MARITIME CYBER SECURITY Archives - Page 5 of 40 - SHIP IP LTD

(www.MaritimeCyprus.com) The International Association of Classification Societies (IACS) has recently published new Unified Requirements for cyber security: E26 and E27. These will be be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024.

The new IACS Unified Requirements (URs) are based on recognized international standards for the cyber security of industrial automation and control systems, such as IEC 62443. In brief, the new IACS URs cover the following main topics:

  • Scope of applicability, including OT systems for important vessel functions
  • Identification and protection against cyber threats
  • Detection of incidents
  • Means to respond and recover
  • Hardening and security capabilities of systems and components

The URs will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024.

Recommendations

Until the new URs are in force,  product suppliers, shipyards, and ship owners are encouraged to implement cyber security into control systems, ship design and relevant management systems on board. Special attention is recommended for product suppliers of systems within the scope of the URs, as these systems may need further development and design changes to comply with the URs.

These URs will be applied to new ships contracted for construction on and after 1 January 2024 although the information contained therein may be applied in the interim as non-mandatory guidance.

IACS Secretary-General, Mr. Robert Ashdown stated “These two URs on cyber safety provide minimum goal-based requirements for the cyber resilience of new ships and for the cyber security of onboard systems and equipment.  In an increasingly connected and digitised maritime world, these URs represent a significant milestone in IACS’ work to deliver safer shipping in the face of continuously evolving technological developments.”

Source: IACS


The International Association of Classification Societies (IACS) has recently published new Unified Requirements for cyber security: E26 and E27. These will be be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. Find out more about the Unified Requirements in this statutory news.

IACS unified requirements for cyber security mandatory from 1 January 2024_358x250

Relevant for ship owners and managers, design offices, shipyards and suppliers.

The new IACS Unified Requirements (URs) are based on recognized international standards for the cyber security of industrial automation and control systems, such as IEC 62443. In brief, the new IACS URs cover the following main topics:

  • Scope of applicability, including OT systems for important vessel functions
  • Identification and protection against cyber threats
  • Detection of incidents
  • Means to respond and recover
  • Hardening and security capabilities of systems and components

The URs will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. Consequently, the DNV class notation Cyber secure(Essential) will be mandatory from this date.

The technical security requirements of the IACS URs E26 and E27 are fully aligned with DNV’s class notations for cyber security and are covered by the current edition of the DNV class notation Cyber secure(Essential).

For customers who would like, on a voluntary basis, to implement the new IACS cyber security requirements before 1 January 2024, the following items outline how to achieve this in line with the current DNV rules:

  • Systems type approval (TA) in accordance with the current edition of DNV rules for the class notation Cyber secure(Essential) / security profile 1 will meet the IACS URs E26 and E27. The TA process will be amended with the audit of the relevant additional development activities in accordance with IACS UR E27 section 5.
  • Ships and offshore installations assigned the class notation Cyber secure(Essential, +) as per the current edition of DNV rules, will meet the IACS URs E26 and E27. The additional qualifier (+) is needed to extend the scope of systems in accordance with the scope of applicability in IACS UR E26.

DNV will arrange a webinar on the upcoming IACS URs for cyber security on 23 August 2022. The invitation will follow in mid-August.

Source: IACS

New You can now listen to the Insurance Journal articles!

 

In February 2019, a large container ship sailing to New York identified a cyber intrusion on board that surprised the US Coast Guard. Although the malware attack never controlled the vessel’s movement, authorities concluded that weak defenses exposed critical functions to “significant vulnerabilities”.

A maritime disaster did not occur that day, but an alert was raised over an emerging threat to global commerce: computer hacking capable of penetrating shipboard technology that replaces old methods of steering, propulsion , navigation and other key operations. Such leaps in hacking capabilities could cause huge economic damage, especially now when supply chains are already stressed by the pandemic and the war in Ukraine, experts including a senior custodian have said. -ribs.

“We’ve been lucky so far,” said Rick Tiene, vice president of Mission Secure Inc., a cybersecurity firm in Charlottesville, Virginia. “More and more incidents are happening and hackers have a better understanding of what they can do once they have taken control of a working technology system. In the case of maritime – be it the ports or the ships themselves – there is an awful lot that could be done to harm both the network and the physical operations.

