Does shipping need to thrash out a new legal framework regarding cyber attacks? Chief correspondent Jason Jiang investigates.
With the acceleration of digitalisation across maritime, the cyber threat to shipping is racing ahead of efforts by industry bodies and regulators to combat the menace.
IBM’s 2016 Cyber Security Intelligence Index showed that transportation was the fifth most cyber-attacked industry.
In June, shipping giant Maersk suffered a cyber attack, which caused a major breakdown at the company and affected all business units including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers.
Maersk admitted this month that the cyber attack will wipe as much as $300m off its books.
Splash understands that Maersk was not the only shipowner to have been laid low by June’s NotPetya attack.
Mate Csorba, principal specialist at classification society DNV GL’s Marine Cybernetics services, has noticed that the awareness of cyber risks has been increasing rapidly in the shipping industry over the past few years.
Judging from the feedback DNV GL received from customers, Csorba says it is not just the “big players” who are seriously contemplating third-party verification of their assets’ cyber security.
“Of course, it takes more than a single investment. One could spend tens or hundreds of thousands of euros on hardware/software, and might still end up compromised by a malicious attacker with a gadget worth 100 euros. This is why we are working to continuously improve our skills and techniques, and why owners and operators also need to be aware that, rather than a one-shot effort, they must continuously be addressing cyber security, including hardware, software, and also the human factor,” Csorba says.
According to Csorba, when it comes to regulations, IMO and IACS already have this issue on their radar. MSC 98 agreed in June that there is an urgent need to raise awareness of cyber risk threats and vulnerabilities, and adopted resolution MSC.428(98) on maritime cyber risk management in safety management systems.
“Stricter regulations could, of course, harden security, but would come at a price in a cost-sensitive market. However, there is already a lot that shipping companies can do, for example by following the existing recommended practices developed by the industry, such as the DNV GL Recommended Practice (RP) on Cyber Security Resilience Management,” Csorba says. Developed in cooperation with customers, the RP provides guidance on risk assessment, general improvements to cyber security, and the verification of security improvements and management systems.
Philip Tinsley, manager of maritime security at shipowning body BIMCO, says there is currently no legislation that directly tackles cyber security within the maritime industry. Guidelines and best-practice documents are at present the only guidance available to ship operators and owners.
According to Tinsley, BIMCO fully supports the new requirement that cyber threats be appropriately assessed and managed within the existing International Safety Management (ISM) Code. The initiative, proposed to IMO by the US this year, has achieved industry support; under resolution MSC.428(98) cyber risks are to be addressed in safety management systems no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.
Last year, IMO released its interim cyber security guidelines and earlier this month, BIMCO published its own recommendations based on the IMO guidelines.
Jens Monrad, senior intel analyst at FireEye iSIGHT Intelligence, also agrees that digitalisation could potentially introduce more cyber security threats to the maritime industry and it is critical for organisations to have the necessary security foundation in place to tackle the growing issue.
“Unfortunately, many organisations buy into the notion that technology only will save them, where the key challenge is the lack of insight into their own infrastructure, lack of internal resources and lack of intelligence, which would allow organisations to minimise the gap between discovery and recovery of a cyber security threat,” Monrad warns.
Monrad anticipates that cyber threats, and thus risks, will continue to increase, since there are no political agreements on the rules of engagement, and no global political settlement or cooperation between law enforcement agencies and nations.
John Boles, who previously worked for the FBI and is now a director at consulting firm Navigant, believes that the current digitalisation transformation in the maritime industry is definitely bringing more cyber security concerns.
In Boles’ opinion, every aspect of the maritime industry is becoming more connected and reliant on computers and software-driven operations, which has created significant risks from all types of attack vectors: from hackers, cyber criminals and nation states, to simple computer malfunctions and unintentional human errors.
“In most instances, when considering new technology, cost and efficiency are the primary concern, not security. Naturally, the digital transformation is improving operations; however, the unintended consequence of digitisation is exposure to new risks because of our increased dependence on software and computers and an exponentially expanded potential attack surface,” Boles says.
Boles reckons the challenge will be in making cyber security laws and requirements applicable and enforceable across multiple jurisdictions, given the maritime industry’s global nature.
“Security requirements that are truly binding and effective will most likely come from the industry itself and from groups like P&I Clubs, IMO, BIMCO, Lloyd’s, and others. Maritime cyber insurance carriers are also likely to have significant impact on security practices,” Boles says, suggesting incentivising information sharing, both formally and informally, of cyber practices, attacks, and consequences from those events as a good first step in improving the global maritime cyber security set-up.
Krishna Uppuluri, the digital leader at GE’s Marine Solutions, reckons that the cyber security challenge should be viewed in two zones: OT security (core equipment controls and automation) and IT security (digitalisation and information). “A regulation framework would serve OT security much better due to the larger risks. IT security can evolve its natural course as long as the two zones are properly separated,” Uppuluri maintains.
Peter Broadhurst, senior vice president of safety and security at Inmarsat Maritime, believes prescriptive regulations are unlikely to keep up with the rate of technological change.
The guidelines for cyber security best practice offered by BIMCO last year used a risk-based approach. Inmarsat was consulted at the drafting stage and continues to believe that this approach offers greater resilience against evolving threats. Inmarsat is also supporting an International Association of Classification Societies (IACS) working group, which is formulating more detailed cyber-security recommendations.
Inmarsat has developed a Unified Threat Management system, designed to be integrated with its Fleet Xpress service, which already provides a pathway for putting the BIMCO guidelines into practice. It protects shipboard systems by analysing traffic through an onboard controller tuned to maritime communications, and also looks for incursions into the vessel’s LAN from malware-infected USB sticks or other devices. Any compromised server is isolated automatically to protect the rest of the network, and the ship operator is alerted to the breach.
“Clearly, crew don’t want to make their own jobs more difficult, but surveys we have commissioned suggest that while around half of seafarers have experienced a cyber security incident, over 90% have had no cyber security training. Inmarsat is firmly convinced that training and the implementation of cyber best practice is a straightforward and effective way of lowering the risk of malware, phishing or virus infections,” Broadhurst says.
Norma Krayem, senior policy advisor & co-chair of cybersecurity and privacy at law firm Holland & Knight, stresses that the recent global cyber security attacks which hit Maersk and others must be an immediate wake-up call to the industry.
“While the IMO has been looking at cyber security, in 2016 only voluntary guidelines were agreed to, not mandatory. There is a very short window for the sector to create voluntary guidelines and demonstrate it is sufficient to address the risk or it will only be a matter of time before new legislative and regulatory mandates are handed down,” Krayem says.
The US Department of Homeland Security and the US Coast Guard issued updated guidance in 2016 that required disclosure of cyber security attacks, and in July 2017 the Coast Guard issued a request for comment on a new Navigation and Vessel Inspection Circular (NVIC) 05-17, which states that existing Maritime Transportation Security Act requirements are applicable to cyber security related threats. It also addresses cyber governance and cyber risk management implementation guidelines.
“Ultimately, it remains to be seen if a new legal framework is needed. However, risk and security have always been part of the maritime regime; it may be that the sector does not understand the risk enough to see that existing legal frameworks may be flexible enough to cover cyber as well,” Krayem concludes.