MARITIME CYBER SECURITY Archives - Page 32 of 40 - SHIP IP LTD


To cope with operational issues such as denied physical access, quarantined vessels and travel restrictions, shipowners are now actively opening up remote access to vessels, implementing remote digital survey tools, and encouraging shore staff to work remotely from home.

There is also increased use of mobile devices to access operational systems onboard vessels and core business systems in the company. Unprotected devices could lead to the loss of data, privacy breaches, and systems being held at ransom. Data is an asset and protecting it requires a good balance between confidentiality, integrity and availability.

In an era of cyber everywhere, with more technological transformation, use of cloud, and broader networking capabilities towards vessels, the threat landscape continues to increase. Cyber-criminals will look to attack operational systems and backup capabilities simultaneously in highly sophisticated ways leading to destructive cyber attacks. Cyber security depends not only on how company and shipboard systems and processes are designed but also on how they are used – the human factor.

Cyber risks may not be easy to identify

Criminals trying to exploit the maritime industry, the vessels and their crew are well organised and continuously evolve in the way they operate. This reflects the constantly evolving nature of cyber risk in general. Approaches to cyber risk management need to be company- and vessel-specific but must also be guided by requirements contained in relevant national, international and flag state regulations.

Shipowners and operators who have not already done so, should undertake risk assessments and incorporate measures to deal with cyber risks in their ship’s safety management systems (SMS) and crew awareness training. Shipowners and operators should also embed a culture of cyber risk awareness into all levels and departments in the office and on board the vessels. The result should be a flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

Most Classification societies (Class) and several marine consulting companies have issued guidelines and recommendations on cyber security onboard vessels. Class, as a Recognized Organization on behalf of Flag State authorities, may now also deliver ISM audits which include cyber risk.

Class is also offering a voluntary cyber secure class notation for verifying secure vessel design and operation and cyber secure type approval to support manufacturers with cyber-secure systems and components. As an advisor, Class may also offer cyber security risk assessment, improvement, penetration testing and training support both on board and in the office.

At Gard we strive to protect the interests of our Members and clients in the best possible way. Our recommendation is to take a holistic approach to the cyber risks to protect the confidentiality, integrity and accessibility of both IT and OT systems through measures covering processes, technology and most importantly people. The easiest and most common way for cyber criminals to gain access is through negligent or poorly trained individuals.

Recommendation No.1: Focus on policies, procedures and risk assessments

The latest Guidelines on Cyber Security Onboard Ships anticipate that cyber incidents will result in physical effects and potential safety and/or pollution incidents. Therefore, companies need to assess the risks arising not only from the use of IT equipment but also from OT equipment onboard ships and establish appropriate safeguards against cyber incidents involving either of these.

Company plans and procedures for cyber risk management must be aligned with existing security and safety risk management requirements contained in the ISPS and ISM Codes as included in company policies. Requirements related to training, operations and maintenance of critical cyber systems should also be included in relevant documentation on-board.

The IMO Maritime Safety Committee (MSC) adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems in June 2017. The resolution states that an approved safety management system should include cyber risk management in accordance with the objectives and requirements of the ISM Code, no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.

Based on the recommendations in MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management, the resolution confirms that existing risk management practices should be used to address the operational risks arising from the increased dependence on cyber enabled systems. The guidelines set out the following actions that can be taken to support effective cyber risk management:

  1. Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, pose a risk to ship operations.
  2. Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
  3. Detect: Develop and implement processes and defenses necessary to detect a cyber incident in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for shipping operations or services which have been halted due to a cyber incident.
  5. Recover: Identify how to back-up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.

The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks on board. Where the ship is under third party management, the ship manager is advised to reach an agreement with the shipowner as to who is responsible for this matter. Emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.

Apart from the ISM requirements, such an agreement should take into consideration additional applicable legislation such as the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime onboard. Any agreements on responsibility for cyber risk management should be formal and in writing.

Companies should also evaluate and cover service providers’ physical security and cyber risk management processes in supplier agreements and contracts. Similarly, coordination of the ship’s port calls is a highly complex task being both global and local in nature. It includes updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore.

Agents’ quality standards are important because like all other businesses, agents are also targeted by cyber criminals. Cyber enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber enhanced relationships between owners and agents to mitigate these risks.

Recommendation No.2: Ensure that system design and configuration are safe and fully understood and followed

The problem with procedures is that good intentions can become paper pushing exercises. It is therefore important to ensure that those performing tasks involving cyber security understand that the purpose of the procedures is to prevent unauthorised access and not simply to satisfy the regulators or their immediate superiors.

Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging due to the lack of facts about incidents and their impact. Until we have such evidence, the scale and frequency of attacks will continue to be unknown.

Experience from the shipping industry and other business sectors such as financial institutions, public administrations and air transport have shown that successful cyber attacks can result in a significant loss of services.