Rear Admiral Wayne Arguin, deputy commander of Coastguard Prevention Policy, said shipping faces similar cyber risks to other industries – it’s just that the stakes are much higher given that almost 80% of world trade is carried out by sea. Although Arguin declined to put a figure on the frequency of break-in attempts, he said: “I’m very confident that daily networks are being tested, which really reinforces the need to have a plan.”

Anti-stress system

“A potential intentional attack could really stress the system and we’re definitely thinking about how to consolidate that,” Arguin said in an interview. “When you couple that with the sensitivity of supply chain disruptions, it can be devastating to the shipping system.”

This universe includes not only ship operators, but also port terminals and the thousands of logistical links of increasingly interconnected global supply chains.

BlueVoyant, a New York-based cyber defense platform that recently analyzed 20 well-known shipping companies, said progress has been made since 2021, but “there are more cyber defense actions the industry can take to make things more secure”. A broader third-party cyber risk survey showed that 93% of respondents acknowledged having experienced direct breaches related to supply chain weaknesses, with the average number of intrusions rising from 2.7 in 2020 to 3.7 last year, according to Lorri Janssen-Anessi, director of BlueVoyant. external cyber-assessments.

Hackers have hit several major logistics operations already this year. Jawaharlal Nehru Port Trust, India’s busiest container port, suffered a ransomware attack in February. A targeted attack on Washington Inc.’s Expeditors International, a large freight forwarding company, crippled its systems for approximately three weeks and resulted in $60 million in expenses. Blume Global Inc., a Pleasanton, Calif.-based supply chain technology company, said in early May that a cyber incident temporarily rendered its asset management platform inaccessible.

“Vulnerable areas”

“You picked an industry that has a lot of vulnerable areas,” said Jennifer Bisceglie, CEO of Arlington, Va.-based Interos, a supply chain risk management firm.

The shipping industry is the backbone of global trade in goods, but when it comes to cyber vulnerabilities, its wide reach is an Achilles heel. The biggest companies are catching up and, after years of struggling to make money, now have the resources to invest in improved ship-to-shore technology.

Hapag-Lloyd AG, Germany’s largest shipping company, announced in April that it would become the first carrier to equip its entire container fleet with real-time tracking devices. Most major container lines use remote sensors for functions such as monitoring engine performance, maintaining cooling systems or opening a pump valve. Electronic charts and collision avoidance mapping can be updated ashore and shared remotely. Many new ships ordered during this peak profitability period will be equipped with greater online connectivity for shore operations.

Such advancements add visibility and efficiency, but they also potentially make it easier for hackers to work, experts said.

“Vessels were quickly connected to the internet using satellite communications, but without all the other security checks necessary to be safe and secure at sea,” said Ken Munro, security specialist at Pen Test Partners, a cybersecurity company with clients in the maritime industry. . “So now maritime operators are frantically trying to reinstate those controls, but are struggling with decades-old equipment on board that can be very difficult to secure.”

To help guard against threats, the International Maritime Organization, a United Nations agency responsible for safety and security, issued guidelines that companies were supposed to adopt from 2021. Some analysts said these regulations had not had enough of the intended effect and led to a wide range of responses.

System patchwork

“Some have been very proactive and started working long before the regulations,” said Captain Rahul Khanna, global head of maritime risk advisory at Allianz Global Corporate & Specialty, a unit of the Munich-based financial services firm, Allianz SE. “On the other end of the spectrum, you had people who are aware and just doing the bare minimum to get the certificate on their records.”

Even modern ships have a patchwork of systems from different manufacturers that have taken cybersecurity to varying degrees of seriousness, said Andy Jones, the former head of information security at AP Moller-Maersk A/S. , the world’s number 2 container ship. “Some operators have taken this seriously, but with large fleets and vessels that are probably over 30 years old, this is a very heavy order.”

