MARITIME CYBER SECURITY Archives - Page 27 of 40 - SHIP IP LTD

MAKKAH: Saudi Arabia has warned the UN Security Council that an “oil spot” has been sighted in a shipping lane 50 km west of an abandoned, decaying oil tanker off the coast of Yemen. Experts fear it could spill 1.1 million barrels of crude into the Red Sea.

The tanker, called the Safer, has been moored near Ras Issa oil terminal for more than five years. The UN previously warned that it could leak four times as much oil as was spilled during the 1989 Exxon Valdez disaster off the coast of Alaska. UN Secretary-General Antonio Guterres and the Security Council have repeatedly called on Houthi insurgents in Yemen to grant access to the tanker for a technical assessment and emergency repairs.

In a letter to the 15-member Security Council on Wednesday, Saudi Ambassador to the UN Abdallah Al-Mouallimi said “a pipeline attached to the vessel is suspected to have been separated from the stabilizers holding it to the bottom and is now floating on the surface of the sea.”

He said the vessel “has reached a critical state of degradation, and the situation is a serious threat to all Red Sea countries, particularly Yemen and Saudi Arabia,” adding “this dangerous situation must not be left unaddressed.”

Ahmed Al-Ansari, an environmental expert in Jeddah, said: “There is no doubt that the Houthi militias’ intransigence in allowing … maintenance of the tanker … has increased the chances of deterioration.”

It might result in a major oil leak, he added, that could cause an unprecedented environmental disaster, the “negative economic, environmental and health effects (of which) will be great on the countries of the region and the world, due to the importance of the Red Sea in international maritime transport” as a major link between East and West.

Al-Ansari welcomed the efforts of Saudi authorities to press for action in the UN “to ensure that the Kingdom’s shores and regional waters are protected from all potential dangers.”

Independent researchers are also concerned about the condition of the Safer. In a 2019 report for the Atlantic Council titled “Why the massive floating bomb in the Red Sea needs urgent attention,” energy experts Ian Ralby, David Soud and Rohini Ralby said the potential consequences of a disaster include an end to the two-year cease-fire in Hodeidah and a worsening of Yemen’s humanitarian crisis.

“The risk of explosion increases by the day and if that were to happen, not only would it damage or sink any ships in the vicinity, but it would create an environmental crisis roughly four and a half times the size of the Exxon Valdez oil spill,” they said.

Other experts warn that the security situation in Yemen adds to the danger. “(Given) the complexity of this war, an errant bullet or shell from any one of the combatants could trigger a blast as large as Beirut’s Aug. 4 disaster, prompting a historic oil spill,” Dave Harden, managing director of Georgetown Strategy Group, wrote in an op-ed published by news website The Hill last month. “Cleanup efforts would be daunting — given the insecurity of being in a war zone and the additional health risks from COVID-19.”

Waleed Al-Qudaimi, deputy governor of Hodeidah, said an oil spill would create a humanitarian crisis as severe as the one caused by the Houthi insurgency.

“It (would) add an additional burden that will affect Yemen for decades, deprive thousands of people of their jobs and destroy marine biodiversity in Yemeni waters,” he said as he appealed for the international community to maintain pressure on the Houthis to allow maintenance work.

Copyright: Arab News © 2020 All rights reserved. Provided by SyndiGate Media Inc.


[The excerpts below are from the book Maritime Cybersecurity: A Guide for Leaders and Managers, published in early September.]

[T]hreats must be put into context. The figure [below] shows the light configuration of a vessel that you do not want to see steaming towards you at night. Not only is this ship coming towards you head-on, it suggests that you are already in very dangerous waters, per Rule 27(f) in the Navigation Rules.

While this portrayal has a certain element of dark humor to it, it is also analogous to real life. When a ship is in a minefield, what is the real problem? Is it the threat of hitting a mine, or is it the vulnerability of the ship to the damage caused by the explosion? During the early days of the Battle in the Atlantic during World War II, Germany deployed magnetic mines against the British. The mines rose from the seafloor when they detected the small change in the Earth’s magnetic field that occurred when a steel-hulled vessel came within range. The British, upon discovering this mechanism, took countermeasures to effectively degauss their warships. This change eliminated the mine’s ability to exploit the ship’s magnetic field and, at least temporarily, obviated the threat. The vulnerability of the ship to a mine was not eliminated, but the exploit was defeated.