Modern technologies may add vulnerabilities to ships, especially if they are placed on unsecured networks and given free access to the internet onboard. Additionally, shoreside and onboard personnel may be unaware that some equipment manufacturers maintain remote access to shipboard equipment and its network system. Unknown and uncoordinated remote access to an operating ship should be an important part of the risk assessment.

Gard recommends that companies fully understand the ship’s IT and OT systems and how these systems connect and integrate with the shore side, including public authorities, marine terminals and stevedores. This requires an understanding of all computer-based systems onboard and how safety, operations, and business can be compromised by a cyber incident.

Some IT and OT systems can be accessed remotely and may have a continuous internet connection for remote monitoring, data collection, maintenance, safety and security. These can be “third-party systems”, whereby the contractor monitors and maintains the systems from a remote location, and the data flow can be either two-way or upload-only.

Systems and workstations with remote control, access or configuration functions could, for example, be:

  • bridge and engine room computers and workstations on the ship’s administrative network,
  • cargo such as containers with reefer temperature control systems or specialised cargo that is tracked remotely,
  • stability decision support systems,
  • hull stress monitoring systems,
  • navigational systems including Electronic Navigation Chart (ENC) and Voyage Data Recorder (VDR),
  • dynamic positioning systems (DP),
  • cargo handling and stowage, engine, and cargo management and load planning systems,
  • safety and security networks, such as CCTV (closed circuit television),
  • specialised systems such as drilling operations, blow out preventers, subsea installation systems,
  • Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

Below are some common cyber vulnerabilities, which may be found onboard existing ships, and on some newbuild ships:

  • obsolete and unsupported operating systems,
  • outdated or missing antivirus software and protection from malware,
  • inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords,
  • shipboard computer networks lacking boundary protection measures and segmentation of networks,
  • safety critical equipment or systems always connected to the shore side,
  • inadequate access controls for third parties including contractors and service providers.

Recommendation No.3: Provide proper onboard awareness and training

Today, the weakest link when it comes to cyber security is still the human factor. It is therefore important that seafarers are given proper training to help them identify and report cyber incidents.

The latest cyber security surveys show that the industry is more aware of the issue and has increased cyber risk management training, but there is still room for improvement. This has also been confirmed by the 2018 Crew Connectivity Survey by Futurenautics Maritime group with partners, where only 15% of seafarers acknowledge having received cyber security training, and only 33% said the company they last worked for had a policy of regularly changing passwords on board.

When assessing cyber risks, both external and internal cyber threats should be considered. Onboard personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate seniority of onboard personnel including the master, officers and crew.

Gard has previously, together with DNV-GL, published a cyber security awareness campaign, free to download and share, to build competence among crew and others. It focuses on daily tasks and routines, with the aim of de-mystifying the cyber issues for “normal people”. The material is not intended to suggest any industry changes or rule changes, but rather changes in the way people behave and act.

Lastly, we recommend that everyone stay cyber alert and avoid all “COVID-19 phishing” expeditions:

  • Exercise caution in handling any email with a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
  • Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about cyber security and COVID-19.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
  • Remember to disconnect or close temporary remote access given to any external party after finishing the job.

Source: gard.no


Ships are increasingly using systems that rely on digitalization, integration, and automation, which call for cyber risk management on board. As technology continues to develop, the convergence of information technology (IT) and operational technology (OT) onboard ships and their connection to the Internet creates an increased attack surface that needs to be addressed.

Challenges in Maritime Cybersecurity

While the IT world includes systems in offices, ports, and oil rigs, OT is used for a multitude of purposes such as controlling engines and associated systems, cargo management, navigational systems, administration, etc. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. However, the evolution of digital and communications technology has allowed the integration of these two worlds, IT and OT.

The maritime OT world includes systems like:

  • Vessel Integrated Navigation System (VINS)
  • Global Positioning System (GPS)
  • Satellite Communications
  • Automatic Identification System (AIS)
  • Radar systems and electronic charts
Ship Bridge. Images courtesy of Isidoros Monogioudis and Hellenic American University

While these technologies and systems provide significant efficiency gains for the maritime industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance, and design of cyber-related systems as well as from intentional and unintentional cyberthreats.

When addressing these cyberthreats, it is important to consider the uniqueness of OT systems, as these assets control the physical world. As such, there are certain challenges to consider, such as:

  • OT systems are responsible for real-time performance, and response to any incidents is time-critical to ensure the high reliability and availability of the systems.
  • Access to OT systems should be strictly controlled without disrupting the required human-machine interaction.
  • Safety of these systems is paramount, and fault tolerance is essential. Even the slightest downtime may not be acceptable.
  • OT systems present extended diversity with proprietary protocols and operating systems, often without embedded security capabilities.
  • They have long lifecycles, and any updates or patches to these systems must be carefully designed and implemented (usually by the vendor) to avoid disrupting reliability and availability.
  • The OT systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities.

Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel and cargo, cause damage to the marine environment, and impede the ship’s operation.

In addition to the ongoing integration of IT and OT, the future will bring MAS – Maritime Autonomous Systems. Based on artificial intelligence and Internet of Ships and Sea Services, the new generation of ships will be remotely controlled from the shore. MAS has a “disruptive” potential with implications in terms of technical, economic, environmental, legislative and social impacts in the years to come. This development may also provide opportunities and new concepts which could improve logistics and, therefore, also improve the overall environmental impact of transport.

Maritime Cyber Threat Landscape

Completely digitalized shipping means greater reliance on digital, interconnected control and communication systems, says Isidoros Monogioudis, Adjunct Professor at the Hellenic American University.

Maritime digitalization is planned to increase performance and efficacy and to improve collaboration within the industry. However, at the same time it means a significant increase of the digital/cyber “attack” surface. The maritime industry, especially through vessel digitalization and the numerous different Operational Technology devices deployed, creates a digital landscape that was previously unknown to a large extent because of the specific hardware and software being used. New security risks will evolve, with very significant impact, mainly due to the direct connection with the physical world and the consequent operational damage.

In fact, it was only last July that the U.S. Coast Guard issued a safety alert warning all shipping companies of maritime cyber-attacks. The incident that led to this warning happened in February 2019 when a large ship on an international voyage bound for the Port of New York and New Jersey reported “a significant cyber incident impacting their shipboard network.”

The Coast Guard led an incident-response team to investigate the issue and found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.”

This was not the first time the U.S. Coast Guard had released a cyber safety warning. In May 2019, they published a bulletin to raise the awareness of maritime stakeholders of “email phishing and malware intrusion attempts that targeted commercial vessels.”

A cyber incident in ships might have severe consequences for the crew, the passengers, and the cargo on board. Considering that many ships carry harmful substances, a cyber incident might have severe environmental consequences or might lead to hijacking the ship to steal the cargo.

The Baltic and International Maritime Council (BIMCO) has defined a cyber safety incident as any incident that leads to “the loss of availability or integrity of safety critical data and OT.”

Cyber safety incidents can be the result of:

  • a cyber security incident, which affects the availability and integrity of OT (for example, corruption of chart data held in an Electronic Chart Display and Information System (ECDIS))
  • a failure occurring during software maintenance and patching
  • loss or manipulation of external sensor data that’s critical to the operation of a ship including but not limited to Global Navigation Satellite Systems (GNSS)

With more than 90% of the world’s trade being carried by shipping, according to the United Nations’ International Maritime Organization, the maritime industry is an attractive target for cyber attackers. The European Union has recognized the importance of the maritime sector to the European and global economy and has included shipping in the Network and Information Systems (NIS) Directive, which deals with the protection from cyber threats of national critical infrastructure.

Best Practices for Mitigating Maritime Cyber Threats

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should consider cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems.

The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

In addition, BIMCO has developed the Guidelines on Cyber Security Onboard Ships, which are aligned with the NIST Cybersecurity Framework. The overall goal of these guidelines is the building of a strong operational resilience to cyber-attacks. To achieve this goal, maritime companies should follow these best practices:

  • Identify the threat environment to understand external and internal cyber threats to the ship
  • Identify vulnerabilities by developing complete and full inventories of onboard systems and understanding the consequences of cyber threats to these systems
  • Assess risk exposure by determining the likelihood and impact of a vulnerability exploitation by any external or internal actor
  • Develop protection and detection measures to reduce the likelihood and the impact of a potential exploitation of a vulnerability
  • Establish prioritized contingency plans to mitigate any potential identified cyber risk
  • Respond and recover from cyber incidents using the contingency plan to ensure operational continuity

“Maritime industry and its digital exposure have many similarities with industrial systems and the broader OT,” says Isidoros Monogioudis. “In this context, these companies must move very fast to the direction of protecting their systems, providing a reliable operating environment not only from performance perspective but also from security perspective. Both proactive and reactive measures must be developed and applied with the real-time security awareness and visibility being possibly the most critical solution, since OT environment remains extremely sensitive in providing timely and accurate services.”

“Maintaining effective cybersecurity is not just an IT issue but is rather a fundamental operational imperative in the 21st century maritime environment,” said the U.S. Coast Guard in their July 2019 security warning.

Source: tripwire


After a successful pilot, system integrator Bakker Sliedrecht and gas shipping company Anthony Veder intend to enter a partnership to provide ships with remote service through augmented reality glasses (AR-glasses). 

The companies have run a successful pilot on gas tanker Coral Favia. During the pilot, functionalities were tested via a dial-up connection and common failures were simulated. On board, an officer wore the AR glasses, guiding Bakker Sliedrecht experts virtually through the ship.