Jakob Larsen, maritime security specialist at Bimco, one of the world’s largest associations representing shipowners, defended the industry’s position on cyber protections as “relatively strong” and on par with other sectors. Although increased digitization brings “more and more attack surface,” he said, instances where operational controls have been hacked are rare and technically difficult to achieve.

“This idea that someone can take over a ship and do all kinds of things, when it might be technically possible for a really skilled hacker who has the time to do it, in reality it’s not really something we see,” Larsen said. “Theoretically, yes, it can happen and of course we have to constantly stay up to date with our defenses and watch out for new threats.”

“Huge under-reporting”

Khanna said there was “huge under-reporting” when ships are attacked and “those who say they weren’t just don’t know”.

There is consensus within industry and government that there needs to be more information sharing. “Everyone has to be all in on this game and understand when there are vulnerabilities — getting this information out quickly will be one thing that will continue to help use closed doors,” the Coast Guard’s Arguin said.

For some observers, a wake-up call about the stakes at stake came in March 2021, when the Ever Given – one of the world’s largest container ships – ran aground and blocked traffic in the channel. from Suez for almost a week. The crash, attributed in part to high winds, cut off much of Europe’s trade with Asia and upended supply chains for several weeks.

“The Suez incident made everyone realize that global supply chains are actually quite vulnerable,” Munro said. “It’s not that Suez was a hack – it wasn’t – but it so easily could have been.”

Source: https://rushhourtimes.com/cyber-hackers-prowling-ship-controls-threaten-another-big-shock/


The maritime industry serves a critical role in the global supply chain. But the industry also relies on its own supply chain. In the part-3 of our cyber risk management series, we will take a look at how the maritime supply chain works and how cyber risks can arise from the imbalance of responsibilities, the ship operator’s lack of control and the disconnect in regulation.

The maritime industry serves a critical role in the global supply chain. But the industry also relies on its own supply chain. Everything from fuel for the engines to food for the crew needs to be delivered to ships around the world for the industry to function. This supply chain extends to the supply and maintenance of onboard computing equipment and applications that support vessel operations. The ship owner and operator frequently relies on the supply chain to ensure such equipment and applications are always up to date, well maintained and secure. Every software component onboard a vessel creates some cyber risk, but this research has identified specific areas of concern including the imbalance of responsibilities, the ship operator’s lack of control and the disconnect in regulation.

Every software component onboard a vessel creates some cyber risk, but this research has identified specific areas of concern including the imbalance of responsibilities, the ship operator’s lack of control and the disconnect in regulation.

RESPONSIBILITY

Under a charterparty, the ship owner has an express obligation to ensure the ship is seaworthy before, at the beginning of and throughout the voyage. The owner must demonstrate that they have exercised due diligence to ensure seaworthiness of the vessel.

The obligation on seaworthiness cannot be delegated to third parties. This means that the ship owner must demonstrate they have exercised the due diligence to ensure that any onboard systems must be secure enough not impact the seaworthiness of the vessel, even if the system is supplied, installed or maintained by a third party.

According to our industry survey, conducted as part of this research, 78% of shoreside employees at shipping companies have cyber risk management procedures in place for dealing with third parties such as suppliers. However, the same survey found that just 55% of industry suppliers are asked by customers to prove they have cyber risk management procedures in place. This statistic demonstrates a clear gap in the industry’s due diligence of managing supply cyber risk.

Cyber experts interviewed in compiling this report repeatedly pointed to significant risks that exist across the maritime supply chain caused by suppliers not working to an acceptable standard of security. This spans everything from developing systems that are vulnerable even to basic cyber intrusions in the first place, poor practices during installation to insecure practices when visiting the vessel for system maintenance.

The responsibility of the supply chain in relation to cyber risk management of vessel operations is not clear. Equipment or service supply contracts generally clarify responsibilities and obligations in relation to defects in the supplied equipment or deficiencies in the service. However, responsibilities requiring the supplier to ensure a reasonable level of cyber risk management are not explicitly stated in most cases. To make matters worse, shipping cyber emergency response plans are not often developed in cooperation with key suppliers. Where they are, it is rare that exercises or drills are performed involving the supply chain, so lessons on the critical actions that ship owners need their suppliers to perform during a cyber incident are never uncovered, tested and improved.

