Aong focused on mitigating physical risks such as piracy, the maritime shipping industry is currently grappling with a new challenge: how to respond to a dramatic spike in cybersecurity threats.

From February to June 2020, cybersecurity consulting firm Naval Dome documented a 400% growth in attempted hacks against maritime targets. Driven by increased numbers of remote access paths onboard vessels and the convergence of new information technology (IT) targets into traditionally operational technology (OT) environments — as well as the perceived value in targeting an industry that carries nearly 90% of the world’s trade — these attacks represent a serious new threat to the backbone of global commerce.

“This convergence is increasingly more pervasive because of the nature of digitalization trends, like using onboard sensors and tracking data off operational systems for predictive maintenance purposes, that open more attack surfaces on the IT side that can enter into the OT environments,” said Don Ward, senior vice president of Global Services at Mission Secure, a global provider of OT cyber-protection solutions. “We frequently see that clients think they have certain portions of their system on islands – inevitably, in every assessment we find a backdoor into these environments.”

It’s a balancing act that all digitally maturing industries face: deriving efficiency gains from integrating today’s latest technology while limiting the potential vulnerabilities from doing so. The maritime sector is still catching up to its aerospace and automotive counterparts in implementing modern cybersecurity best practices, but malicious actors will not be waiting idly for it to arrive there.

Source: tsi-mag

Riviera Media features a discussion on cyber threats and security for the tanker sector of the maritime industry by Julian Clark, Global Senior Partner at Ince. “The lack of adequate protection is particularly prevalent in relation to cyber-attacks on on-shore and on-vessel operations technology (OT) networks and control systems, as just 42% of organisations protect their vessels from OT cyber threats.”

Clark covers the current state of the industry, insurance considerations, potential consequences, including legal, and the ongoing efforts to achieve compliance and security.

“Tanker operators and managers are not sufficiently protected by being compliant with the new regulation – this is a ‘level-one solution to a level-four threat’ – accordingly, a tick box approach to compliance is far from sufficient.”

Julian Clark, Global Senior Partner at Ince

Source: missionsecure

The British Ports Association and the UK-based risk management firm Astaara have released a new study on the wave of cyberattacks seen by maritime stakeholders over the past four months.

In one high profile attack in May, computer systems at Iran’s Shahid Rajaee port facility at Bandar Abbas, creating traffic jams and serious operational disruption. Astaara believes that the attack came in direct response to a failed Iranian cyberattack on an Israeli water facility in April. (Iran has denied any involvement in the earlier incident.) U.S. officials told the Washington Post that Israeli forces orchestrated the retaliatory hack on Shahid Rajaee.

While attacks from criminal groups are far more common than suspected state-sponsored hacking, the overall upward trend is driving increased interest in security, according to Astaara. “Now, more than ever, the advantages of [digitalization] should be capable of being realized, but only if the corresponding management resilience and recovery plans are in place and practiced,” said Robert Dorey, CEO of  Astaara. “Processes need to be continually reviewed and updated as necessary, training provided, and new approaches to monitoring assessed and adopted.”

He noted that the new remote-work alternatives to standard operations like surveys and marine superintendent spot inspections have created new vulnerabilities for shipowners. Remote working has been identified as a major risk for security, as the attack surface is broadened.

Criminals realize this and do not care about the human cost of Covid-19, or their crimes. They are not interested in the morality of their action. Instead they are interested in disruption and making money; they see Covid-19 as an opportunity,” said Dorey.

According to Astaara, the way to fight back is to practice basic cyber hygiene and to invest an appropriate amount in security. Currently, cybercrime nets around $2 trillion per year for criminals worldwide – compared with the $150 billion a year spent by companies and individuals in protecting systems. “When you have ever more stringent regulations, a user population that is innovative in breaking the rules, and an external environment that is hostile to say the least, you cannot afford not to invest in your security, and to protect those aspects of business that depend on others for their delivery,” Astaara and BPA advised in the white paper.

Source: maritime-executive

Source: thedigitalship

When Maersk fell victim to the NotPetya ransomware cyber-attack in 2017 (resulting in a loss of over £300M³ ), it highlighted that no shipping company is immune to cyber-attack – even IMO has been hacked. Cyber risk has been on the IMO agenda for some time and on 1 January 2021, MSC 428(98) was finally adopted. Tanker operators and managers are not sufficiently protected by being compliant with the new regulation – this is a ‘level-one solution to a level-four threat’ – accordingly, a tick box approach to compliance is far from sufficient.

The lack of adequate protection is particularly prevalent in relation to cyber-attacks on on-shore and on-vessel operations technology (OT) networks and control systems, as just 42% of organisations protect their vessels from OT cyber threats⁴. Additionally, an alarming 92% of the estimated costs arising from a cyber-attack are uninsured⁵ and the access and limits of cover are often restricted, which has serious risk-management implications for tanker owners and operators.

