NAPA, a global provider of software, services and data analysis for the maritime industry, said it has received the ISO 27001:2013 certification on information security management, validating the company’s adherence to international best practices on data management and security.
ISO 27001:2013 is an international standard that defines the requirements for a comprehensive information security management system, enabling organizations to safeguard the confidentiality, integrity and availability of data. The certification, which was delivered by classification society Bureau Veritas (BV), covers all of NAPA’s activities, products, services and locations. It confirms that robust data security systems are incorporated throughout NAPA’s processes and product development to protect the information entrusted by its customers against security risks, such as data leaks, hacks, or cyberattacks.
Upon receiving the certification, NAPA’s CEO, Mikko Kuosa, called on all shipping stakeholders to join NAPA in taking tangible and proactive steps together to build cyber resilience across the industry. As the number of cyberattacks and incidents is on the rise, Mr Kuosa urged maritime companies to ensure that their data, which is critical to their safety and operations, is protected by robust security systems.
“The data-driven insights made possible by greater connectivity onboard have enabled a giant leap forward in safety, emergency response, and voyage optimization – and there is no turning back. The benefits of connectivity are tremendous, and the increased digitalization in maritime also comes with the important responsibility of putting the right safeguards in place to maintain a cyber secure system at sea. In this context, the industry needs guarantees that its business-critical data is in safe hands and must demand the highest standards from its partners. This is why at NAPA we are dedicated to having robust security procedures in place to protect the sensitive data that is entrusted to us, as we help shipping companies sail more safely and sustainably,” said NAPA’s CEO Mikko Kuosa.
“At NAPA, we are proud to be spearheading best practices for the industry, with our comprehensive information security policy which guarantees that all confidential information is managed and stored with appropriate procedures in place. This means that users can safely take full advantage of the collaboration benefits and improved communication that our connected systems enable. Today, we are delighted to see our industry-leading practices formally recognized by the prestigious ISO certification,” Mikko Kuosa added.
In late June 2017, AP Moeller Maersk was forced to shut down its container operations in the Port of Los Angeles as its IT systems were infected with ransomware, which caused disruption to the booking systems. The company suffered damages amounting to USD 300 million.
Cyber-attacks targeting the maritime sector are growing rapidly across the world and in Asia. Hackers are narrowing their focus on companies in the sector which are seen as tempting targets due to a perceived lack of cyber security investment and potential for significant operational disruption.
Solutions are being developed by international bodies in the maritime industry to try to improve cyber safety. Discuss what those solutions are, whether their improvements are sufficient, as well as any further improvements required.
On 12 May 2017 cyber-security hit public consciousness in a big way when Wannacry ransomware brought down the NHS as the worm-driven malware spread around the globe hitting hundreds of thousands of computers.
Then security researcher Malwaretech, AKA Marcus Hutchins, registered a domain that acted as a kill switch, making him a hero. SC Media UK was happy to give him an award for his achievement, and later when his exploits brought him to the attention of law enforcement and he was arrested in the US for teenage black-hat hacking, creating code that was used in banking malware, SC suggested that he’d done enough to deserve a pardon. Ultimately the judge in his court case took a similar view.
The story is now told in a highly watchable documentary, WANNACRY: THE MARCUS HUTCHINS STORY, on Unlocked, the online magazine for digital culture created by Kaspersky and available on YouTube. Well worth viewing.
Shipping is the engine of the global economy, making up some 90% of world trade. That’s not easy to express in monetary terms, although experts estimate it at over $10 trillion a year. Maritime blockchain could transform this industry and bring multiple benefits to importers, exporters, transporters, ship owners, and even governments.
Blockchain at sea: How technology is transforming the maritime industry!
Blockchain technology has the potential to revolutionise the maritime industry and bring it into the 21st century. This complex ecosystem could greatly benefit from a robust digital platform to exchange data in real time.
In fact, the industry has been testing maritime blockchain applications since 2017. Some of the most important shipping companies, such as Maersk, Hyundai Merchant Marine, and Maritime Silk Road Platform, have teamed up with tech giants to create blockchain shipping systems to streamline maritime logistics.
Maritime blockchain speeds up document flows
One of the main benefits of introducing blockchain to the maritime industry is cutting down bureaucracy. For international shipments, companies and customs officials are forced to fill out over 20 different types of documents (most of them paper-based) to move goods from exporter to importer.