CONTROL

Though a ship’s hull and machinery may remain the same throughout its life, the average commercial vessel has at least 50 distinct systems that contain computing and software components. To the ship operator and their crew, these components are often “black boxes” and there is very little technical knowledge beyond the minimum necessary to operate them, identify a fault or make minor fixes. Certainly, the ship operator is not able to integrate any cybersecurity controls, such as deploying antivirus software or test for any existing defenses, without explicit permission from the equipment manufacturer. Any attempt to do so is generally considered to violate conditions for warranty.

Operators are not entirely powerless. There are actions they can take to regain some control of securing the supply chain of onboard systems.

Of those maritime organisations that reported being the subject of a cyber attack in the last three years, 3% said the attack resulted in them paying a ransom. The average ransom paid was US$3.1 million.

While a small number of system manufacturers have proactively taken steps to shore up the cyber protection of the equipment they manufacture and the applications that are provided alongside these, the vast majority of shipping equipment manufacturers have done very little to provide ship operators assurance around this.

This problem is exacerbated by integrators that are not sufficiently knowledgeable in cybersecurity, making decisions leading to insecure configurations and integrations that may undo the security designed into the equipment in the first place. The nature of shipping operations means that when equipment breaks down and needs replacing or repair, it must be dealt with quickly and efficiently as delays can be incredibly costly. Replacements are frequently bought on short order, and purchases are determined by convenience, not security.

This results in a major disconnect between the exposure for the ship operator and their ability to control the risks. However, operators are not entirely powerless. There are actions they can take to regain some control of securing the supply chain of onboard systems. Getting a clear understanding of the inventory of these computing systems and how they are connected is an excellent starting point.

According to data from CyberOwl, 54% of the ships monitored by CyberOwl have between 40 and 180 connected devices onboard. This includes expected devices such as business workstations, PCs, printers and company phones. Most alarming is that on many vessels monitored by the company, systems that were thought to be isolated, such as cargo computers and engine monitoring systems, were found to be connected to the onboard business IT network somehow.

REGULATION

The main regulation for cyber risk management in shipping relates to the IMO resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The resolution gives effect to a requirement for an approved SMS to incorporate cyber risk management. Shipping administrations must ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance (DoC) after 1 January 2021.

Though a ship’s hull and machinery may remain the same throughout its life, the average commercial vessel has at least 50 distinct systems that contain computing and software components.

As this regulatory instrument is implemented via the DoC, it places the burden of regulatory compliance solely on the ship owner. This also follows in the majority of maritime cyber risk management guidelines, that are mainly focused on the actions ship owners can take to cyber secure their ships. For the manufacturer of onboard systems and provider of software based services for shipping systems, the requirements are a lot less clear.

Several Classification Societies have developed some type approvals specifically relating to incorporating minimum cyber security standards within the design of ship equipment and systems. However, unlike for equipment such as voyage or safety critical apparatus, these are voluntary and do not affect the certification of the ship. At the time of writing, based on a search of the public databases of the type approvals granted, there is minimal uptake of these voluntary type approvals.

Interviews conducted during this research suggest the lack of clarity and some level of prescription is creating confusion and frustration. It results in a level of subjectivity for the ship owner who is now required to ensure their SMS incorporates appropriate cyber risk management of their supply chain in order to be granted their DoC, but cannot point to any minimum standards that their supplier must comply with.

Download the full report here

CYBER SECURITY MANAGEMENT SERIES

In the last few years, the maritime industry has made great progress in improving its approach to cyber risk management, but significant gaps remain. This report developed in collaboration with CyberOwl and HFW explores the gaps that exist between the industry’s perceptions of cyber security and reality, taking into account the views of more than 200 stakeholders from across the industry, including cyber security experts, seafarers, shoreside managers, industry suppliers, and C-suite leaders.

Over the coming weeks, we will be sharing a series of articles on the state of cyber risk management in the maritime industry, and we will also uncover the great disconnects that exist across the industry where expectations and reality don’t match up, cyber risk management efforts are lacking, or risks that are unique to maritime exist.