The devastating effects of a cyber-attack are not only financial and reputational, but crucially also legal. Tanker owners could face real challenges in order to establish due diligence and protect themselves legally if an incident arose from their vessel being cyber-compromised. They can expect cargo interests and others to raise arguments that there was a failure to make use of available cyber-security protection systems to ensure they were adequately protected.

In relation to the concept of due diligence and the application of the Hague Visby Rule Article IV Rule (ii) defences, shipowners will need to show due diligence in relation to protecting their vessels against a cyber-attack. The duties of due diligence are generally not delegable, so while a contractual provision ensuring that the manufacturer takes responsibility for cyber-integrity creates a potential right of recourse, this does not itself provide a defence to a claim. Additionally, where there are systems available in the market that can provide protection against a cyber-attack, and an owner has failed to implement appropriate measures or is unable to show they have an effective system in place to address cyber-risk, such omissions could amount to recklessness, giving rise to a possibility to break limitation.

We can expect to see claimants raising issues of unseaworthiness where they suffer loss or damage as a result of a vessel being cyber-compromised.

It is critical for tanker owners and operators to take an integrated, comprehensive approach to protecting their organisations against cyber threats. Our recent venture with Mission Secure (leaders in providing military-grade cyber security for OT systems) to launch an industry-first, integrated legal advisory, consultancy and technology cyber-security solution, addresses this market need by providing both advisory and action to fully protect companies beyond the current regulatory guidelines.

Source: rivieramm

Before starting at at Telenor Maritime, Toni was the CEO of KNL Networks, which was acquired by Telenor Maritime in 2020. Before Co-founding KNL Networks in 2011, Toni worked at the University of Oulu as a research scientist and Doctoral student from 2008 to 2011. He is a former electronic warfare officer in the Finnish Defence Forces and has 20 years of hands-on radio experience. Toni is a former member of the Arctic Council Task Force on Telecommunications Infrastructure in the Arctic (TFTIA).

With KNL onboard, Telenor Maritime believes its new platform can help facilitate the digitalization of the shipping industry, with secure, reliable and cost-effective sharing of data right across the globe. The webinar will address opportunities and challenges in maritime digitalization and cyber security. Onboard capabilities in cybersecurity and IT are often somewhat limited. Most of onboard equipment are not designed to be connected, so devices their selves don’t provide sufficient security. Cybersecurity has become one of the biggest threats to the industry.

We look forward to learning more about cyber security!

Source: nme

No one is likely to forget 2020 in a hurry. The pandemic had a seismic effect on all our lives and livelihoods, exerted a significant impact on trading and, out of urgent necessity, transformed working practices the world over. The availability of high-speed, high-quality connectivity has been an invaluable asset, enabling organisations to maintain their business continuity.

The corresponding downside has been an alarming escalation in the incidence of cybercrime, and some very high-profile shipping companies have recently borne the brunt of these attacks. Already suffering from the disruption caused by lockdown measures and market volatility, an additional setback was extremely unwelcome and costly for these companies.

The regrettable fact is that the same critical pressure which forced organisations everywhere to rapidly move so many aspects of their operations online conversely represented a golden opportunity for hackers. All four of the most prominent container operating firms fell victim to malware or ransomware attacks within months of each other, in effect compromising almost 60% of the world’s container traffic.

Vulnerabilities

These exceptional circumstances only exacerbated a problem which was already growing long before the pandemic took hold – namely, that the maritime industry has been conspicuously slow to fully acknowledge the vulnerabilities that accompany the digital revolution. Companies which view the cyber realm as too complex and nebulous to engage with can often fail to grasp the financial, operational and reputational damage a cyber event can wreak until their own businesses have already been impacted.

Underestimating their own susceptibility, usually through a lack of understanding at management level, is a recurrent issue. Many shipowners assume that since their vessels can operate independently from shoreside teams, then the cyber risk is negligible. However, ships communicate to shore via mobile phones, emails, Zoom calls, etc, and these are all vectors of infiltration into a ship’s onboard network.

Such vulnerabilities actually stem from head office; this is where the patching is driven from, where upgrades in IT and technology originate, and where shipowners exchange data with engine manufacturers, fuel suppliers, clients and financiers. Most importantly, it is also where training and education programs are organised. If that side of the equation is poorly managed, there’s a fair chance that the vessels won’t be optimally managed from a cyber perspective either.

Consistent benchmark

The salutary experiences endured even by the ‘big scalps’ mentioned earlier have sent shockwaves throughout the industry, prompting a significant intensification of threat awareness. In addition, the introduction on January 1 of the 2021 IMO Cyber Security Guidelines can only have a beneficial influence upon the take-up of effective maritime cyber risk management programs.