In cyberspace, we can’t control where the mines are, but we can control our susceptibility to getting hit by one and the subsequent damage that could result.

This leads to the following general truth about cybersecurity:

Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities (weaknesses), you’ve got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus, you might even be OK if you get the threats all wrong. But if you focus mostly on the threats, you’re probably in trouble.

Threats are a danger from someone else that can cause harm or damage. We might or might not be able to identify a potential threat, but we cannot control them. Vulnerabilities are our own flaws or weaknesses that can be exploited by a threat actor. Indeed, not all vulnerabilities can be exploited. We are—or should be—able to identify our vulnerabilities and correct them.

While we cannot control the threats, we should be knowledgeable about the threat landscape and have an idea of threat actors who might wish to do us harm, but we should not obsess over the threats while planning a cyberdefense. Instead, we should look inward at our own systems, seek out the vulnerabilities, and plug the holes. New threats always emerge, but that doesn’t change the strategic importance of fixing our own vulnerabilities.

Ironically, there is a corollary to this maxim: “Identifying threats can help get you funding while identifying vulnerabilities probably won’t.” Almost all cybersecurity professionals have gone to management to seek funds for an emergency update to hardware or software, just to be told that fixing a vulnerable system can always wait until the next budget cycle. Conversely, when management sees a memo from IMO or USCG, or a warning from an ISAC/ISAO, that highlights a credible threat directed at that same hardware or software, it’s remarkable how quickly the funds become available.

——————————————————–

A common but mistaken belief at the leadership level of many organizations, both within the maritime industry and beyond, is that the responsibility for protecting information assets lies within the technology ranks. To those who subscribe to that belief, let us share the following: Anyone who thinks that technology can solve their problems does not understand technology or their problems.

Cybersecurity—or, arguably more properly, information security—is not merely, or even primarily, the responsibility of the IT department. Everyone who comes in contact with information in any form has the responsibility to protect it and, further, to recognize when it is under attack—and take whatever action is required to defend it, including reporting suspected attacks to the appropriate defensive agencies within the organization. Ultimately, it is the responsibility of a designated Chief Information Security Officer (CISO) to manage the cybersecurity posture of an organization. That posture includes the creation of a sense of urgency and awareness around cyberthreats at every level of the organization.

It is also important to recognize that IT and cybersecurity professionals have different—albeit often overlapping—skill sets. IT professionals keep networks running and resilient, and provide services and applications to the users; cybersecurity professionals defend these assets.

——————————————————–

[We wrote this book for] the maritime manager, executive, or thought leader who understands their business and the maritime transportation system, but is not as familiar with issues and challenges related to cybersecurity. Our goal is to help prepare management to be thought and action leaders related to cybersecurity in the maritime domain. We assume that the reader knows their profession well, knowledge that will help to provide the insight into how cyber affects their profession and organization.

Chapter One (The Maritime Transportation System, MTS) provides a broad, high-level overview of the MTS, the various elements within it that we’re trying to secure, and the size and scope of the challenge. Chapter Two (Cybersecurity Basics) offers terms, concepts, and the vocabulary required to understand the articles that one reads and the meetings that one attends that discuss cybersecurity.

The next three chapters describe actual cyber incidents in various domains of the MTS and their impact on maritime operations. Chapters Three through Five address cyberattacks on shipping lines and other maritime companies, ports, and shipboard networks, respectively. Chapter Six (Navigation Systems) discusses issues relating to Global Navigation Satellite Systems (GNSS) and Automatic Identification System (AIS) spoofing and jamming, while Chapter Seven (Industrial Control and Autonomous Systems) presents cyber-related issues and the ever-increasing challenge of remote control, semi-autonomous, and fully-autonomous systems finding their way into the MTS.

Chapter Eight (Strategies for Maritime Cyberdefense) discusses practices that address cybersecurity operations in the MTS, including risk mitigation, training, the very real need for a framework of policies and procedures, and the development and implementation of a robust cybersecurity strategy. Chapter Nine offers final conclusions and a summary.

