Cyber Security Deadline For Mariners

Experts believe that more crew cyber training is needed as the International Maritime Organisation (IMO) 2021 deadline to incorporate cyber security into management systems looms. Just how much training is required, or whether a designated person aboard shall be assigned as a cyber expert on board, is still up for discussion.
 
From 1 January 2021, ship-owners must include cyber security in ship safety management systems under amendments in IMO’s International Ship Management (ISM) Code. Ship-owners and managers have just four months before a key deadline in cyber risk management is passed and ship security comes under greater scrutiny.
 
Preparations should already be underway to include cyber risks as part of ship’s safety, said Norton Rose Fulbright partner Philip Roche, who said this should include training and security-breach drills. “There are many threats out there,” said Mr Roche during Riviera Maritime Media’s ‘Minimising cost and disruption after a cyber event’ webinar on 6 August, which was the concluding event of a the  Maritime Cyber Security Webinar Week. Ship-owners “need to consider risk management and cyber-attack recovery” Roche  said. “Good safety management requires a plan to be in place now if the ship is to be seaworthy.... cyber security is another risk to be managed as part of the safety management of the ship.
 
This could be policed in the future by port state control, whose inspectors may request information on cyber risk management for a vessel as part of its seaworthiness.
 
In a test for seaworthiness, the ship “must have a degree of fitness, which a prudent ship-owner would require the vessel to have at the commencement of its voyage”. This degree of fitness extends beyond the physical condition of the ship and includes having properly trained crew able to deal with contingencies arising at sea. Such tests are to be considered against the current state of knowledge of the risks and regulations in the industry. “This means port state control would take an interest in cyber training and consider cyber risk management and attack recovery,” said Mr Roche.
 
To ensure a ship is seaworthy today, the ship needs to have reasonable measures to protect against a cyber attack, including trained crews who have good cyber hygiene practices and are aware of risks, and a plan to detect, deal with and recover from a cyber-attack.
 
ISM Code
 
To deal with and recover from a cyber attack, there is plenty of shipping industry guidance available form various maritime organsiations, including the IMO and BIMCO. Key to this preparation is following the ISM Code, which requires that the safety-management objectives of the company provide for safe practices in ship operations and a safe working environment. To follow the ISM Code, owners assess all identified risks to ships, personnel and the environment, establish appropriate safeguards, and continuously improve the safety-management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
 
Owners can look at IMO guidance on cyber security which covers developing and implementing activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event and ship operators need to identify measures to back-up and restore the cyber systems necessary for shipping operations impacted by a cyber event. They must also distinguish between an attack affecting IT and an attack on operational technology (OT)which includes cyber threats to ship propulsion control, steering, navigation and communications systems.
 
Cyber Risks in Ports
 
Further digitalisation in ports is increasing their vulnerability to hackers and cyber-attacks. As more technology is linked to the internet, the frequency of these threats and chances of a successful breach increases.  Cyber security needs to be improved in ports before internet of things (IoT) is introduced into port infrastructure.  With more automation in ports, some of these networks are overlooked by IT teams and could be vulnerable to hackers.
 
Cyber Breach Response
 
In an initial assessment of a cyber breach, a response team must find out how the incident occurred, which IT and/or OT systems were affected, then how that happened. The extent to which the commercial and/or operational data is affected needs to be established, and to what extent any threat remains. Following this initial assessment, a ship’s data, IT and OT systems need to be cleaned, recovered and restored as far as possible to an operational condition by removing threats from the system and restoring software.  A thorough investigation is then needed to understand the causes and consequences of a cyber incident, with support from an external expert, if appropriate. 
 
To prevent a re-occurrence, sip-owners need implement actions from the outcome of the investigation, addressing any inadequacies in technical and/or procedural protection measures. Change on board procedures and work culture to prevent another  cyber breach. 
 
“There needs to be constant reminders of cyber hygiene and someone needs to keep an eye on board, perhaps as a cyber security officer .... Crew can “act as a buffer to reduce the effects of a successful attack” if they are trained and regularly practice, said Mr Roche.
 
Guidance: Key Issues To Address In Onboard Contingency Plans
 
The following is a non-exhaustive list of cyber incidents for contingency plans to consider:
 
• Loss of availability of electronic navigational equipment or loss of integrity of navigation-related data.
• Loss of availability or integrity of external data sources, including but not limited to Global Navigation Satellite Services.
• Loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System communications.
• Loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control.
• The event of a ransomware or denial or service incident.
  
IMO:        GovUK:          ImproSec:      Safety At Sea:    Riviera:  
 
You Might Also Read: 
 
Maritime Data For Sale On the Dark Web:
 
« British Cyber Security Market 2020
Schoolchildren Are Better At Cyber Security Than Their Teachers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CyTech Services

CyTech Services

CyTech provides unique services and solutions complemented with professional subject matter experts to both the Federal and Commercial sectors.

Navista

Navista

Navista's hardware and software modules are especially designed to ease the deployment of secure networks.

CyberArk Software

CyberArk Software

CyberArk is an established leader in privileged access management and offers the most complete set of Identity Security capabilities.

softScheck

softScheck

softScheck is an IT security consultancy. Services range from pentesting and compliance testing to security auditing of software and IT infrastructure.

Cyber Data-Risk Managers

Cyber Data-Risk Managers

Cyber Data-Risk Managers Pty Ltd is an insurance broker based in Melbourne, Australia specializing in Cyber insurance / Data breach insurance.

Packet Ninjas

Packet Ninjas

Packet Ninjas is a niche cyber security agency with specialized expertise in the use of digital intelligence to strengthen cyber security.

OmniNet

OmniNet

OmniNet delivers the next generation of cybersecurity and is the only provider in the market to move the edge of small businesses to a virtual, omnipresent perimeter.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Sikur

Sikur

Sikur have developed a communication platform that sets new boundaries for corporate privacy and security.

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

Swedish Board for Accreditation and Conformity Assessment (SWEDAC)

SWEDAC is the national accreditation body for Sweden. The directory of members provides details of organisations offering certification services for ISO 27001.

AnChain.AI

AnChain.AI

AnChain.AI's analytics platform proactively protects crypto assets by providing proprietary artificial intelligence, knowledge graphs, and threat intelligence on blockchain transactions.

C3.ai Digital Transformation Institute

C3.ai Digital Transformation Institute

The C3.ai Digital Transformation Institute is a research consortium dedicated to accelerating the benefits of artificial intelligence for business, government, and society.

Kralos

Kralos

Kralos are an experienced team of Software and IT experts, specialized in the development of innovative cybersecurity solutions.

Knowit

Knowit

Knowit support customers in the digital transformation, simplify people’s everyday lives and create secure and innovative solutions enabling a sustainable future.

Scope AI

Scope AI

Scope AI is an innovative technology company specializing in quantum security and machine learning.

CyberUpgrade

CyberUpgrade

CyberUpgrade is on a mission to empower executives to gain control over their organization’s cybersecurity.