Importantly, these guidelines provide a consistent benchmark, a framework within which companies can measure their cyberattack preparedness. No one yet knows how punitively the new rulings will initially be enforced, but setting an example by detaining vessels for insufficient cyber protection might be the most bluntly effective means of getting the message across.

The US Coast Guard has already issued three tiers of detention for cyber deficiencies, by which any vessel arriving in a US port with a malfunctioning critical system will be detained until the issue has been resolved.
(For more details, see: https://www.westpandi.com/publications/news/november-2020/uscg-notice-of-implementation-of-cyber-hygiene-and/ )

This will inevitably take time, and a detained ship won’t be making any money while it’s off-hire. The resultant lost earnings whilst the vessel is detained would not be recoverable by loss of hire or delay insurance, which usually specifically exclude delays when the detention relates to non-compliance with international or national regulations.

Whilst the Nordic Marine Insurance Plan, for example, advises that a delay caused by a cyber attack could be covered under clause 5.1.B (Hull and Machinery perils) as, de facto, it would stop the ship from operating, this may not be true under other underwriters’ policies. As the vessel is technically damaged, the costs of fixing it would be recoverable less the applicable deductible. However, if the H&M Policy contains a Cl. 380 exclusion clause, computer breakdown due to a cyber attack would not be covered. If the breakdown occurred because of an ordinary bug in a software update, it would be covered regardless of a Cl. 380-style exclusion clause. If the breakdown was covered under the H&M, LoH (Loss of Hire) would respond unless there was also a Cl. 380 exclusion in the LoH policy.

A further complication for insured parties is the LMA 5403 clause, introduced by Lloyds in November 2019. In order to establish whether or not they are covered in the event of a cyber incident, attribution/causation must now be pursued to ascertain whether the incident arose from negligence or deliberate interference by a malicious insider or third party; and, if deliberate, whether this was a state sponsored move or an act of terrorism. We are of the view that the market approach is not constructive and creates uncertainty.

Due diligence

Where the Hague-Visby Rules oblige shipowners to exercise due diligence in making their vessels seaworthy prior to the commencement of any voyage, it is now incumbent upon them to prove that they are also applying cyber due diligence – everything from updating patches and running security checks to making sure passwords aren’t glued under keyboards, ensuring that crews are properly trained in cyber security and aren’t, for example, letting visitors charge their phones through USB ports on the network, and so on.

BIMCO has now also issued a cyber clause for charterparties, which in essence says that not only will parties use their best efforts to prevent cyberattack, but will also make sure that subcontractors do likewise. Liability could be problematic to establish here, particularly for charterers in terms of confirming which standards the parties will be judged against.

Underwriting

From an underwriting perspective, P&I Club mutual policies currently have no cyber exclusions, so if an assured were to have a collision, say, because they’d been hacked and lost control of their ship, they’d still be covered. The exception to this would be where a ship’s systems are hacked by terrorists or a belligerent power; such instances would then fall to war risk underwriters, not cyber underwriters – an important distinction.

As mentioned above, Cl. 380 or the more recent market standard cyber exclusion clauses are generally applied to other insurance policies. The assured’s options are either to simply “buy out” the exclusion or consult specialist providers like Astaara who can provide a global package cover that is far more comprehensive than alternatives which just reinstate the Cl. 380 or similar exclusions.

The key for all concerned is to plan and proceed methodically. Cyber risk management is about doing the basics well, which doesn’t necessarily require a huge investment. By making it a priority, driven by the Board from the top down so that factors such as using multi-factor authentication and ensuring antivirus software is up to date become an ingrained daily habit for all employees, companies will address what might look like minor issues, but which could otherwise have a disproportionately large impact on their business.

The 2021 IMO Cyber Security Guidelines: what you need to know

In practice, shipowners will need to demonstrate a full understanding of mandated cyber security protocols by conducting a comprehensive inventory of all at-risk onboard and offshore systems, including IT and OT equipment.

Vessels will then be subject to a cyber risk analysis and evaluation to assess their vulnerability and the mitigation measures which have been or need to be applied on board.

Thereafter, shipowners can implement the cyber risk management program best suited to their vessels and equipment, establishing crisis management strategies and incorporating crew training procedures which clearly demarcate their specific roles and responsibilities.

Based upon the National Institute of Science and Technology cyber framework, the 2021 IMO Cyber Security Guidelines involve five basic steps.

1: Identifying risk
2: Detecting risk
3: Protecting assets
4: Responding to risk
5: Recovering from attacks.