——————————————————–

Author’s note: This book is intended to speak to all levels of members of the MTS, from executives, directors, and ship masters to managers, crew members, and administrative staff. Our hope is that it informs the reader to a higher level of awareness so that they can be more aware of the threats and be better prepared — at whatever level of their job — to protect their information assets.

Because the field is so fast moving, we also have a Web site — www.MaritimeCybersecurityBook.com — where we will post additional information.

Gary C. Kessler is a Professor of Cybersecurity in the Department of Security Studies & International Affairs at Embry-Riddle Aeronautical University. He is also the president of Gary Kessler Associates, a training, research, and consulting company in Ormond Beach, Florida.

Steven D. Shepard is the founder of Shepard Communications Group in Williston, Vermont, co-founder of the Executive Crash Course Company, and founder of Shepard Images. 


With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, all four of the world’s biggest maritime shipping companies have now been hit by cyber-attacks in the four years since 2017.

Previous incidents included:

  1. APM-Maersk – taken down for weeks by the NotPetya ransomware/wiper in 2017.
  2. Mediterranean Shipping Company – hit in April 2020 by an unnamed malware strain that brought down its data center for days.
  3. COSCO – brought down for weeks by ransomware in July 2018.

On top of these, we also have CMA CGM, which today took down its worldwide shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by the Ragnar Locker ransomware.

This makes for a unique case study, as there is no other industry sector where the Big Four have suffered major cyber-attacks one after the other like this.

But while all these incidents are different, they show a preferential targeting of the maritime shipping industry.

“I’m not so sure it’s that they’re any more or less vulnerable than other industries,” said Ken Munro, a security researcher at Pen Test Partners, a UK cyber-security company that conducts penetration testing for the maritime sector.

“It’s that they are brutally exposed to the impact of ransomware.

“After Maersk was hit by the NotPetya crypter, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries,” Munro said.

IT’S NOT THE SHIPS! IT’S THE SHORE-BASED NETWORKS

Over the past year, incidents where malware landed on ships have intensified. This included sightings of ransomware, USB malware, and worms, all spotted aboard a ship’s IT systems.

Maritime industry groups have responded to these increasing reports of malware aboard ships by publishing two sets of IT security guidelines to address maritime security aboard ocean-bound vessels.

But Munro points out that it’s not the ships that are usually getting attacked in the major incidents.

Sure, malware may land on a ship’s internal IT network once in a while, but the incidents where malware gangs have done the most damage were the attacks that targeted shore-based systems that sit in offices, business offices, and data centers.

These are the systems that manage personnel, receive emails, manage ships, and are used to book container transports. There is nothing particularly different about these systems compared with any other IT systems sitting inside other industry verticals.

“That said, if you can’t book a container, there’s no point in having the ship,” Munro added.

For all intents and purposes, it appears that despite efforts to protect ships from external hacking, the maritime industry has failed to treat its shore-based systems with the same level of attention.

While the rare ship hacking incidents are the ones that usually grab headlines, it’s the attacks on a shipping company’s shore-based systems that are more common these days, and especially the attacks on their container booking applications.

These systems have often been hacked by sea pirate groups looking for ship manifests, container ID numbers, and ship sea routes so they can organize attacks, board ships, and steal containers transporting high-value goods like electronics and jewelry.

These waves of “cyber pirates,” as these groups have often been named, along with the recent attacks on the Big Four shipping giants, are a clear sign that the shipping industry needs to stop prioritizing the less likely ship hacking scenarios and focus more on its shore-based systems, at least for the time being.

Source: zdnet


The World Economic Forum cites cyberattacks on critical infrastructure, including transportation, as the world’s fifth highest risk in 2020. At the same time, transportation and logistics organizations are rapidly evolving to improve their service levels and efficiency.

To accelerate their digital transformation, Intelligent Transportation Systems (ITS) are becoming more connected and complex, which unfortunately opens the door to new cyber risks. To ensure operational availability during this transition, deep visibility into ITS networks is required.

Let’s look at the challenges faced by the maritime sector, and how they can be eased with ITS cybersecurity best practices and use of the right technology.

