9th January, 2016. London: In order to secure the shipping industry against the threat of cyber attacks has launched a set of guidelines. BIMCO or Baltic and International Maritime Council is one of the world’s largest shipping organization consists of 130 countries with about 2300 members including shop owners, managers, operators, broker and agents who provide technical information, advice and education to develop and maintain industry standards.
BIMCO’s comprehensive guide on cyber security published in January 2016 gives a detailed insight on understanding the cyber threat, assessing and reducing the risk and development of contingency plans. Operational Technology (OT) and Information Technology (IT) are increasingly being networked together as technology continues to develop with each passing day. Since it is more frequently connected to the worldwide web, it ushers greater risk of odious attacks to ships’ systems and increases the chances of unauthorized access. Risk could also be posed in the form of onboard individuals who have access to the ships’ operating systems and therefore, use removable media to introduce malware.
Cyber security has been much talk about over the past few years, owing to the rapid development of technology and systems. In 2013, BIMCO’s Executive Committee had highlighted the importance of cyber security. The Council gathered information over 2013 and 2014 in order to deal with cyber security needs and challenges in the maritime sector. In March 2014, it was decided that BIMCO would develop a industry guidance on cyber security for ships. It is imperative to be prepared for the consequences of a cyber threat. The latest cyber security guidelines have been designed by a group of international shipping organizations with the assistance of numerous stakeholders to develop resilient approach towards cyber security for onboard ships. Although these approaches could be ship and company specific, they should be governed by national regulations and appropriate standards. The guidelines have been developed jointly with International Chamber of Shipping (ICS), Cruise Lines International Association (CLIA), Intercargo and Intertanko. Navigation systems such as GNSS, ECDIS, VDR, AIS and Radar/ARPA together with cargo management systems and propulsion monitoring systems, including every system which corresponds with the shoreside networks are vulnerable to cyber threats.
Cyber Risk Management is being regarded as a complimentary measure over the existing security and safety risk management requirements, as mentioned in the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code. In order to run ship operations efficiently and securely, cyber security should be considered by every level of the company i.e. from the senior managers to the crew on board. The Cyber Security Guidelines have been introduced to create awareness and develop understanding of cyber security. Wherein international standards and guidelines already cover the aspects of cyber security for shoreside operations, the Cyber Security Guidelines focus on the how to handle the cyber security issues faced by the shipping industry for onboard ships. These guidelines cover the below points:
- How to create awareness of security, safety and commercial risks for shipping companies in case there is no cyber security measure available.
- How to connect equipment, shipboard OT and IT infrastructure.
- How to impart required and necessary information and access to the users of the systems in the ships.
- How to protect data used on onboard ships.
- How to provide authorization for users especially during maintenance and on board support
- How to protect data being exchanged between the shore and the ship. In the event of a cyber threat, in order to maintain the security and the commercial viability of the ship, a response plan is required which can immediately recover data and systems and take back the operations to normal at the earliest.
Cyber Risk is specific to the ship, company, trade and operation. Cyber risk is more challenging because there is hardly any red flag with regards to the incidents and their impacts. Individuals and organizations exploit cyber credibility for numerous reasons. Opportunists, Activists, State sponsored organizations, criminals and terrorists have several benefits such as financial and political gain, damage of reputation and commercial and financial espionage. They are essentially equipped with the skills and resources to threaten a ship’s security. Moreover, the cyber security case could also be of an on board employee compromising data unknowingly. Whatever maybe the case, it is imperative to adhere by the cyber security guidelines at any cost.
Cyber attacks could of two types: a targeted attack or an untargeted one. During the former attack, the ship’s data systems are the primary and intended target. In an untargeted attack, a company or ship’s data systems are one of many targets. Cyber attacks are conducted in stages. Sometimes activists take a long period of time to make elaborate preparations and before bringing down their target. Ships and companies should have appropriate access to contingency plans in order to effectively respond to cyber threats. Due to the complexity and severity of cyber incidents, sometimes it might become challenging for the ship or the company to appropriately respond to them. In such cases, external expert assistance needs to be sought in order to minimize compromised operation and make recovery work easier. Contingency plans should be tested periodically to sustain efficiency. The development of this framework is based on industry standards and best practices created through collaboration between private sectors and national authorities. The cyber security guidelines rely on numerous existing standards, practices and guidelines to enable critical infrastructure providers to achieve reliance.
Risk Management programs offer the competency to quantify and communicate adjustments to the cyber security set up of an organization. Risk can be handled in a variety of ways- by mitigating it, transferring it, avoiding it or accepting it. In order to handle this aspect efficiently, the on board employees, the other crew personnel and the owners should be aware of the causes and effects of a cyber incident. Only then they can determine the accepted risk level and when to trigger alarm. Therefore, the cyber security knowledge is mandatory for everyone operating in the maritime industry.