Thijs van Hal, Head of Main Contracting at Bakker Sliedrecht, says:

“Normally, emails and construction plans are sent back and forth first and phone calls are made to get to the core problem. Now we can watch live. We can solve the problem immediately, or we know what’s going on and we can make a better planning and bring the right parts directly with us.”

Thijs. Anthony Veder has a fleet of over thirty vessels transporting liquified gas on a worldwide scale, says:

“Now it can happen that a colleague is travelling for several days, while afterwards it turned out that the solution for the malfunction was relatively easy. As downtime for ships is very expensive, quick service is important. If you can offer them remote assistance through AR glasses, you can be ready in two hours instead of two days.”

All kinds of digital information can be projected or added to the screen on the glasses. This varies from construction plans, virtual arrows to a 3D impression of the engine room or the switch box. Computer screens on the glasses can also be shared. It is a kind of webcam on site, where you both see the same thing and where you have multiple additional tools to make an accurate assessment of the situation.

Wouter Boogaart, Digital Development Manager at Anthony Veder, says:

“It is a very useful tool when there are problems on a ship far away. You can see together what is the problem and how you can solve it.”

The AR glasses can also be used for tests and remote inspections.

According to Van Hal, this type of remote assistance technology will become more important as ships are becoming more and more complex:

“We will do more things remotely. Then it is important that we are already successful with this.”

Anthony Veder wants to expand the deployment of the AR glasses in phases over a part of the fleet. In addition to purchasing AR glasses, staff will be trained and the IT infrastructure will be upgraded.

Boogaart says:

“We believe that these kinds of developments are the future. Ships are becoming increasingly complex. As a result, much more expertise and specialism is needed to see what is going on. Something that is often not present on board. The glasses can save a lot of time, travel time and money, which is why the investment is worth it. Especially during Corona times, the glasses are a useful tool because borders are closed and planes stay on the ground. Then these kinds of innovations have proven to be necessary.”

Source: seawanderer


Elbit Systems tested the combination of a mini-unmanned aerial system with its Seagull Unmanned Surface Vessel (USV) to further enhance the vessel’s intelligence capabilities beyond Anti-Submarine Warfare (ASW) and Mines Countermeasure (MCM). The addition of a UAS extends the Seagull operator’s line of sight. Trials were conducted in recent weeks.

The shipborne mini-UAS is capable of point water recovery and has a takeoff weight of up to 15 kg. The visual feed generated by the mini-UAS can be transmitted to the land-based control unit of the Seagull USV and to the Combat Management System (CMS) of additional vessels, according to the company announcement.

While the Seagull USV is a specially designed multi-role vessel for underwater warfare, the USV’s switchable payload suite includes Electronic Warfare and Electro-Optic/Infra-Red payloads to provide situational awareness and facilitate intelligence gathering.

The integration of a tactical UAS onboard the USV further expands its capacity to generate intelligence, making it possible to use the USV for enhancing the situational awareness of any maritime force and for shore exploration.

The Seagull USV enables naval forces to enhance performance while reducing risk to human life and dramatically cutting procurement and operating costs. Additional sonar systems were added onboard the Seagull USV during the last year, integrating a HELRAS sonar in cooperation with the Israeli Navy and concluding a series of trials for the TRAPS-USV towed sonar, significantly enhancing its ASW capabilities.

The Seagull USV was deployed in several exercises that were conducted with NATO maritime forces in the last few years, including an MCM exercise alongside the HMS Ocean of the UK Royal Navy, an ASW exercise and more.

Source: i-hls


The U.S. Department of Homeland Security has awarded Port Canaveral a $908,015 grant to help the port beef up its security.

The port said the grant will help pay for a $1.2 million project to improve Port Canaveral’s risk prevention, threat mitigation and security response service capabilities.

The grant award comes at a time when threats against seaports are evolving and becoming more sophisticated.

Cary Davis, government relations director and general counsel for the American Association of Port Authorities, said that, “whether it’s attempted supply-chain disruption, sophisticated and coordinated cross-border attacks, or novel cyber-threats that transcend national borders, ports have security challenges like never before.”

Port Canaveral Chief Executive Officer John Murray said the grant Brevard County’s seaport is receiving “will help us invest in some new technologies to broaden our capabilities to protect our people and assets with an enhanced ability to detect and respond to threats.”

Port Canaveral has been the world’s second-busiest cruise port, behind PortMiami, in terms of passenger volume, although the coronavirus pandemic has halted multiday cruises since mid-March. Port Canaveral also has a multifaceted cargo sector, with an increasing business involving space-related components, including SpaceX rocket boosters.

The grant Port Canaveral received is part of Department of Homeland Security’s Federal Emergency Management Agency Port Security Grant Program.