Maritime cybersecurity and operational resiliency are challenged by increasing digitization and connectivity. Applying cybersecurity best practices and OT/IoT visibility and security technology eases the problem.

Maritime Asset Owners Can Reduce Risk with Improved Cybersecurity

The maritime industry transports 90% of the world’s trade. Like other industries, it’s becoming increasingly automated and remotely monitored. Shippers want to optimize voyages and track the operational status of things like:

  • Load condition of the vessel
  • Fuel consumption
  • Position and route
  • Machinery performance
  • System efficiencies

Rapid digitization is fueling the development of Maritime Autonomous Systems (MAS), where new generation ships can be remotely controlled from land.

On the other hand, the level of system visibility and cybersecurity maturity in this sector is relatively low. Many ships contain devices and even systems that are unknown to their operators. Crew are not typically trained to identify phishing emails or manage network access control.

While dramatic situations like a vessel capsizing due to hacking are not out of the realm of possibility, they are still unlikely. Crew constantly observe ship behavior and can often employ manual or safety systems to correct performance that is out of normal range.

Disruptive events that are more likely to occur include:

  • Employees or suppliers unintentionally causing cyber incidents that threaten operational reliability or are expensive to remediate
  • Cyber criminals disrupting a company’s shipping operations or altering documents to facilitate drug smuggling
  • Threat actors stopping ship-to-shore functions, such as crane operations, and stopping the flow of goods

Driven by the need to reduce risk, comply with international shipping standards, and meet insurer requirements, shipping companies are investing in cyber resiliency. An important capability lies in identifying maritime assets and tracking their communications. Networks should be monitored for vulnerabilities, threats, and unusual behavior that could indicate a cyberattack.

Fortunately, real-time OT/IoT visibility technology can be used to improve both operational availability and cyber resiliency, helping ensure the safety of transportation systems as they transform.

The wide variety of controls and control systems on ships makes them challenging to monitor and secure. Nonetheless, ship owners are improving cybersecurity programs, in part because of international shipping standards.

Improving Network and Operational Visibility

The complex technology used within the maritime transportation environment makes consolidated OT/IoT visibility extremely difficult. It also expands the attack surface, increasing vulnerability to cyber threats.

To keep things running smoothly, security and operations teams need a simple way to inventory the wide variety of devices and systems used. The Nozomi Networks solution, for example, provides deep visibility across all control networks by automatically creating an accurate, centralized inventory of OT/IoT assets and keeping it up-to-date.

Our solution analyzes network traffic, using the data to build a live, interactive visualization of operational technology systems. An extensive amount of useful information is provided, including:

  • A macro view of the entire ITS environment, with the ability to filter by subnets and network segments
  • Detailed asset views that make it easy to drill down for deeper insight
  • The role of each node and the traffic between nodes
  • The protocols used to communicate between nodes and zones
  • Network traffic information such as throughput, protocols and open TCP connections
  • Detailed attributes of endpoints and connections
  • Automated alerts that bring hardware, software and device changes to your attention

In fact, the breadth and depth of information often provides insight into previously unknown devices, connections and activity.

Within minutes of deployment, the Nozomi Networks Solution provides comprehensive visibility into operational networks and ITS/IoT assets. It helps teams efficiently identify and mitigate cybersecurity and reliability risks.

 

Deep Visibility into Transportation ITS Networks Builds Operational Resiliency

To stay on top of what’s happening on transportation system networks, OT/IoT visibility and threat detection are required. Security gaps related to people and processes can have a big impact on operational resiliency too. For example, the separation of IT and OT, combined with increasingly connected ITS control systems, can lead to blind spots and vulnerabilities. But with the right technology and a focus on best practices, transportation organizations can increase operational resiliency.

The Nozomi Networks solution is tailored to meet the unique requirements of transportation asset owners. Many of the world’s top transportation companies have chosen our innovative solution for OT and IoT visibility. It helps them accelerate digital transformation while reducing cyber risk.

Source: securityboulevard


This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security. The requirement to implement effective cyber security measures across a fleet of vessels and in Company offices ashore can be daunting for DPAs, particularly as the cyber threat may not be within the direct knowledge and experience of the safety team. Most DPAs are experienced mariners and have a very well-developed sense of what is (and is not) safe in shipboard operations. Cyber security may be outside their technical comfort zone.

