Shipping Association’s Report – A Reminder that Maritime Cyber Threats & Risks are for Real

Hacking cars seems so last year given the increasing number of cyber-related incidents in the maritime industry. There is no doubt that maritime cyber attacks are still prevalent and are for real. The high-value cargo shipped across continents makes this industry a sweet spot for malicious actors looking to profit by disrupting it. Groups of the world’s largest shipping associations have joined hands to spread awareness of best practices that can be implemented to decrease the impact of various cyber threats.

The report, titled “The Guidelines on Cyber Security Onboard Ships”, covers various aspects of cyber security, including risk assessment and risk management for the standard technology used by ship owners. Apart from pointing to past cyber incidents in which ships’ systems were compromised, the report also exposes the threat arising from Operational Technology (OT) procured from external supply chains.

The false sense of preparedness to counter cyber attacks in the maritime industry must be countered with measures that force obligatory compliance with cyber security guidelines at an industry level. Commenting on this, Dirk Fry, chair of BIMCO’s cyber security working group and Director of Columbia Ship Management Ltd, said:

“The industry will soon be under the obligation to incorporate measures to deal with cyber risks in the ship’s safety management system.”

Cyber Risk Assessment Can Help in Preventing Major Disruptions in the Maritime Industry 

The report suggests that risk assessment of onboard systems must be done on a regular basis. This plays a vital role in determining how well the onboard systems can counter sophisticated cyber attacks. The areas relating to key shipping operations must be thoroughly evaluated so that those at risk are identified. Protection and mitigation measures can then be implemented based on the study and its outcome. Self-assessment of risks is fruitful, but the report highlights that such assessments deliver the best results when complemented by a third-party auditor. The report also sheds light on the process to follow when assessing risks: pre-assessment activities, ship assessment, vulnerability review and, as the final phase, reporting the vulnerability to the manufacturers of the equipment.

Not all cyber risks stem from attacks; some arise from outdated or incompatible systems. One such security incident pointed out in the report shows how a software upgrade resulted in an Electronic Chart Display and Information System (ECDIS) failure because the outdated operating system was incapable of running the software updates. This caused a failure of the navigational systems and also had hefty financial implications. Such incidents can be averted if proper risk assessments are done, resulting in proper servicing of the systems.

There is a fine line to recognize when reviewing the risks involved in Operational Technology (OT) and Information Technology (IT). An IT failure could delay clearance or the unloading process, but a failure of OT can cause harm to people. It is important that regular system vulnerability scans be done to determine whether the key operational systems are affected by viruses or malware.

An incident mentioned in the report shows how dormant malware sneaked into crucial systems of a ship through a USB device used by the technician who did the software installations. The worm was detected by a system vulnerability scan initiated by the IT department, which shows how helpful a well-formulated vulnerability review, itself a part of risk assessment, can be. This incident also helps in understanding how important it is for ship owners to assess the risks arising from the supply chain.