Port Canaveral was one of more than 30 U.S. ports awarded fiscal year 2020 federal funding from FEMA’s $100 million Port Security Grant Program, which provides grants to ports on a competitive basis. Some of that money also goes to terminal operators, municipalities and policing entities throughout the country.

Davis said these grants are crucial to the nation’s seaports.

“The Port Security Grant Program protects our country, our workers and our supply chains,” Davis said. “Ports large and small use these grants to stay vigilant; to ‘harden’ their facilities and networks; and to prepare for attacks. Even though it’s grotesque and difficult, critical infrastructure ports are targeted daily by terrorists around the world.”

The program’s priority is to protect critical port infrastructure, enhance maritime domain awareness, improve portwide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities.

This is the second major grant Port Canaveral has received for security projects in the last two years. In September 2018, Port Canaveral was awarded $1.15 million in federal and state grants for upgrades to its port security operations and cybersecurity detection and prevention systems.

Murray said ensuring the safety and security of the port and surrounding community is a top priority.

Source: floridatoday


ABSG Consulting Inc. (ABS Consulting), a subsidiary of ABS focused on safety and risk management, and American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) have joined forces to provide education, training and insurance guidance that address maritime cyber security.

As digital transformation in the maritime industry brings both opportunities and new challenges, owners and operators are relying more on smart technologies and operational data to drive decisions and run their businesses. Comprehensive cyber security programs are not only necessary to protect operations but are also critical to protect the overall safety of crew and the environment. More frequent cyber attacks, increased digitalization and emerging global regulatory focus are adding to immediate demands to address and reduce cyber risk across the industry’s value chain. Cyber security has become a business imperative and new measures will have an impact on how maritime vessels and facilities will be covered by insurers.

 

“The safety and security of our members is a priority. Having a better understanding of the tools available, the programs that can be implemented and the integration of these in the marine industry will help us provide better services to shipowners and charterers globally,” says Dr. William Moore, Director of Loss and Prevention at the American P&I Club. “The work we are going to do with ABS Consulting is going to help us identify how to enhance our policies, and the offerings we need to incorporate to improve the coverage and services we offer to our members.”

 

“Collaborating with the American Club to build education programs for their members and industry will give us a better understanding of the real challenges we are collectively facing,” says Ian Bramson, Global Head of Cyber Security of ABS Group. “This alliance enables us to develop the tools, training and services that support compliance and help ship owners and operators put protections in place to secure their vessels – from the design and construction phases through continuous operation over their service life.”
Source: tankeroperator


About the American Club
American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) was established in New York in 1917. It is the only mutual Protection and Indemnity Club domiciled in the entire Americas and its headquarters are in New York, USA. The American Club has been successful in recent years in building on its U.S. heritage to create a truly international insurer with a global reach second-to-none in the industry. Day-to-day management of the American Club is provided by Shipowners Claims Bureau, Inc. also headquartered in New York. The Club is able to provide local service for its members across all time zones, communicating in a large number of different languages, and has subsidiary offices located in London, Piraeus, Hong Kong, Shanghai and Houston, plus a worldwide network of correspondents. The Club is a member of the International Group of P&I Clubs, a collective of 13 mutuals which together provide Protection and Indemnity insurance for some 90% of all world shipping.

P&I Insurance
Protection and Indemnity insurance (commonly referred to as “P&I”) provides cover to shipowners and charterers against third-party liabilities encountered in their commercial operations; typical exposures include damage to cargo, pollution, death/injury or illness of passengers or crew or damage to docks and other installations. Running in parallel with a ship’s hull and machinery cover, traditional P&I cover distinguishes itself from usual forms of marine insurance by being based on the not-for-profit principle of mutuality where Members of the Club are both the insurers and the assureds.

About ABS Group
ABSG Consulting Inc. (ABS Consulting) is part of ABS Group of Companies, Inc., a wholly owned subsidiary of ABS, one of the world’s leading marine and offshore classification societies. Through its operating subsidiaries, ABS Group provides data-driven risk and reliability solutions and technical services that help clients confirm the safety, integrity, quality and efficiency of critical assets and operations. Headquartered in Spring, Texas, ABS Group operates with more than 1,000 professionals in over 20 countries serving the marine and offshore, oil, gas and chemical, government and industrial sectors.

Source: en.portnews.ru

In the Spring Edition of ITNOW, I wrote an article on why we should be moving away from traditional cyber security and focussing on cyber mission assurance and cyber resiliency techniques. This meant framing cyber security in a manner that focussed on the outcomes the organisation needs to achieve with the preparedness to expect, and the ability to respond and recover in response to an adverse cyber effect.

NIST SP 800-160 defines cyber resiliency as: ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.’

What do we mean by cyber safety?

Cyber safety is a relatively new term. For this article, the definition used is that of the Royal Academy of Engineering, which in its March 2018 document ‘Cyber Safety and Resilience’ defines cyber safety as ‘the ability of digital systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property’.

