The International Maritime Organization is a specialized agency of the United Nations, responsible for measures to improve the safety and security of international shipping and to prevent pollution from ships. It is also involved in legal matters, including liability and compensation issues and the facilitation of international maritime traffic. It currently has 174 Member States.
According to the IMO, maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
In 2017, the IMO adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). According to the resolution, an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
The same year, IMO developed MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management that covers maritime cyber risk management measures to safeguard shipping from current and emerging cyber threats and vulnerabilities.
According to MSC-FAL.1/Circ.3, vulnerable systems could include, but are not limited to:
1. Bridge systems;
2. Cargo handling and management systems;
3. Propulsion and machinery management and power control systems;
4. Access control systems;
5. Passenger servicing and management systems;
6. Passenger facing public networks;
7. Administrative and crew welfare systems; and
8. Communication systems.
According to MSC-FAL.1/Circ.3, the distinction between information technology (IT) and operational technology (OT) systems should be considered. Information technology systems may be thought of as focusing on the use of data as information. Operational technology systems may be thought of as focusing on the use of data to control or monitor physical processes. Furthermore, the protection of information and data exchange within these systems should also be considered.
While these technologies and systems provide significant efficiency gains for the maritime industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance and design of cyber-related systems, and from intentional and unintentional cyberthreats.
Threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions). In general, these actions expose vulnerabilities (e.g. outdated software or ineffective firewalls) or exploit a vulnerability in operational or information technology. Effective cyber risk management should consider both kinds of threat.
Vulnerabilities can result from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyber discipline. In general, where vulnerabilities in operational and/or information technology are exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation), there can be implications for security and the confidentiality, integrity and availability of information.
Additionally, when operational and/or information technology vulnerabilities are exposed or exploited, there can be implications for safety, particularly where critical systems (e.g. bridge navigation or main propulsion systems) are compromised.
Effective cyber risk management should also consider safety and security impacts resulting from the exposure or exploitation of vulnerabilities in information technology systems. This could result from inappropriate connection to operational technology systems or from procedural lapses by operational personnel or third parties, which may compromise these systems (e.g. inappropriate use of removable media such as a memory stick).
The IMO makes clear that effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
It is clear that cybersecurity is the new challenge for the maritime industry.
A new cybersecurity culture is necessary: the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations regarding cybersecurity shared by everyone in the organization. Managers and employees must be involved in the prevention of, detection of, and response to deliberate malicious acts that target systems, persons, and data.
We tailor the program to meet specific requirements. You may contact us to discuss your needs.
The program has been designed for all persons in the maritime industry that have authorized access to systems and data. This includes ship managers, port managers, harbour masters, ship superintendents, security officers, IT managers, port authorities, and entities operating within ports.
The program is beneficial to suppliers and service providers of the maritime industry.
The program lasts from one hour to one day, depending on your needs, the modules selected, and the case studies covered. We always tailor the program to the needs of each client.
Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.
Course synopsis, recommended training modules
Understanding the guidelines on cyber security onboard ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL.
- Understanding the challenges,
- Threats and vulnerabilities,
- Ship to shore interface,
- Risk exposure,
- Risk assessment made by the company and by third-parties,
- Protection and detection measures,
- Defence in depth and in breadth,
- Procedural protection measures,
- Respond to and recover from cyber security incidents,
- Losses arising from a cyber incident,
- Best practices, what to remember at all times.
Who is the “attacker”?
- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.
- Cyber Pirates.
- Hacktivists and the maritime industry.
- Professional criminals and information warriors.
- Cyber-attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.
How do the adversaries plan and execute the attack?
- Step 1 – Collecting information about persons and systems.
- Step 2 – Identifying possible targets and victims.
- Step 3 – Evaluation, recruitment, and testing.
- Step 4 – Privilege escalation.
- Step 5 – Identifying important clients and VIPs.
- Step 6 – Critical infrastructure.
Employees and their weaknesses and vulnerabilities.
- Employee collusion with external parties.
- Blackmailing employees: The art and the science.
- Romance fraudsters and webcam blackmail: what is the risk for the maritime industry?
What do we need? How can it be exploited?
- a. Speed and convenience.
It is difficult to balance speed, convenience, and security.
- b. Effective and efficient access to the web site, computers, and systems.
Examples of challenges and risks.
- c. Great customer service.
Example - how it can be exploited.
- d. A nice facility and great housekeeping.
Example - “The cleaning staff’s hack”.
- e. Food, drinks, and entertainment.
Point-of-sale (POS) fraud and challenges.
Credit card cloning.
- f. Internet access.
Honeypots, rogue access points, man-in-the-middle attacks.
- g. Security.
Unauthorized access is a major problem, and social engineering is a great tool for attackers.
- h. Privacy.
The maritime industry is considered one of the most vulnerable to data threats.
- i. Money (if they can sue the service provider for negligence).
What must be protected?
- Best practices for all employees that provide services and have authorized access to systems and data.
- What to do, what to avoid.
- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.
- Trojan Horses and free programs, games, and utilities.
- Reverse Social Engineering.
- Common social engineering techniques:
- 1. Pretexting.
- 2. Baiting.
- 3. Something for something (quid pro quo).
- 4. Tailgating.
- Clone phishing.
- Whaling – phishing for executives.
- Smishing and Vishing Attacks.
The online analogue of personal hygiene.
- Preparing and maintaining records.
- Entering and retrieving data into computer systems and devices.
- Researching and compiling reports from outside sources.
- Maintaining and updating files.
- Responding to emails and questions by telephone and in person.
- Ensuring that sensitive files, reports, and other data are properly tracked.
- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.
- The NotPetya infection of A.P. Moller-Maersk in June 2017, which entered the company through its office in Ukraine and halted container terminals worldwide, and the separate ransomware attack in July 2018 that disrupted Cosco's operations at the US Port of Long Beach.
- The cyber attack against Australian defence shipbuilder Austal.
- The Ryuk ransomware incident at a US maritime facility, reported by the US Coast Guard in a Marine Safety Alert in December 2019.
- Significant cyber security breaches reported in the maritime industry: 50 in 2017, 120 in 2018, 310 in 2019, and over 500 in 2020, with substantially more going unreported.
- What has happened?
- Why has it happened?
- What were the consequences?
- How could it be avoided?
Closing remarks and questions.
For more information, you may contact us.