Most of these documents fail to provide real-time visibility and data quality, which often causes setbacks in financial settlements. These types of delays and inefficiencies are hard to accept in a data-driven, digital world.
An international consortium of shipping companies and European customs has tested a blockchain solution that eliminates printed shipping documents from the process. Not only did blockchain speed up operations, but this pilot proved how organisations in the maritime industry can save hundreds of millions of dollars annually.
Blockchain not only makes cargo checks faster, it also minimises the risk of penalties for customs compliance that are levied on customers.
The maritime industry can also benefit from predictive analytics
Big data is having a huge impact on the industry, thanks to its potential to optimise operations, improve cybersecurity, and increase the overall efficiency of the supply chain.
However, data alone can’t change the way the maritime industry works. Companies, ports, and governments need to analyse the information to reap real benefits from the findings. This industry generates about 100-120 million data points every day. It was impossible for existing technologies to gather and analyse this amount of data efficiently.
Blockchain can help by placing the crucial data in one place and creating a unique platform for solution providers, ports, and agents that operate along the supply chain.
By tracking cargo in real time using blockchain technology, shipping companies and ports can plan land procedures ahead of time, speeding up terminal works and cutting down costs. They can also use data to make educated predictions that enhance their operations and increase efficiency.
Maritime blockchain increases trading safety and transparency
The maritime industry includes multiple parties. Most of these communicate through lengthy paper chains, which currently makes it impossible to track shipments. This, combined with high transaction volumes, leads to little or no transparency in most processes.
Blockchains can secure the integrity of any record, reducing the risk of damaged or missing shipments. By replacing the old paper system, all parties involved have access to information, making it easier to plan operations efficiently and save on costs.
The information stored in the blockchains is impossible to delete or edit without leaving traces, so this transparency also increases security.
It reduces data entry errors and can improve fraud detection. Maersk’s collaboration with IBM, for example, also stipulates the development of means to streamline customs and security inspections, as well as tracking shipping containers for commercial purposes.
Maritime blockchain and cost efficiency
The blockchain-based Bill of Lading created by Maersk and IBM showed in early tests that administrative costs could be reduced by as much as 15% of the value of shipped goods, thanks to tracking shipping containers and eliminating paper documents.
It may seem like a small percentage, but that could create savings of $1.5 trillion globally.
Besides costs related to documentation, companies can also significantly reduce expenses caused by data entry errors, procedural delays, and discrepancies.
Blockchain technology is transforming the maritime industry
The maritime industry is still struggling with high costs and a high level of pollution. Blockchain technology can help with both issues, by cutting down administrative costs and providing environment-friendly solutions. All while protecting the industry against cybercrime and piracy, and ensuring a fairer deal for all parties involved.
The emerging risk associated with cyber threat requires not only better training for seafarers, but also spreading awareness of best cyber security practices, argued Peter Broadhurst, Senior VP of Safety and Security, Inmarsat Maritime, adding that there is still ‘a long way to go’ when it comes to effective cyber protection.
Whether in pursuit of personal data or money, cyber crime is now a big and highly automated business, ready to strike at the most vulnerable part of an organisation’s defences 24/7, anywhere in the world.
Speaking on a panel at the World Economic Forum earlier this year, A.P. Møller-Maersk Chairman Jim Hagemann Snabe revealed that responding to the NotPetya ransomware attack of June 2017 had required the reinstallation of 4,000 new servers, 45,000 new PCs, and 2,500 applications, all within ten days. During this period, the company reverted to manual systems.
In hitting a company equipped with experienced cyber security specialists, NotPetya showed that the cyber threat is as real for shipping as it is for any other connected business, especially where legacy systems proliferate.
If the warning should be sinking in, an Inmarsat Research Programme report, The Industrial IoT on land and at sea (2018) suggests that maritime minds are slow to change. The unique study drew on testimony from 750 survey respondents across a range of industries to establish preparedness and perceptions regarding the adoption of IoT-based solutions.
The survey found 87% of maritime respondents saying they believed that their cyber security arrangements could be improved. It also saw more of them identifying data storage methods (55%), poor network security (50%) and potential mishandling/misuse of data (44%) as likely to lead to breaches in cybersecurity than outright cyberattack (39%).