Source: https://thetius.com/3-things-that-make-the-maritime-supply-chain-vulnerable-to-cyber-threats-and-what-to-do-about-them/


Cyber pirates hijacking on-board technology for key operations appear to be an emerging threat to world trade. The current economy, following the pandemic and the commencement of a war in Ukraine, is particularly vulnerable.

In February 2019, a large container ship sailing for New York identified a cyber intrusion on board that startled the US Coast Guard. Though the malware attack never controlled the vessel’s movement, authorities concluded that weak defenses exposed critical functions to “significant vulnerabilities.”

A maritime disaster didn’t happen that day, but a warning flare rose over an emerging threat to global trade: cyber piracy able to penetrate on-board technology that’s replacing old ways of steering, propulsion, navigation and other key operations. Such leaps in hacking capabilities could do enormous economic damage, particularly now, when supply chains are already stressed from the pandemic and the war in Ukraine, experts including a top Coast Guard official said.

Source: https://shippingwatch.com/carriers/article14193887.ece

Five years ago this week, Maersk said a cyber attack crippled its computer network, affecting its port terminal operations from India to the Netherlands, rippling across to nearly 60 countries and eventually causing as much as $300 million in damages.

It was, as Andy Jones refers to it in the parlance of cyber security experts, an “extinction event.”

Jones is the former chief information security officer at Maersk Line, and he has a podcast that recounts the event that unfolded and is worth listening to for advice on how to deal with hacking threats and actual intrusions.

The NotPetya attack in 2017 that hit Maersk and other global businesses seems so long ago given the bust-to-boom wave the shipping industry has ridden since then. Imagine if something that widespread happened today, as ports still struggle with economic imbalances caused by the pandemic.

Cyber threats are nothing new to maritime shipping and logistics more broadly. Every month seems to bring another event. Last week, UK delivery giant Yodel said its systems were compromised, though a spokesman said Monday the delivery network and customer service functions were fully operational.

Warning Flare

Now some experts, including a top US Coast Guard official, are sounding the alarm again about the rising risks not just on land, but on ships themselves. Such potential breaches of operational technology could do huge economic damage at a time when global supply chains are already frayed. (Click here for the full story today.)

Shipping is using much of its windfall profits from the pandemic era to upgrade technology, creating more digital linkages from land to water that are both a welcome step in a paper-laden business and a worry unless cyber precautions are taken.

“Ships and their systems were never designed to be connected in this manner and even a modern ship is a patchwork of different systems from different manufacturers who have all taken cyber security in various degrees of seriousness,” Jones said via email. “Some operators have taken this seriously, but with substantial fleets and ships that are probably over 30 years old, it is a very tall order.”

Across industry and government, there’s agreement that there needs to be more unified approach and more information sharing.

“Everybody needs to be all-in in this game and understand when there are vulnerabilities — getting that information out quickly is going to be thing that continues to help us close doors,” US Coast Guard Real Admiral Wayne Arguin told Bloomberg.

Brendan Murray in London

Source: https://www.bloomberg.com/news/newsletters/2022-06-28/supply-chain-latest-ships-embracing-tech-upgrades-see-cyber-risks-rise


Our new associate member Port Technology International held an online cybersecurity event for ports and terminals yesterday for over 200 maritime and port professionals. Opening the conference, IAPH Data Collaboration chairman Pascal Ollivier (president, Maritime Street) made a keynote on key insights and practices based on the work completed by over 20 authors from our membership ranks for the IAPH Cybersecurity Guidelines for Ports and Port Facilities. The document  was recently endorsed by IMO during FAL-76 and will be mentioned in MSC-FAL.1/Circ.3, effectively establishing a port industry standard alongside the BIMCO cybersecurity guidelines for shipping. In addition, two authors of the guidelines (Max Bobys of Hudson Cyber and Gadi Benmoshe of Marinnovators) took part in the panel discussion on how ports and terminals can build effective resilience against evolving cyber threats.