However, the important thing for DPAs to remember is that cyber threats can be assessed using the same methodology as any other maritime risk. The key is to go back to the first principles of safety management.

In particular the ISM Code (Section 1.2 Objectives) requires the following:

  • Ensure safety at sea (i.e. ensure that control systems on board cannot be compromised by cyber malware to prevent the safe operation of the vessel, particularly navigation and propulsion systems).
  • Prevention of human injury or loss of life (i.e. IT systems, especially operation systems, are sufficiently protected when used in critical operations involving enhanced risk to people).
  • Avoidance of damage to the marine environment and property (i.e. bunkering, ballasting and the use of oily water separators).

It is important to note that the ISM Code does not specifically require the prevention of commercial risk. This is an interesting point, as most cyber crime is committed for commercial gain. Whilst protecting the vessel’s systems to make them safe is a requirement, and will undoubtedly assist against hackers seeking commercial gain, it is not an explicit requirement of the ISM Code to establish systems solely to prevent commercial wrongdoing. Therefore, when implementing enhanced IT security measures, the DPA should ask the fundamental question: is this for safety or commercial benefit? If it is only the latter, it may be worth considering whether it should be included in the ISM framework (and who should be responsible for the management of that commercial risk).

Moreover, the ISM Code requires the Company to identify risks to its ships, personnel and the environment and thereafter establish appropriate safeguards (ISM Code Section 1.2.2.2). This requirement is usually understood as defining credible risks and putting in place measures to manage the risk to As Low As Reasonably Practicable (ALARP). DPAs and Company IT managers should be asking if a cyber threat is credible to their specific operating environment. The subsequent level of protection then needs to be commensurate with the identified cyber threat. It does not need to be bank-level security in response to an incredible threat (the equivalent in ship operations terms would be attempts to quantify and manage the risk of a jumbo jet landing on the vessel whilst alongside during cargo operations).

Good cyber security providers have software which will audit the Company’s existing IT systems remotely (usually for a period of a couple of weeks) and report on the actual level of threat the Company is experiencing. This will form the basis of a risk register of known and credible threats. This can then be used to identify a pragmatic and cost-effective solution where resources are needed to reduce the known and credible threats to ALARP.

Source: eazisecurity




The 01 January 2021 deadline for the implementation of maritime cyber risk management in the Safety Management Systems as per IMO Resolution MSC.428(98) is fast approaching.

Members are reminded of the due date for implementation – the first annual verification of the company’s Document of Compliance after 01 January 2021. While this translates to different target deadlines for each Member and their vessels, it should be recognised that significant preparatory work may be anticipated.

It is also important to acknowledge that the vulnerability of a ship’s systems to a cyber incident continues to be a real threat, as has been experienced in a number of recent high-profile shoreside incidents, such as the “NotPetya” ransomware attack. Whilst that incident did not directly affect vessel operations, the potential vulnerability of on-board systems has been demonstrated by ‘ethical hacking’. Such tests have demonstrated that these attacks, which typically exploit weaknesses in human behaviour, are possible and could result in navigational and control systems being compromised.

In July 2019 the US Coast Guard (USCG) issued a Marine Safety Alert about a cyber incident involving a deep draught vessel on an international voyage and bound for US ports. The vessel reported that it was experiencing a significant cyber incident which affected its shipboard network. A team of experts led by the USCG responded and investigated. It was concluded that although malware had significantly degraded the onboard computer system, essential vessel control systems had not been compromised. The investigation also found that the vessel was operating without effective cyber security measures in place, thereby exposing vulnerabilities of critical vessel control systems. Prior to the incident the security risk presented by the shipboard network was apparently well known to the crew, but this had not been addressed. The USCG stated that it was imperative for the maritime community to adapt to changing technologies and the changing threat landscape by recognising the need for, and implementing, basic cyber hygiene measures, thus emphasising the importance of the 2021 cyber security management requirements.

A recently published article on the website of Smart Maritime Network (SMN) explains the vulnerability and ease of access to the communications systems on board vessels where such basic cyber hygiene measures as robust password management were not being implemented.