What this means is that our risk assessment has to consider the potential impact of a cyber event on the safe and secure operation of a safety-critical system, and therefore what controls and mitigations we need to introduce to ensure that the risk is as low as reasonably practicable (ALARP).

What this approach doesn’t cover is recognising the overlaps between cyber security and safety. We know all too well that we need to adopt an approach of layered security, or defence-in-depth, to protect and defend our systems, making it hard for our adversaries to achieve their goals. It would be wrong of us, however, to believe that we can stop every single attack. It is for this reason that our systems have to be resilient and have to be able to continue mission-essential functions during periods of attack. This means ensuring that these systems remain safe to operate and can continue their safety-critical functions.

So, what is new?

A key question you might ask is whether there is anything new by considering safety as part of the totality of cyber risk. The answer is quite simple: Yes. My major concern with current cyber security approaches is that they focus almost entirely on the risks to information, and therefore the risks this presents to the organisation (business objectives):

  • What is the risk to the confidentiality, integrity, and availability of the information?

My perspective is that very few organisations ask the (additional) key questions:

  • What is the risk to the system itself and the wider environment? (I.e. is it the system itself which is the target, rather than the information it processes?)
  • What is the risk to the people using the system or those who are reliant on its undisrupted operation?

With the rapidly increasing prevalence of the internet of things and cyber-physical systems, this needs to be considered by all industrial sectors. Let’s not forget that it was the compromise of programmable logic controllers by Stuxnet that caused a series of centrifuges to rotate rapidly outside of their set parameters, resulting in their physical destruction. If that effect can be achieved on a standalone system, then what can happen on a networked system?

What is important is that I am not suggesting that organisations need to conduct considerably more work to understand the safety considerations of their systems, but instead they need to understand the potential hazards that may be introduced should safety-critical functions be disrupted due to a cyber event. Once these hazards have been identified they can be assured through existing cyber security standards and frameworks. The key is we need to ensure that our cyber systems are not just ‘Secure to Operate’ but also ‘Safe to Operate’.

For the purpose of this article, I’ve made the broad assumption that organisations have taken a system-level approach to understanding the overall threats to the organisation (System) rather than focussing on a component-driven approach and building up (further advice on this is available from the National Cyber Security Centre (NCSC)). Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.

Why should an organisation care?

I’d urge you to read a short article written by Nick Richards in Tripwire during 2018, ‘Why Cyber security is the New Health and Safety’. Nick argues that in order to prevent serious damage that could be caused by a cyber-attack, including the risks to individual safety, organisations should pay as much attention to cyber-security as they do to Health and Safety (H&S).

The ultimate aims of cyber-security and H&S are aligned. They are all designed to prevent loss to the organisation, its assets, and its personnel. There is another point to make which is that all assurance teams have an obligation to work together since all are trying to prevent the same types of losses albeit through different causes.

What happens if a building management system is compromised during a period when H&S is vital? The consequences of a ‘hack’ on this system which causes security doors and barriers to fail closed when they should fail open could be catastrophic. Ultimately, the H&S consequences directly relate to IT and mitigations should be employed with the input of both specialist functions.

It wouldn’t be an article on safety without mentioning the HSE

The TRITON malware, designed to disable safety-critical functions within the industrial setting, was discovered during 2017 within a Saudi Arabian petrochemical plant, although it was contained before it was able to do any actual damage. One aspect which may have enabled this is the convergence of IT and operational technology (OT). I’m not going to speculate on what vulnerabilities may have afforded access to the attackers in this instance; instead I’m going to say something that should be obvious. We need to understand the risks posed by the convergence of these different technologies, although those risks are beyond the scope of this article.

The NCSC recognise that there is a need to apply an integrated approach which adapts and applies best practice from both the safety and security communities. The 14 principles within the NCSC Cyber Assessment Framework (CAF) provide useful guidance for ‘organisations managing cyber-related risks to public safety’ (one of the three broad areas where NCSC believe the guidance is useful).

We can’t talk about safety without mentioning the Health and Safety Executive (HSE). Back in March 2017, the HSE published its guidance OG86 ‘Cyber Security for Industrial Automation and Control Systems (IACS)’. Although this guidance is primarily aimed at HSE Inspectors, particularly around applying a consistent approach to regulation, this document is freely available to all organisations and provides useful guidance on how compliance might be achieved. If you know me, you know how much I hate a compliance-based approach as it encourages a ‘do-minimum’ mentality, but I fully support that this is guidance that takes us in the right direction.

International Maritime Organisation (IMO) resolution on cyber risk management

What has prompted me to write this article is the imminent enforcement of the International Maritime Organisation Resolution MSC.428(98) – ‘Maritime Cyber Risk Management in Safety Management Systems’. If you haven’t guessed from the title, what this resolution requires is that organisations within the maritime industry ensure that cyber risk is appropriately included within their respective safety and environmental management systems (SEMS). I’m not intending to go into the detail of the resolution; it is easily searchable on the IMO website. Instead, I want to focus on the core message.

