IMO Guidelines focus on the close relation between safety and security. But the guidelines also highlight important distinctions.

  • Cybersecurity concerns itself with the protection of IT / OT information and data from unauthorized access, manipulation or tampering.

    1. Cyber safety is focussed on the risk of loss of availability, or integrity, of data and OT that are critical for the safety of personnel as well as vessels and other facilities.

    2. Systems that fall under Cyber Safety would include ECDIS, GNSS or other external sensor data or OT systems such as Dynamic Positioning or engine control systems.

Information technology and operational technology

There are some very distinct differences between IT systems and OT systems. A sure way to remember the difference is to separate them by their main functions.  IT systems process information and/or transmit data. OT systems control physical machines.

Further distinctions in IT systems

  • High performance is maintained even when access controls and restrictions are applied.

    1. “0 downtime” is not typically a crucial factor

    2. Low fault tolerance required

    3. Low safety impact

    4. Data management

    5. High degree of compatibility in using open source protocols

    6. Resource flexibility; IT systems are engineered to permit fluctuatation of resource allocation

    7. Professional CTO / IT Director should be responsible for procurement

Further distinctions in OT systems

  • Timing is a key factor and controls or functions which delay processes can cause disruption or even system failure.

    1. “0 downtime” is typically a crucial factor.

    2. Redundancies or backup systems are required to maintain “0 downtime”

    3. High safety impact.

    4. High fault tolerance required.

    5. Low compatibility / proprietary protocols used.

    6. Resource inflexible. Systems are engineered with enough resources to perform designed functions

    7. The Chief Engineer is responsible for procurement 

Basic consepts of information security

Information security in plain language refers to those steps taken to ensure that information does not fall into the wrong hands.

A good starting point for anyone seeking to understand Information Security is a policy tool known as the CIA Triad. CIA in this case stands for Confidentiality, Integrity and Availability of Information.

The CIA Triad is a guide to the implementation of policies, security controls, and procedures in any organization.

Confidentiality

Confidentiality refers to the concept that only those who need access to information, or those for whom the information is intended should have access to the plain-text contents.

Integrity

Integrity refers to assurance that the information is free from unauthorized tampering or modification in any way. In addition there should be a means of testing the integrity of the information.

Availability

Availability refers to ease of access to information by authorized entities. When an

authorized entity which needs the information takes the correct steps to access it they should face no difficulty in doing so.

The CIA Triad is today an industry standard which is used to assess organizations for cyber risk. The goal of cyber risk management is to determine the appropriate degree of protection needed to ensure Confidentiality, Integrity and Availability of the organization´s most important information assets.

Cyber risk management

Developing and implementing a cyber risk management strategy incorporating both

Cybersecurity and Cyber Safety should begin with communication and planning workshops.

The unique frame of reference and area of expertise in each of these two skill sets help to determine the right balance between Cybersecurity and Cyber Safety. The first step should be a general Threat Risk Assessment /TRA with a maritime focus.

Four possible actions

In terms of Cyber Risk Management there are four possible actions. These are as follows.

  • Risk Avoidance

  • Risk Transfer

  • Risk Acceptance

  • Risk Mitigation.

Risk Avoidance

In most cases this is not a feasible solution to risk management as the

interconnectivity and communication of businesses relies on the internet, web facing

servers and cloud solutions. In this context, a decision to avoid risk means going back to pen and paper for every interaction. Clearly this choice will place the company at a huge disadvantage to their competitors who will likely prefer to mitigate, transfer and accept some of the residual risk.

Risk Transfer

This alternative is based on the growing market for cybersecurity insurance

providers. Much like automotive or other types of term insurance, a higher risk incurred by not performing corrective maintenance or having a history of “accidents” means higher insurance premiums. In some cases it may be cost effective compared to the alternative of Risk Acceptance.

Risk Mitigation

This is where the greatest effort is required by the organization under threat but also where we see the greatest ROI. Company brand, customer trust, and other non-quantifiable assets are not easily acquired. Nor can the results of a loss of those assets be easily transferred. You can’t buy reputation insurance.

Risk Acceptance

Here we have two alternatives. We can accept risk as it is or we can accept the residual risk after a mitigating factor has been added. A degree of residual risk will, however, continue to be present even after mitigation. For that reason every information security management system and risk management strategy entails the acceptance of a degree of risk.