 


The Nigerian Maritime Administration and Safety Agency (NIMASA) has taken delivery of additional mobile assets for enhanced maritime security under the banner of its Deep Blue Project. The main objective of the project is to secure Nigerian waters up to the Gulf of Guinea. The Project has three categories of platforms to tackle maritime security on land, sea, and air.

Two unmanned aircraft systems, nine interceptor patrol boats and 10 armored vehicles have been added to the existing assets earlier procured by the Nigerian Federal Government and commissioned by President Muhammadu Buhari .

Dr. Bashir Jamoh, Director General of NIMASA, thanked President Buhari for his sustained support in the fight against sea piracy and other maritime crimes and said the additional equipment will improve on the gains recorded in securing the Gulf of Guinea and Nigerian maritime domain.

Jamoh also described the recently held Gulf of Guinea Maritime Collaboration Forum in Abuja as a success in rallying international support in the suppression of maritime insecurity. He recommended Nigeria’s Suppression of Piracy and other Maritime Offenses (SPOMO) Act to support maritime law enforcement and said other countries are considering replicating it.

In addition to the new acquisitions, NIMASA’s assets include the Command, Control, Communication, Computer, and Intelligence Center (C4i) for intelligence gathering and data collection, 600 specially trained troops for interdiction, special mission vessels, fast interceptor boats, and surveillance and rescue aircraft.


Marlink and Bureau Veritas have signed a memorandum of understanding (MoU) to facilitate the fast transfer of vessel data for monitoring and compliance in areas including cyber security, carbon emissions, and safety.

The MoU forms the basis for communications firm, Marlink, to provide smart connectivity for the remote digital and safety services provided by the classification society. With a crossover of marine clients, the partners will offer a stronger cyber-strengthened digital framework via the Marlink network.

The organisations will also assess opportunities to use data that can lower ship operating costs, save fuel, and drive compliance, according to a statement. The agreement will also support shipyards in the implementation of ‘open-source’ cyber-secure systems, available also to third-party application providers, start-ups, and software developers.

Matthieu de Tugny, Bureau Veritas president, Marine & Offshore, said: “This is a partnership with real purpose whose foremost point is to take action to integrate digital tools and services that can bring value for shipowners and encourage and further develop cyber-secure, innovative Class operations.”


The agreement links Marlink’s smart hybrid connectivity with the remote digital and safety services provided by BV. Having identified crossovers in their mutual customer base, the partners will collaborate to help enable maritime stakeholders to more easily adopt cyber-strengthened digital tools and applications using the Marlink network.

The partners have put in place a working group to support shipowners around improving the cyber security of vessel data collection and facilitating compliance with regulation. This aims to support remote and digital operation modes on a journey to smarter, remote and, ultimately, autonomous ships with zero-emissions.

The duo has also identified the need for dedicated channels of co-operation recognising a common interest in removing the barriers to smarter, cleaner vessel operations. The organisations will seize opportunities to work outside the silos that have held back the industry from accessing data that can lower operating costs, save fuel and drive compliance.

The partner program will be expanded over time, with a proactive approach towards new areas of collaboration bringing in new initiatives where possible, ultimately leading the industry into new eras around smart shipping, unmanned and autonomous vessels. As well as simplifying implementation of cyber security standards for shipyards, the agreement is ‘open source’ enabling third party application providers, start-ups and software developers to participate where appropriate.

“This is a partnership with real purpose whose foremost point is to take action to integrate digital tools and services that can bring value for shipowners and encourage and further develop cyber-secure, innovative Class operations,” said Matthieu de Tugny, president, Bureau Veritas, Marine & Offshore. “BV is dedicated to helping our clients understand and manage the challenges of decarbonisation and adopt the digital tools that can support the transition.”

“Shipowners face huge efficiency and compliance challenges over the next decade and these need to be considered now to create a future-proof path that can integrate core operational components onboard and ashore,” said Tore Morten Olsen, president, maritime, Marlink. “Digitalisation is critical to improving voyage optimisation and vessel performance, achieving regulatory compliance and meeting ESG goals, but shipowners shouldn’t have to act as project managers – this partnership means they can streamline and simplify their digital journey based on Class guidelines and recommendations.”


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED