Digital

Managing cyber risk

08.17.18

Asset safety and cyber protection are high on owners’ agenda. But growing threats, in the form of data theft or sabotage of operations as a result of cyber security breaches, are little understood. We talk through the risks, and possible ways to address them.

Autonomous Tugboat - Courtesy of Damen Shipyards

What is the threat?

Modern ships and platforms make use of increasingly complex information technology. Systems and infrastructure are highly integrated, and collect extensive data, which is often accessible remotely as systems become part of the Internet of Things. As such they present an attractive target for hackers, whose motivations can range from financial gain to sabotage or a desire to gain access to intellectual property.
After some recent high profile maritime incidents, the issue is increasingly of concern for owners and operators as a cyber attack could have major consequences, including loss of life or asset.

Cyber crime

Cyber crime takes two main forms: data theft, and sabotage of operations. Attacks range from denial-of-service, to phishing and use of ransomware. Attacks can compromise key navigation systems such as GPS, AIS and ECDIS, causing the vessel to stray off path and risk collision or takeover by pirates. Hackers may also target the Dynamic Positioning (DP) system, or the Planned Maintenance System (PMS) to disrupt operations or cause damage to the asset. Onshore cargo management systems can also be hacked to arrange transport of drugs or other illicit goods.

Cyber Safety & Security

Cybersecurity and cyber safety: know the difference

Cyber safety focuses on maintaining system reliability and availability, and ensuring safety and maintenance. It is not concerned with malicious attacks. Instead, it seeks to identify and mitigate system flaws or human behavior that could compromise safety and efficient running of the system.

Cyber security, by contrast, focuses on reducing the likelihood and impact of unauthorized access to hardware and software systems

How can you protect your vessel and operations?

Various standards exist, including NIST Cyber Security Framework and BIMCO’s Guidelines on Cyber Security Onboard Ships, which are following a risk-based approach. At Bureau Veritas, we have been working to address cyber security and safety for a number of years, and have an in-house dedicated marine cyber security expert team working alongside our maritime risk experts.

We have developed class notations to help owners address cyber safety and security issues onboard. These also crucially cover the protection of communication systems for data collection and remote access – a major vulnerability due to the high exposure level security risk analysis


SW-Registry

Focusing on software change management to ensure that installations of new software versions are properly tracked, our SW-Registry notation provides recognition of compliance with the latest IACS UR E22. Owners must create and maintain a certified register of software used in onboard systems.

SYS-COM

This voluntary notation seeks to prevent external attacks on connected ships through remote access. It protects the exchange of data between ship and shore, covering the communications system and its immediate environment. A security risk analysis is required to identify and mitigate the main vulnerabilities.

Furthermore, three levels of cyber security notations are being developed in close cooperation with industry partners – for step-wise entry into force in 2018 and 2019:

1. CYBER MANAGED 

Controls security through manual procedures, including traceability and change management, making it readily applicable to newbuilds and ships in service. A security risk analysis methodology with a practical standard template is proposed, which can be performed in-house by the ship manager. No specific equipment needs to be installed, but the notation does include minimum technical requirements for remote access management and network connections.

2. CYBER SECURE

Controls security with automatic software using on-board technical equipment, making it most suitable for newbuilds. The rules are based on asset cyber security by design philosophy and include specific mandatory requirements for connected on-board equipment with high level of criticality.
 

SECURITY OPERATION CENTER

In-depth security control making through an onshore Security Operation Center monitoring a fleet of assets. The notation covers active threat detection at sea for network traffic and systems activity, live status of equipment vulnerabilities and local and remote incident response capabilities. Security Operation Center connections are part of the perimeter and cloud usage is covered.

Gijsbert de Jong

Our cyber security related notations seek to provide a holistic yet pragmatic response to cyber threats. At the highest level, live threat detection keeps owners continually protected.

Gijsbert de Jong Marine Marketing & Sales Director

Photo credits ©Damen Shipyards