Identify

The first steps in cybersecurity concern the Identify Function in the cybersecurity framework. The Identity Function covers identification of the following.

  • This refers to both information assets as well as physical devices and systems

    1. This includes all parties presenting a threat, existing or potential.

    2. This refers to all known weak points where an attack would be most likely to penetrate our defences.

Information from the three areas above should be applied to the assessment of risks and the degree and nature of business impact in a risk assessment workshop. Additionally, customised cyber risk assessments should be performed for each unique type of ship in order to accurately identify the risk pattern for that ship.

Protect

Based on the results from the Threat Risk Assessment / TRA the next step is to select appropriate controls to mitigate risks. Selected controls should not only cover technical measures but also cover training and cyber awareness for all personnel. Procedural and administrative controls relating to policy and procedure should also be addressed.

Implementing technical controls, CIS top 20

The CIS Controls consist of a set of twenty actions. These actions form a defence-in-depth framework of best practices that mitigate the most common attacks against systems and networks.

This framework purposely avoids the “nitty-gritty” of security, focusing on high-level areas that offer the greatest value. At the same time the controls are mapped to other standards and guidelines, giving both a holistic view and compliance support.

The CIS framework was developed by a grass-roots community covering multiple sectors and industries. Based on the collective experience of actual attacks and the professional expertise of this community the controls are listed in order of priority. This approach helps us to focus efforts on the most fundamental and valuable actions which should be taken to prevent, raise the alarm and respond to an attack.

Controls 1-6 are the most important. These are “Basic Controls”. Taking action in these areas decreases the likelihood of a successful attack by 85%. Moreover the Top 6 are highly cost-effective in terms of lowering the level of cyber risk. The additional recommended actions in the CIS Framework are listed below under the heading of Foundational.

CIS framework to 6 actions

  1. Inventory and Control of Hardware Assets

  2. Inventory and Control of Software Assets

  3. Continuous Vulnerability Management

  4. Controlled use of Administrative Privileges

  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

  6. Maintenance, Monitoring and Analysis of Audit Logs

CIS framework foundational actions

  1. Email and Web Browser Protection

  2. Malware Defences

  3. Limitation and Control of Network Ports, Protocols, and Services

  4. Data Recovery Capabilities

  5. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

  6. Boundary Defence

  7. Data Protection

  8. Controlled Access Based on the Need to Know Onboard Networks (Annex 2) Segmentation

Detect

According to Wärtsilä, a major, worldwide marine engine manufacturer, the vast majority of

cybersecurity attacks are conducted by means of phishing and social engineering techniques, But most actual breaches of security can be attributed to human error. Wärtsilä´s strategy for detecting and mitigating cybersecurity attacks is based on training and awareness programs for all personnel.

More specifically, regular training not only increases and maintains awareness but focusses attention on specific forms of threat. These include malware, phishing and social engineering, Additionally personnel training helps ensure vigilance regarding password protection, private use of the internet, email attachments and links and other Do´s and Don´ts. Regular training will go a long way in detecting and preventing cyber security violations.

Anatomy of a cyber attack

What exactly happens in a cyber attack? Let´s look at the phases of a typical cybersecurity violation.

Reconnaissance – Gathering information on the targeted organization or entity.

The reconnaissance phase comes in two main forms:

  • Passive Reconnaissance – Not engaging the target directly, open source info gathering. This can mean dumpster diving, google hacking, or using job sites or social media websites to find information about employees that can be used in a later phase.

    1. Active Reconnaissance – Directly interacting with the target. This could mean manipulating the human factor, sending emails, calling reception or employees directly to gather information about the targeted organization.

Scanning

Using tools to probe the target and recording the response. The intention is to identify versions of operating systems and software running on systems in order to home in on vulnerabilities that may be present on those same systems.

Gaining Access

Getting a foot in the door to systems. This can mean either remotely or physically. Once inside the attacker can either escalate privileges so that they have full access or acquire “system privilege” on a particular system.

Maintaining Access

A hacker enters a system and escalates privilege, They aim to maintain that level of access, so the attacker may leave a “backdoor” or rootkit such as a remote access trojan / RAT so they can easily return to a system for some nefarious purpose such as exfiltrating data or to “pivot” to another system on the network.