Given the self-diagnosis, it is perhaps surprising to find that only 25% of maritime respondents said they were working on new IoT-based security policies.
In fact, Inmarsat’s research exposed ambivalence as one of shipping’s leading feelings towards IoT-based solutions. With some owners engaging at the level of blockchain, others take their lead from their need to comply with regulation: this is an industry which simultaneously sustains just over 30% of shipping respondents as ‘IoT leaders’ and just under 30% as ‘IoT laggards’, the report says. For every owner signed up to the benefits of condition-based monitoring and predictive maintenance based on real-time connectivity, there appears to be another for whom maintenance is something that takes place at regular and predictable intervals, or whenever is most convenient.
Inconsistent views on cyber security also appear free to coexist with immature ones. Around 70% of respondents identify reducing marine insurance premiums as a main driver for IoT uptake, where insurers have shown themselves as especially sensitive to cyber threats. At the same time, other studies have found attitudes such as “I’m not the target /we have security in place, don’t we?/I will be protected by AntiVirus” alive and well among seafarers.
For those prepared to engage in the IoT, ships today sustain crews in small numbers, representing both an opportunity and challenge for automation, and indeed for cyber security. On the one hand, low crew numbers align strongly with operational technology that is remotely updated, self-managing and supported by automated security and from third parties and OEMs, such as voyage planning, weather routing, navigation, fuel management, etc. On the other hand, the opportunities to ‘patch’ embedded operational technologies (OT) safely are not frequent, and patches usually require certification by control system manufacturers.
The broader point, though, is that cyber security is not just about software patching and systems configuration. Ship operators do not buy computer processors, disk storage and software and then build them into a system: they procure turnkey systems. Again, shipboard engineers may well be IT-literate, but no space has been made on the crew roster for cybersecurity specialists.
In these circumstances, the integrity of the systems on ships is best maintained by software which can identify, contain and resolve threats wherever they appear in the network. Such Unified Threat Management (UTM) detects all deviations from the ‘known good’ configuration as anomalies and potential threats to security and can update securely, even during operation. Some specialist functions such as a deep analysis of alerts or security forensics will need to be delivered remotely.
Inmarsat believes that a collaborative approach – that includes shipboard systems, but also the crew operating them and the processes involved – is vital to develop the maturity response demanded by multiple threats from cyber villains, whatever their origin. For this reason, we have been working with some of the best security-focused experts available to tailor products and services to meet shipping’s requirement.
As noted, however, software is only part of the answer: cyber security and vigilance for ‘the human element’ and a well thought-out recovery strategy to mitigate against multiple, automated assaults are also critical. Failures in processes and mistakes by people can present the security loophole that, if unchecked by the UTM, compromises the entire network.
Weaknesses at the first line of defence (falling for phishing, plugging in an infected USB device, downloading from an untrusted source, etc.) are common but, in the case of satellite-connected ships, it is also common to see updates turned off and no AV software in operation. Today, cyber security training is not compulsory for the world’s 1.6 million seafarers, while expertise in antivirus software is inevitably more likely to be based ashore.
As far as awareness is concerned, it is fair to say that there is likely to be more temptation to risk plugging in a memory stick that might be infected once a vessel is under way. Creating awareness for seafarers and staff is a continuous task because good cybersecurity practice is shipping’s first line of defence against ‘attack’.
Inmarsat recently participated in discussions with academics at the World Maritime University in Malmö over what future classroom-based and e-learning cyber security course content might include for Maritime Safety and Security Diploma students.
Inmarsat is not and does not aspire to be a training company, but it is an interested party. As such, we are fully aware that training is not just a tick-box exercise and must be backed up with monitoring and reinforcement. We also know that using tools to identify breaches of policies such as USB usage helps reinforce the message: constant reminders and real-life examples are often the quickest ways to stop bad practice.
But to address the cyber security risks of the future effectively, we need the involvement of ship designers, builders, regulators, verifiers, equipment manufacturers, service providers and, of course, owners and operators. We were therefore one of the founding partners in a Joint Working Group run by the International Association of Classification Societies (IACS) whose members survey and certificate more than 90% of the world’s commercial vessels, ensuring that ships are fit-for-purpose and comply with safety and quality regulations.