We need to be able to ensure that we can safeguard shipping from cyber-attacks and have processes in place to improve resiliency for when these are successful. The IMO resolution provides a massive step forward as it allows shipping companies to simply complement existing safety and security management practices already established by the IMO with cyber risk management practices.

What we do need to remember is a ship may be in service for some decades and therefore will have been designed and built during a period when the cyber threat was different. That does not preclude the organisation, however, from having the appropriate policies and processes in place to respond to a cyber-event.

The resolution is an excellent step forward to ensuring that maritime organisations consider the impacts that cyber events could, and would likely have, on safety. The resolution, however, is not prescriptive on how this should be achieved but it does provide guidance on how a maritime organisation should approach the assessment of cyber risk. Interestingly, the supporting document MSC-FAL.1/Circ.3 maps some of the considerations, which are not exhaustive, to the NIST Cyber Security Framework function areas (identify, protect, detect, respond, recover).

You might sense a bit of repetition in this article as this takes me back to an earlier point. I am not suggesting that organisations that already have cyber risk management processes have to conduct a significant amount of further work. Existing methodologies can be used to help assess the impacts that a cyber event can have on safety. This is possible through the use of ISO27001 and the NIST CSF, as well as other frameworks, to ensure that systems are both designed and operate in a manner that is safe and secure. They just have to be conducted and viewed through a safety lens; i.e. what would prevent that system from operating safely?

But another question I have is: Has cyber been considered as a part of the SEMS for the other sectors, namely rail, aviation, automotive? If the answer is they haven’t, then maybe they need to.

What is the takeaway?

Organisations need to ensure that both cyber security and cyber safety risks are understood and documented, and that processes are in place to manage these at a level which is ALARP for both H&S and security. The mitigations should be planned jointly to maximise effectiveness. The message is simple. Gone are the days of considering cyber security and H&S separately. We must ensure that we follow an integrated approach that ensures that our systems are both secure and safe to operate.
Source: bcs


Nippon Kaiji Kyokai (“ClassNK”) joined the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as part of a growing list of maritime community partners. This is an innovative relationship between the two nonprofit organizations aimed at strengthening vessel and shoreside cyber risk management. The partnership provides ClassNK with actionable insights from community-sourced cyber threat intelligence to reinforce ClassNK’s Cyber Security Guidelines to help prevent cyber incidents from negatively impacting the safety and security of maritime operations. ClassNK is the first classification society and the first non-U.S. organization to formally join the MTS-ISAC, helping broaden the reach of the MTS-ISAC’s efforts to support the maritime community.

Both vessel and shoreside cybersecurity efforts will be under increasing scrutiny starting in 2021. The International Maritime Organization (IMO) has a deadline of January 1, 2021 for Maritime Cyber Risk Management to be addressed in Safety Management Systems. Meanwhile, the U.S. Coast Guard will be inspecting Maritime Transportation Security Act of 2002 regulated facilities for cyber risk management efforts for the first time starting with annual inspections occurring on or after October 1, 2021. Both of these organizational efforts have signaled to maritime stakeholders that cybersecurity is a priority that must be addressed to ensure safe and secure MTS operations.

Hirofumi Takano, Executive Vice President at ClassNK, explains, “We have been working with the International Association of Classification Societies (IACS), maritime stakeholders and cyber security professionals to understand and promote cybersecurity best practices across the maritime transportation system (MTS). By joining the MTS-ISAC, we will have increased visibility to current, real-world examples of cyber threats targeting MTS stakeholders. This provides us an opportunity to reinforce how, and periodically update, ClassNK’s Cyber Security standards to provide our stakeholders with the latest security recommendations to protect their assets from cyber threats. With IMO 2021 right around the corner, this relationship is perfectly timed to add increasing value to our stakeholders, and we are excited to be a part of the active and growing MTS-ISAC community. We hope ClassNK stakeholders will quickly understand the value of this partnership.”

“We are excited that ClassNK is bringing a proactive, classification society perspective into the MTS-ISAC community,” adds Scott Dickerson, the MTS-ISAC’s Executive Director. “The MTS community’s resiliency is improved when we can quickly address cyber risks with meaningful cybersecurity controls. ClassNK joining the MTS-ISAC is a perfect example of how community partnerships provide win-win situations while reinforcing to stakeholders how the implementation of guidelines and recommended security controls can reduce their exposure to risks the community is actively seeing. The MTS-ISAC’s Board of Directors understands the importance of cyber risk prevention efforts and are supportive of the inclusion of class societies into our information sharing ecosystem as a key component to building a stronger culture of community cybersecurity.”