Covering Tracks

Hackers of course seek to escape detection. For this reason they remove, or try to delete, any trace of their intrusion into a system. This may include deleting logs or malware / scripts / exploits / payloads that they had used to gain access. It can also include removing accounts they may have created for the purpose of gaining access or escalating privilege, or causing a system to overwrite relevant logs by causing it to write a large number of irrelevant logs.

Company and vessel response planning

The implementation of a well prepared response plan is of vital importance in resolving

problems with the minimum risk to personnel, assets and normal operations. Response and recovery plans should be reviewed and exercised in reality at regular intervals.

Example: Initial Response (Not all  inclusive)

  • Conduct a preliminary evaluation to determine if the event requires escalation of response action or if it can be resolved through normal response activities.

    1. Notify the Master of the vessel and, if required, shoreside management

    2. Review the event details.

    3. Perform an initial assessment of the event and associated impacts.

    4. Determine if an escalation level needs to be declared. For example:

1) Does the situation require assistance beyond the vessel and shore side management?

2 ) Does the situation require the relocation of people or materials/equipment?

Recovery – From planning cycle to restoration of services

Example: Recovery planning (Not all inclusive)

  • Establish a planning cycle so that status updates can be provided at regular intervals.

  • Monitor recovery efforts and address any identified issue.

  • Determine if the problem has been resolved.

  • Declare the incident over.

  • Notify appropriate personnel to begin restoration of services and a return to normal operations.

Recommendations from the IMO guidelines

The stated aim of the Guidelines is as follows. “Offering Guidance to Shipowners and Operators on Effective Cyber Risk Management”

The Guidelines are not intended to be a call for external vetting or auditing as many smaller organizations may not necessarily benefit from an audit of procedures. An example of an organization that would not necessarily benefit from an external audit is one whose policies and procedures are less granular and more ad hoc, unwritten and informal.

An organization that has unwritten and informal procedures and policies for cyber risk management would benefit more from starting with basics rather than forming a committee comprised of key members of management, finance, HR, legal and IT to discuss and write formal policies and procedures for cyber risk management in their own organization.

These policies may be based on several informal procedures already being conducted in the organization as well as adaptations from industry best practice as well as “Guidelines on Cybersecurity Onboard Ships”.

The procedures and policies in place in an organization may currently only be an acceptable use policy for their users plus account policy, network configuration and server administration procedures for the IT Section.

The organization may have overlooked certain items that would be beneficial for formalizing policy. In that case, using the IMO Guidelines and external resources to help identify gaps in this process is recommended.

Reference documentation

The Maritime Safety Committee states that the guidelines are advisory. The information and advice provided by the MSC guidelines should be adapted by maritime operators depending on their specific business. As a shipping company or a shore-based operation you may choose which specific risk management approach to adopt based on the needs of your business and on the risk appetite of your business.

Clearly an SMS should aim for cyber risk management in accordance with the functional objectives and requirements of the ISM Code. There are several cyber risk management frameworks to choose from. The guidelines suggest an approach that is based on the five functional elements of the US National Institute of Standards & Technology / NIST Cybersecurity and Risk Management Frameworks.These are as follows: Identify, Detect, Protect, Respond and Recover.

It´s highly positive to see that MSC and the facilitation committee agreed on guidelines after due diligence and research into an already well-established industry with best practices that are evaluated and improved regularly.

There are three areas of guidance and standards that are referred to in MSC-FAL.1/Circ.3as reference material:

  • ”The Guidelines on Cybersecurity Onboard Ships”

  • ”ISO/IEC 27001 standard on Information technology – Security techniques –

  • Information security management systems – Requirements. Published jointly by the

  • International Organization for Standardization (ISO) and the International

  • Electrotechnical Commission (IEC)”

  • ”United States National Institute of Standards and Technology’s Framework for improving Critical Infrastructure Cybersecurity (the NIST Framework).”

Cybersecurity service with a maritime focus

Secure State Cyber performs external technical reviews and audits as well as identifying threats and vulnerabilities. Secure State Cyber, with operations in Europe and North America, helps organizations manage cyber risk and is available to assist any organization, from those that are unsure where to start, right up to any level of maturity in cyber risk management.

Henrik Ottosson
Previous

Secure business operations when employees are working remotely from home