Maritime Industry Not Cyber-Ready
I had the opportunity to observe the maritime industry up close when I was director of security for the Port of Tacoma (almost six years ago). My observation then was that the people who make up the industry have never thought of themselves as technology companies or even being attuned to what technology can do for their businesses. A telling comment came from the deputy director at the port. Apple iPads had recently been fielded (2010) and I suggested purchasing an iPad for each of the port’s elected commissioners. His reply went something like, “Here in the maritime industry we are not oriented on technology, nor progressive in that area.” This from a top 10 port. There are many more small companies that move goods, have trucks, drivers, etc., and really don’t understand their vulnerability. See the article below for survey results of the industry.
Homeland Security Today: Survey Finds U.S. Maritime Industry Unprepared for Cyber Attacks
Rapidly evolving technologies deployed throughout the U.S. maritime industry to increase efficiency and competitiveness present significant cybersecurity risks that the industry is unprepared to shoulder, according to the Jones Walker LLP Maritime Cybersecurity Survey.
The law firm’s survey reflects the responses of 126 senior executives, chief information and technology officers, non-executive security and compliance leaders, and key managers from U.S. maritime companies.
The respondents represent key sectors in the maritime industry and include professionals from small, mid-size, and large companies.
The survey found that nearly 80% of large U.S. maritime industry companies (those with more than 400 employees) and 38% of all industry respondents reported that cyber attackers targeted their companies within the past year. Ten percent of survey respondents reported that the data breach was successful, while 28% reported a thwarted attempt.
Small and mid-size companies are far less prepared than larger companies to respond to a cybersecurity breach. All respondents from large organizations indicated they are prepared to prevent a data breach, while only 6% of small company (1 to 49 employees) respondents and 19% of mid-size company (50 to 400 employees) respondents indicated preparedness.
The survey discovered that many small and mid-size companies lack even the most fundamental protections, exposing them to huge potential losses. 92% of small company and 69% of mid-size company respondents confirmed they have no cyber insurance.
In contrast, 97% of large company respondents have cyber insurance coverage.
Less than 15% of companies are using multi-factor authentication for remote access, or providing off-site backups in physically secure locations. 60% said they are unprepared to deal with negative public opinion, blog posts, and media reports after a data breach; 49% are unprepared to minimize the loss of customers’ and business partners’ trust and confidence after a data breach; 70% are unprepared to respond to a data breach involving business confidential information and intellectual property; and 70% are unprepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators.
The majority of respondents (69%) expressed confidence in the maritime industry’s cybersecurity readiness, while a minority (36%) believe that their own companies are prepared. Lee says there is a real disconnect between how stakeholders view the maritime industry’s overall preparedness level versus how they see their own shops. “By and large, they view the industry as prepared, but their own companies as unprepared. That is like saying that my neighborhood is safe, but my house is a hotbed of crime,” he said. “What I take away from this is that the respondents are likely wrong about the industry, and right about their own companies.”
OCIMF published the third edition of its Tanker Management and Self-Assessment guide (TMSA3) in April 2017. As of 1 January 2018, this will replace the TMSA2 and tanker owners will be required to follow the new self-assessment procedure.
So are there any major changes?
Well actually, yes. The latest TMSA version introduces an entirely new element – Maritime Security (element 13). The new element aims “to establish and maintain policies and procedures in order to respond to and mitigate identified security threats covering all company activities including cyber security.”
In complying with the aim, security plans should be put in place, which also address cyber security risks, and should cover shore-based locations, vessels and personnel.
Are there any tools available to help tanker members comply with the Maritime Security element?
Yes, resources are available and the best thing is they are free!
IET Standards in conjunction with the Department for Transport have created a comprehensive code of practice for cyber security onboard ships. This code follows on from previous work the Department for Transport has done on port cyber security.
Additionally, an industry working group (which included OCIMF) have created Guidelines on Cyber Security onboard Ships.
What other changes are there?
Elements 6, 6A and 10 have all had revisions, with element 10 now incorporating the OCIMF Energy Efficiency and Fuel Management paper that had previously been a supplement to TMSA2. Additionally TMSA3 also has 19 more KPIs than TMSA2 showing the focus on continuous improvement.