Managing cyber risk
Asset safety and cyber protection are high on owners’ agenda. But growing threats, in the form of data theft or sabotage of operations as a result of cyber security breaches, are little understood. We talk through the risks, and possible ways to address them.
Cyber crime takes two main forms: data theft, and sabotage of operations. Attacks range from denial-of-service to phishing and the use of ransomware. Attacks can compromise key navigation systems such as GPS, AIS and ECDIS, causing the vessel to stray off path and risk collision or takeover by pirates. Hackers may also target the Dynamic Positioning (DP) system or the Planned Maintenance System (PMS) to disrupt operations or cause damage to the asset. Onshore cargo management systems can also be hacked to arrange transport of drugs or other illicit goods.
Various standards exist, including the NIST Cyber Security Framework and BIMCO’s Guidelines on Cyber Security Onboard Ships, both of which follow a risk-based approach. At Bureau Veritas, we have been working to address cyber security and safety for a number of years, and have a dedicated in-house marine cyber security expert team working alongside our maritime risk experts.
We have developed class notations to help owners address cyber safety and security issues onboard. These also crucially cover the protection of communication systems for data collection and remote access – a major vulnerability due to the high exposure level.
Focusing on software change management to ensure that installations of new software versions are properly tracked, our SW-Registry notation provides recognition of compliance with the latest IACS UR E22. Owners must create and maintain a certified register of software used in onboard systems.
This voluntary notation seeks to prevent external attacks on connected ships through remote access. It protects the exchange of data between ship and shore, covering the communications system and its immediate environment. A security risk analysis is required to identify and mitigate the main vulnerabilities.
Furthermore, three levels of cyber security notations are being developed in close cooperation with industry partners – for step-wise entry into force in 2018 and 2019:
1. CYBER MANAGED
Controls security through manual procedures, including traceability and change management, making it readily applicable to newbuilds and ships in service. A security risk analysis methodology with a practical standard template is proposed, which can be performed in-house by the ship manager. No specific equipment needs to be installed, but the notation does include minimum technical requirements for remote access management and network connections.
2. CYBER SECURE
Controls security with automatic software using on-board technical equipment, making it most suitable for newbuilds. The rules are based on an asset cyber-security-by-design philosophy and include specific mandatory requirements for connected on-board equipment with a high level of criticality.
In-depth security control through an onshore Security Operation Center monitoring a fleet of assets. The notation covers active threat detection at sea for network traffic and systems activity, live status of equipment vulnerabilities, and local and remote incident response capabilities. Security Operation Center connections are part of the perimeter, and cloud usage is covered.
Photo credits ©Damen Shipyards