The MTS-ISAC, which was formed in February of this year, has seen rapid adoption of its Cybersecurity Information Sharing Services, and has produced a number of maritime cybersecurity advisories sourced from member shared information. The MTS-ISAC strives to incorporate best practices into their intelligence products so that MTS critical infrastructure stakeholders can be better protected. While ClassNK is the ISAC’s first international member, it anticipates additional international stakeholders to be joining the community.

Source: hellenicshippingnews.com

Violent attacks against ships and their crews have risen in 2020, with 77 seafarers taken hostage or kidnapped for ransom since January, reveals the ICC International Maritime Bureau’s (IMB) latest piracy report.

The Gulf of Guinea off West Africa is increasingly dangerous for commercial shipping, accounting for just over 90% of maritime kidnappings worldwide. Meanwhile ship hijackings are at their lowest since 1993. In total, IMB’s Piracy Reporting Centre (PRC) recorded 98 incidents of piracy and armed robbery in the first half of 2020, up from 78 in Q2 2019.

The increasing threat of piracy adds to hardships already faced by hundreds of thousands of seafarers working beyond their contractual periods due to COVID-19 restrictions on crew rotations and international travel.

“Violence against crews is a growing risk in a workforce already under immense pressure,” says IMB Director Michael Howlett. “In the Gulf of Guinea, attackers armed with knives and guns now target crews on every type of vessel. Everyone’s vulnerable.”

So far this year, 49 crew have been kidnapped for ransom in the Gulf of Guinea and held captive on land for up to six weeks. Rates are accelerating, with 32 crew kidnapped in the past three months alone. And incidents are happening further out to sea: two-thirds of the vessels were attacked on the high seas from around 20 to 130 nautical miles off the Gulf of Guinea coastline.

IMB PRC urges vessels to report any attacks promptly. It can then liaise with coastal agencies, international navies and vessel operators, encouraging a quick response to deter piracy and armed robbery and improve the security of seafarers. IMB PRC also broadcasts to shipping via GMDSS Safety Net Services and email alerts to Company Security Officers.

“We need to change the risk-to-reward ratio for pirates operating within the Gulf of Guinea. Without an appropriate and proportionate deterrent, pirates and robbers will get more ruthless and more ambitious, increasing the risk to seafarers,” says Howlett.

In one recent case commended by IMB, the Nigerian Navy responded promptly to a distress call from a fishing vessel boarded and hijacked by armed assailants in Ivory Coast waters. As a result the crew were saved and the ship was prevented from being used as a possible mother vessel to carry out further attacks.

In another incident, a product tanker was attacked while underway around 127 nm off Bayelsa, Nigeria. Eight armed pirates kidnapped ten crew as well as stealing cash, personal valuables, and ship’s property. IMB PRC contacted regional and international authorities, and a Nigerian Navy Security Vessel was dispatched. A nearby sister vessel helped the four remaining crewmembers to sail the tanker to a safe port. The kidnapped crew were released three weeks later.

Singapore Straits

The Singapore Straits saw 11 incidents in the first half of 2020, raising the risk of collisions in this busy shipping channel, especially at night. Although most are opportunistic – low-level attacks that are aborted once the alarm is sounded – two reports in May 2020 indicated crew were threatened with knives, taken hostage and injured.

There were ten attacks in Indonesian anchorages and waterways in Q2 2020, up from five in Q1 2020.

Americas – Call for more reporting

IMB is recording more incidents in new areas of Latin America, but says many attacks go unreported, making the problem more difficult to tackle.

The four attacks that were reported in Mexico all targeted offshore vessels and happened within a span of 11 days in April. One anchored accommodation barge was boarded by six people wearing face masks and armed with automatic weapons and pistols. They attempted to enter and opened fire, leading to an injured crewmember and three damaged windows. The Master raised the alarm, sent a distress message, informed the Chief Security Officer, and the crew mustered in the citadel. The incident was reported to the Marine Control and a naval boat was dispatched, but the attackers escaped with the barge’s high value project equipment.

Incidents continue to be reported off Callao Anchorage, Peru, while vessels off the coast of neighbouring Ecuador have recorded incidents each year since 2017, with at least three container ships attacked while underway in Q2 2020. In one case, two crew were taken hostage for the duration of the robbery and in another the perpetrators fired on the ship when they were unable to gain access.

Somalia

No incidents were reported off Somalia. Vessels are urged to continue implementing Best Management Principles (BMP5) recommended practices while transiting these waters. The Somali pirates still maintain the capability for carrying out attacks.

IMB Piracy Reporting Centre

Since 1991, the IMB PRC’s 24-hour manned center remains a single point of contact to report the crimes of piracy and armed robbery. The Centre not only assists ships in a timely manner, it also provides the maritime industry, response agencies and governments with transparent data received directly from the Master of the vessel under attack, or its owners.

Source: iccwbo