The Guidelines on CYBER SECURITY ONBOARD SHIPS, produced by BIMCO and supported by a number of maritime stakeholders, is aligned with the MSC resolution and contains recommendations on various processes that should be undertaken for successful implementation of cyber security management.

The NIST (National Institute of Standards and Technology) framework of Identify – Protect – Detect – Respond – Recover sets out the core cyber security activities, while the ISM Code and the ISPS Code provide the necessary framework for integration into the company risk management and security protocols and procedures.

The Club has previously recognised the importance of cyber security management on vessels in the loss prevention DVD “Cyber Security – Smart, Safe Shipping”, and the Club encourages Members to ensure that early implementation of cyber security management is considered and that the procedures of cyber risk management be seamlessly integrated within the existing safety management system at the earliest opportunity, even where the deadline for implementation is not imminent.

Source: steamshipmutual


The White House hopes to update the U.S. government’s approach to its maritime cybersecurity strategy in coming months, according to two senior administration officials.

The Trump administration’s priorities are to enhance and secure the United States’ ability to project power at sea and defend against adversarial cyberattacks, two senior administration officials told reporters during a call Tuesday. The plan involves re-examining the national approach to information sharing and better emphasizing the use of operational technologies in ports, according to one senior administration official.

The two officials on the call declined to reveal any specific information about the administration’s plans, saying more information would soon become available. But hackers have long targeted shipping firms and the maritime supply chain to steal data involving the U.S. government or interrupt cargo operations. Hackers using a strain of ransomware known as Ryuk compromised computer networks at a maritime transportation facility last year, disrupting operations for 30 hours, according to the U.S. Coast Guard. Nation-state hackers also have targeted Americans aboard maritime vessels to trick them into revealing their location or activities.

More recently, the Trump administration has been concerned about a ransomware attack targeting a shipping company, which “affected COVID-19 supply chains in Australia,” one senior administration official said.

“Adversaries frequently interfere with ship or navigation systems by targeting position or navigation systems through spoofing or jamming, causing hazards to shipping,” one senior administration official said.

The announcement comes amid several efforts at the Department of Defense to test readiness against cyberattacks in the maritime domain. The Pentagon’s offensive cyber unit, Cyber Command, simulated a cyberattack last year on a seaport. The Army is also participating in an exercise meant to simulate adversaries targeting U.S. ports this month.

Source: cyberscoop


A live superyacht cyber security event named Don’t Miss the Boat is set to educate superyacht owners and captains on cyber security threats and how to combat them.

The event comes as the IMO prepares to implement new cyber security regulations. By January 2021, yacht owners and operators of vessels over 500GT will need to have incorporated a cyber risk management plan to demonstrate they have addressed security threats on board.

The live event, which will take place at 3pm on September 25, will be held by the 360 Maritime Security alliance. The alliance comprises Infosec Partners, Priavo Security and Halo Group Security, which will demonstrate attacks on an existing superyacht legacy security network (the most basic protection) and compare them to an attack against a secure system.

The event will be broadcast from Shepperton Studios in Surrey and streamed on YouTube and LinkedIn.

Mark Oakton, security director at Infosec Partners, said the superyacht industry still considers cybercrime “an afterthought”.

“The level of protection on yachts compared to other environments is very low and is especially dangerous in an industry populated with ultra-high net worth individuals,” he said.

“The worst impact is not what actually happens in the attack, it’s the ongoing brand and reputation damage.”

Source: boatinternational


The latest victim in a long list of cyber-attacks was cruise operator Carnival Corp, which announced on 15 August 2020 that it had suffered an attack in which files were stolen. According to David Bernstein, chief financial officer for Carnival, the company “detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files.”

It seems that the ransomware attack included unauthorized access to personal data of guests and employees. The incident may become a costly one for the cruise operator, as it may result in potential claims from guests, employees and regulatory agencies.

This was the most recent event in a series of incidents that affected both shipping companies and ports. Since NotPetya caused US$300 million in losses for Maersk, the attacks have been increasing at an alarming rate. In 2018, the ports of Barcelona and San Diego fell under attack. Australian shipbuilder Austal was also hit, and the attack on COSCO took down half of the shipowner’s US network.