Source: hellenicshippingnews

Interview: Manolis Lazaridis, CEO of the Diaplous Group

“There are two types of companies, those that have been hacked and those that will be” said Robert Mueller FBI Director “….and there is a third type, those that have been hacked and simply don’t know it yet” added Mr. Lazaridis, CEO of the Diaplous Group, already having a long and rising carrier in the maritime industry. The Diaplous Group started out as a private maritime security company (PMSC) in 2010, providing services to the owners and operators of vessels in high-risk areas. Over the decade, Diaplous has grown into the world’s most compliant, approved and certified MRM provider serving stakeholders of the maritime industry. The group maintains six offices internationally and a client base of over 930 shipping companies globally.

Q: What triggered you to establish DIAPLOUS-CYBER?

A: During the last decade, there was a rapid growth and evolution of cybercrime. Attackers developed more sophisticated tools and techniques to penetrate into a company’s network, which increased both the number of cyber-attacks and data breaches.  

Therefore, DIAPLOUS-CYBER was born to apply cutting edge cyber security technologies and holistic solutions for companies to maintain 

business continuity in adverse conditions. We carry the vast anti-piracy experience of the Diaplous group from the physical world over to cyberspace, and are able to draw on leading providers in our service offering. Our NATO-trained experts brought over engineering capabilities and we are now able to monitor vessels via the Cyber Defence Operations Center (CDOC) and implement countermeasures in near real-time. 

To enhance our services further, we are also partnering with Alpha Marine Consulting in offering Cyber Risk Assessment and Cyber Risk Management.

Q: Is cyber security expensive? 

A: “Cybersecurity is not expensive is priceless” compared to the overall damage a company can experience after a cyber security incident. Recovering from such an incident can cost a company even a six-digit amount of money, let alone the reputational damage, putting many out of business. 

One of the most known examples is the cyber-attack targeting Maersk, which cost the company almost $300 billion.

This is why we are firm believers that businesses should take a proactive approach to cyber security and invest on it before a cyber incident takes place. 

Q: What is the situation in the maritime industry?

A: Our experience so far has shown that, unfortunately, the majority of the Greek shipping companies is not aware of the importance of cyber security and does not consider cyber-attacks as a potential threatening risk. A common misconception is that only large businesses are a potential target for cyber attackers. This is a myth! In fact, cyber-attacks on smaller businesses are more common than many might think.

Through our series of webinars, we are trying to raise the Greek industry’s awareness about cyber security and educate our participants as much as possible on this topic. We have already organized successfully three webinars and we are planning to offer more during the following months, covering different topics around cyber security and defence.

Q: How should a cyber incident be handled? Is there an analogy with the typical “marine incident”?

A: A cyber incident should be treated as a marine incident, and the measures to be taken to deal with it will depend on its severity. In fact, in every Management System there must be a categorization of events based on their actual or potential impact. Each category of events will mark defined actions and reaction times, the manning of the crisis response team and other actions on the part of the company and the ship. 

There is, therefore, an obligation for each company to organize a Response Plan, which should be combined with the existing Emergency Response Plan.

At the same time, we must stress the importance of the mandatory annual drills and readiness exercises which can be combined with penetration tests.  It becomes clear, then, that the success of dealing with a cyberattack depends on the training and preparedness of the participants and their familiarity with the procedures and obligations.

Q: How useful and necessary is the penetration testing?

The penetration test is an essential tool for any company in order to identify the vulnerabilities of its IT and OT systems as it offers the ability to detect all the effects of a cyber-attack. It is also the most useful tool for risk assessment as, from a technical point of view, it will provide us with more complete information than any other method of approaching and assessing weaknesses.

The penetration test must be done in the company and at least in a percentage of its fleet and must be repeated at regular intervals to confirm the effectiveness of the corrective actions taken each time.

It should be noted that charterers, and especially oil companies, now require penetration testing during both TMSA Office Audits on both the company and the ships.

Source: cyprusshippingnews

Source: cruiseandferry

Inmarsat, the world leader in global, mobile satellite communications, has released a new, free of charge report covering new International Maritime Organization obligations and their implications for cruise ship and ferry professionals. The obligations enter into force next year and the report aims to support owners, managers and captains on compliance as they work to protect passenger ship cyber security.

Published by the Inmarsat Research Programme, Cyber Security requirements for IMO 2021 offers unique insights into Inmarsat’s cyber security experience and examples of real cyberattacks on vessels, providing cruise ship and ferry owners, managers, captains, engineers and technical officers with a guide to the criteria for compliance. By IMO resolution, passenger ship Safety Management Systems must be documented as including cyber risk management under the International Safety Management Code no later than the first annual audit after 1 January 2021.

The 40-page document highlights the way threats continue to adapt and evolve, reporting a fourfold increase in cyberattacks on maritime targets that coincides with the industry’s move to home-based working through the Covid-19 pandemic. It also provides a comprehensive explanation of the often misunderstood distinctions between anti-virus software and network endpoint security.

Source: hellenicshippingnews