Ships are increasingly using systems that rely on digitization, integration, and automation. As a result, the security of data and other sensitive information has become a major concern for the maritime industry.
Cyber attacks may lead to economic loss and/or costs of restoring the lost data. According to a global economic study, cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30 percent from just three years earlier.
Cyber-attacks can be defined as the deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber-attacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. A cyber-attack is also known as a computer network attack (CNA).
A successful cyber-attack can have several implications relevant to insurance: loss of life, personal injury, pollution, loss of property, business interruption, loss of production, loss of data and loss of reputation. From a cargo perspective, there are particular concerns about the potential risks and implications of cyber-attacks directed at unmanned truck convoys and mega hubs.
The ISO intends to complement the work on cybersecurity, using the ISO/IEC 27000 series.
During the SAFETY4SEA Cyber Masterclass, Mr. Max J. Bobys, VP Global Strategies, HudsonAnalytix, gave a presentation aimed at characterizing the rapidly evolving cyber threat landscape and placing it in a maritime industry context.
Cyber risks can be either malicious or the result of an innocent breach caused by a lack of awareness or an insufficient understanding of systems and how they interact with each other. It is important, therefore, to have the right protocols in place to counter cyber threats.
IMO Milestones
November 2014: IMO’s Maritime Safety Committee (MSC) supported a Canadian / U.S. recommendation to develop voluntary guidelines on maritime cyber security practices. The purpose is to protect and enhance the resilience of the cyber systems supporting the operations of ports, vessels, marine facilities and other elements of the marine transportation system.
May 2016: MSC approved new “Interim guidelines on maritime cyber risk management”, providing high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The guidelines also refer to additional guidance and standards. In July 2017, the interim guidelines were superseded by an IMO circular informing of the now approved Guidelines on maritime cyber risk management.
June 2017: MSC adopted a resolution on maritime cyber risk management in safety management systems. Member Governments are encouraged to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
United States Milestones
June 2015: USCG released its Cyber Strategy guidance document. The document presents the agency’s vision for operating in the cyber domain and outlines the agency’s goals and objectives for its three stated strategic priorities: defending cyberspace, enabling operations and protecting infrastructure.
December 2016: USCG published a cyber-security policy letter regarding the criteria and process for the reporting of suspicious activity and breach of security and added cybersecurity to the list of security items covered by the 2002 Maritime Transportation Security Act (MTSA). This could also mean penalties of up to USD 25,000 per cyber preparedness violation.
Mid-July 2017: USCG announced a request for public comments on its Navigation and Vessel Inspection Circular (NVIC) 05-17: “Guidelines for addressing cyber risks at MTSA regulated facilities”.
July 2017: The U.S. House Intelligence Committee required that the Undersecretary for Homeland Security for Intelligence and Analysis investigate cybersecurity vulnerabilities and threats to ports and maritime shipping, and report back within six months.
United Kingdom Milestones
August 2017: The UK Government announced a statement of intent to update and strengthen data protection laws through a new Data Protection Bill. Firms could face fines of up to GBP 17 million if they fail to protect data, and transport is among the essential services that will need to safeguard against hackers.
Shipping Industry’s contribution
January 2016: An industry group published new “industry guidelines on cyber security onboard ships”. A 2nd edition of the guidelines was published in July 2017, which includes, among other additions, a new paragraph on insurance cover.
Unlike other international standards and guidance on cyber security, the industry guidelines focus on the distinctive issues on board ships. A revised version 3 of the guidelines is currently being worked on by the industry group.
June 2016: IACS founded a Cyber Systems Panel. The Panel is focusing on developing recommendations as a first step, to be followed later by a new unified requirement on system integration for safety critical shipboard systems. The Panel is also exploring a possible certification scheme, run by IACS members, for software providers of essential systems. An update of UR E 22, covering the onboard use and application of programmable electronic systems, is under consideration by a project team. IUMI is among the industry partners in a joint working group with IACS on cyber systems.
December 2017: BIMCO and Comité International Radio-Maritime (CIRM) presented a proposed industry-wide standard for software maintenance. The aim is to reduce the number of cyber-attacks on vessels, and the support of organizations and IMO Member States is encouraged. The International Standardization Organization (ISO) has been approached to request the development of an international standard based on the BIMCO/CIRM standard, which may take 3-4 years for completion.
The EU GDPR Regulation
In an effort to eliminate the aforesaid risks and set the principle of transparent use of personal data, the EU adopted in 2016 the General Data Protection Regulation (GDPR), which from the 25th of May 2018 onwards will be directly applicable in all EU Member States. The regulation requires all organizations providing services to, or handling data related to, EU citizens to comply with it, even if the organizations are not located in the EU. The way in which a business manages a data breach has a direct impact on the final cost. This will become even more the case under the GDPR. Reputational damage inevitably follows if the response to a cyber incident is inadequate.
e-Navigation vs cyber security
The IMO e-Navigation initiative is defined as: “The harmonized collection, integration, exchange, presentation and analysis of maritime information on board and ashore by electronic means to enhance berth to berth navigation and related services, for safety and security at sea and protection of the environment.”
Operators should incorporate e-Navigation Best Practices as an integral part of their Bridge Resource Management (BRM).
The e-Navigation Strategy Implementation Plan, approved by MSC 94 in November 2014, contains a list of tasks required to be conducted in order to address:
- Improved, harmonized and user-friendly bridge design.
- Means for standardized and automated reporting.
- Improved reliability, resilience and integrity of bridge equipment and navigation information.
- Integration and presentation of available information in graphical displays received via communication equipment.
- Improved communication of VTS Service Portfolio (not limited to VTS stations).
According to the IMO, once completed these tasks will provide the industry with harmonized information from which to start designing products and services that deliver e-navigation solutions.
Actions to be taken by industry stakeholders
- Stick to the industry guidelines on maritime cybersecurity practices and their implementation
- Be aware of your systems and the way they interact with each other
- Implement risk assessment procedures properly
- Support the development of e-Navigation through the IMO
Relevant key documents and links
IMO:
- 1/Circ.1526: Interim Guidelines on Maritime Cyber Risk Management, 1 June 2016.
- Resolution MSC.428(98): Maritime cyber risk management in safety management systems, adopted 16 June 2017.
Industry Guidelines: The guidelines on cyber security on board ships, 2nd edition, July 2017.
Marsh: The risk of cyber-attack to the maritime sector, July 2014
United States:
- Coast Guard: CG-5P Policy letter: Reporting suspicious activity and breaches of security, 14 December 2016.
- NIST Cybersecurity framework
- US Government Accounting Office (GAO): Report on “Maritime Critical Infrastructure protection”, June 2014.
European Union:
- European Network and Information Security Agency: Analyses of cyber security aspects in the maritime sector, November 2011.
- EU Directive 2016/1148: Concerning measures for a high common level of security of network and information systems across the Union, 6 July 2016.
- EU GDPR: Rules for the protection of personal data inside and outside the EU.
- The Directive on security of network and information systems (NIS Directive)
IACS:
- New UR on system integration for safety critical shipboard systems (under consideration)
- Certification of software providers under consideration.
- Revised UR E 22 regarding on board use and application of programmable electronic systems under consideration.
ABS: Guidance note on the application of cybersecurity principles to marine and offshore operations, Volume 1: Cybersecurity, February 2016.
UK Department for Transport & Maritime and Coastguard Agency: Port cyber security code for operations and staff members, 16 August 2016.
DNV GL: Recommended practice 0496 – Cyber security resilience management for ships and mobile offshore units in operation, September 2016.