Fast forward to 2020, when the shipping company MSC was hit by malware, which resulted in shutting down the shipowner’s Geneva headquarters for five days. According to a US Coast Guard security bulletin, a cargo facility’s operating system was infected with the Ryuk ransomware. Finally, the OT systems at Iran’s Shahid Rajee port were hacked, restricting all infrastructure movements and creating a massive backlog.

The convergence of IT and OT systems creates new challenges

Until relatively recently, topics relating to cybersecurity have been the domain of the IT department. However, securing Operational Technology (OT) is becoming critical for maritime and shipping businesses, since they rely more on smart, cutting-edge technology. (This is especially true for the digitalized maritime sector, as we discussed in a recent post.)

“All new builds are based on software that runs systems within the ship pertaining to safety and security, and also for monitoring of operations,” says former naval officer Chronis Kapalidis, a maritime cybersecurity researcher at HudsonAnalytix and an analyst at Chatham House. “It’s important that cybersecurity across IT and OT becomes part of a new cyber culture. It shouldn’t be something that ship owners are requesting and pushing the vendors for – it should be something vendors have in place to demonstrate their competitive advantage.”

The IMO recognized the need to make sure that these OT systems are secure. In response, it required that all maritime administrators appropriately address the cyber risk of their Safety Management Systems by January 2021.

Addressing these risks begins with knowing your vulnerabilities and being prepared for a constant increase of cyber threats. Paul Ferrillo, partner at law firm McDermott, Will & Emery, said in a recent webinar that all ports and terminals are attractive targets for cyber attackers. “If you have data, you are a target,” he warned. “You will be attacked and breached – you may already be breached, but you may not know it.”

However, cyber threats that undermine maritime operational reliability and delay cargo delivery carry additional risks. “Infected systems can compromise navigation or propulsion, threatening ship safety itself as well as the marine environment,” reads a recent article by ABB.

With cyber-attacks against port operators and shipping companies increasing, “people need to be aware of the threats,” says Scott Dickerson, executive director at Maritime Transportation System ISAC. “It is not just a technology challenge. Some ports do not have a dedicated IT person, so at operational level people need to understand how they are being targeted and make sure they have good cyber hygiene.”

Traditional cybersecurity does not work

The quantity of information transmitted from ship to shore has increased dramatically thanks to advances in maritime communications and an ever-increasing reliance on technology-enabled on-board systems.

“What is interesting is that many operators believe they have this protected with traditional cybersecurity, but the firewalls and software protecting the IT side do not protect individual systems on the OT network,” says Jonas Blomqvist, General Manager, Cyber Security, Marine Business at Wärtsilä.

Installing an antivirus platform on a vessel bridge navigation system (ECDIS) could very quickly impair and inhibit system performance, for example.

“Operational networks, in contrast to information networks, are measured by their performance level. Their operation cannot be disconnected and stopped. An emergency state in these systems can usually only be identified following a strike and they will be irreparable and irreversible,” adds Blomqvist.

Taking precautions by installing security systems, such as firewalls and detection systems for denial-of-service attacks and other malware, is crucial but insufficient. Adopting proactive cybersecurity risk management provides an opportunity for shipping companies to differentiate themselves.

Maritime cyber resilience is a strategic advantage

Cyber resilience has emerged over the past years because traditional cybersecurity countermeasures are not sufficient to protect organizations against sophisticated attacks. Preserving both cybersecurity and cyber safety is important because of the potential effect a cyber-attack might have on personnel, the ship, the environment, the company and the cargo.

Cyber resilience programs should be able to identify, assess and manage cyber risks. They must continuously monitor all mission-critical systems to detect anomalies, changes and potential cybersecurity incidents before they cause significant damage and disrupt the reliability and safety of operational processes. An incident response management program ensures business continuity and helps the maritime and shipping company to continue to operate despite a cyber-attack.

With cyber-attacks increasing in frequency and severity, supposing that maritime and shipping organizations can defend against every potential attack scenario is just wishful thinking. Organizations need to combine cybersecurity with business resilience to be cyber resilient. As the maritime sector continues its digitalization journey, a safer shipping offering is a competitive strategic advantage.

Source: tripwire

