As with many industries adopting smarter and more efficient technologies, the introduction of increased connectivity in maritime shipping operations is driven by a variety of reasons. Improvements to operational effectiveness require real-time information, and in the case of ships, it is crucial to have the latest information on weather and precise routing to ensure an optimal voyage. Smart shipping systems requiring remote access to data are being introduced for operational benefits, whilst the International Maritime Organisation (IMO) recommends equipping vessels with enhanced communication systems to attract young professionals wanting to stay in contact with family and friends.
Whilst the push to implement increased levels of connectivity is driving innovation in maritime operations, vessel owners need to remain wary that introducing new technology into legacy vessel systems can pose an increased risk and provide a greater attack surface for cyber-attacks. Therefore, it is important to take into consideration the risks and recommended actions to make your shipping operations cyber secure.
Risk Vs. Reward – Important considerations when implementing new technology
There are important reasons for the shift towards improvements in connectivity, relating to safety, efficiency and emergency purposes. As the maritime industry has low margins, it is important to monitor engine operations and fuel usage and to act upon deviations. The lack of expertise onboard requires the monitoring to be performed remotely, which also applies to other aspects such as engine room variables, allowing for early detection of electronic or mechanical issues. In the case of serious medical issues, remote access to on-shore doctors ensures necessary assistance in emergency scenarios. Having internet access onboard will also provide support to seafarers by means of CCTV security to assist law enforcement or naval agencies in gathering information on pirate threats.
In order to have access to these services or communicate externally, vessels require connectivity to on-shore stations. However, implementing newer technologies in existing legacy systems can pose a risk to vessel security, as these implementations were not taken into consideration at the design stage. Looking at statistics from the UNCTAD Review of Maritime Transport 2017, 58.08% of general cargo ships are over 20 years in operation, with the average lifespan being 25.21 years. Considering the industrial control systems in these vessels could have been designed more than 20 years ago, introducing higher levels of connectivity to these ships could increase the risk exponentially.
According to the IMO, fifty-five thousand ships are navigating the world’s oceans, bringing cargo or passengers from one place to another. Next to cargo (including hazardous oil & gas products) and passengers, ships are hosting hundreds of thousands of seafarers. An intentional misdirection of a vessel could cause enormous environmental disasters (e.g. the Exxon Valdez – 42 millions of crude oil), fatalities (Costa Concordia – 32 deaths) and huge financial losses. It is imperative to prevent manipulation of steering, amongst other systems, as a result of a successful breach in security.
Adhering to proven industry standards
The Department For Transport (DfT-UK), together with the IEC, published the Code of Practice: Cyber Security for Ships in 2017. It clearly indicates that the maritime sector can fall victim to cyber attacks if insufficient measures have been implemented, stating that expected threats include cyber misuse, activist groups, espionage, organized crime, terrorism and warfare. Ultimately, these actions destroy or delay maritime activities and are roadblocks for business.
In order to mitigate the risk of a possibly disastrous breach in maritime security, the resiliency of the ship infrastructure must be improved significantly to withstand malicious hacking attempts. It is important to know the current level of cyber resiliency within your shipping operations. The best starting point for implementing cyber security best practices is a Cyber Security Assessment (CSA) against the IEC62443 (the de facto International Industrial Control Systems Cyber Security Standard). The assessment will provide critical information about the possible vulnerabilities in the ship’s infrastructure, as well as external communications systems.
Taking the first step to increasing cyber resilience
The ISPS states that inspections require specialist knowledge, so it is important to contract a trusted party with extensive knowledge in securing industrial process control environments at sea. Applied Risk is highly experienced in securing maritime operations and can support your shipping company in safeguarding your maritime assets and complying with industry regulations. Our cyber security experts can perform on-site vessel assessments against the IEC62443 and provide recommendations to create low-risk business operations. This will form the basis of the Cyber Security Plan, which will fulfil part of the requirements of UK and European legislation and the ISPS Code (par 8.1 – 8.10). For more information about performing a security inspection, submit a contact request on our website.