Professional Documents
Culture Documents
001-Cyber Preparedness in Maritime Industry
001-Cyber Preparedness in Maritime Industry
ISSN: 2454-1532
Abstract - Automation, digitization and integration drive maritime industries now more than ever. The
maritime infrastructure is more reliant on cyber technology. Consequently, cyber security has been a major
cause of alarm in maritime industry. Cyber related incidents involving navigating, movement of cargo, and
other processes threaten lives, environment, property, and considerably disrupt maritime trade movement as
a result of cyber-attacks. Compared to other areas of protection and security, cyber risk management is
more challenging due to lack of information about the cyber-attacks and its impact. Until this information is
acquired, the impact and probability will continue to be uncertain. Recent experience of cyber-attacks in
maritime industry and from other business sectors such as banking, finance and insurance sectors, public
administration and airline industry have shown that any successful cyber-attacks might result in substantial
impact in providing services and compromise on safety of organizations assets. The main objectives of
cyber-attacks in the maritime business include media attention, denial of service, access to system targeted,
selling stolen data, hold the organizations for ransom on stolen data and system operability, organizing
fraudulent movement of cargo, gathering intelligence on precise location of the cargo, ship transportation,
handling plans, circumventing cyber security defenses, financial gain, disruption of economy, gaining
knowledge about critical information/national infrastructure. This paper focuses on the cyberspace risks
related with maritime industry and cyber preparedness in current global context.
Keywords - Dedicated Maritime systems, Cyber Risks, threats and Vulnerabilities; Cyber Security, Cyber
Preparedness.
19
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
Manufactured products, oil, natural gas, raw interconnected cyber systems to provide ship,
materials, and agricultural products move through cargo, passenger, and crew information to
ports every day. While these are manufactured in customs officials around the world. While these
many locations, they are transported to ports via technologies enable maritime industry to be
rail, truck or specifically designed pipelines, efficient and reliable, they introduce risks.
where they are loaded onto ships and barges for Exploitation or disruption of the interconnected
export to other international destinations. cyber systems cause disruption of trade and harm
Worldwide, the maritime business is making the maritime industry.
increasing use of technology for business and
operational functions. Vessels use geographic position system for
Vessel and service operators use computer navigation on exclusively networked GPS, while
systems and inter-connected technologies for using the same technologies for cargo tracking
navigating, communicating, engineering, control. Any disruption, multiple points of failure
movement of cargo, ballast, protection, and via a disruption to the GPS signals or malware,
environmental mechanism. Ports use computer- controls the way the signal is read, exhibited and
generated systems to work with drawbridges, used on the vessel or facility. There are various
control traffic lights, schedule trucks to deliver, intentions for organizations and individuals to
pick up containers and SCADA systems to control exploit these vulnerabilities.
pumps, valves, and pipelines delivering fuel. Those who target the maritime industry include
but are not limited to, or hacktivists, disgruntled
Dedicated Systems employees, cyber criminals, opportunists, state
Emergency systems such as security monitoring, sponsored attacks and terrorists. The motivation
cameras, fire detection, and alarms increasingly of such attacks includes reputational damage,
rely on cyber technology. Various cyber disruption of operations, financial gain,
dependent dedicated systems associated with commercial and industrial espionage, competitive
maritime industry is illustrated in figure1. intelligence, challenge, thrill or political gain.
Understanding cyber security threats and risks is
illustrated below.
Threat Actors
Motivation: Disruption, Espionage and Financial
Gain
Outsider
Hacktivists
Nation State Sponsored
Criminal Syndicates
Terrorists
Insider
Figure 1: Dedicated systems associated to Accidental/Unintentional
maritime industry Malicious Deliberate Insider
Disgruntled Employees
The maritime business uses interconnected cyber
I. CYBER VULNERABILITIES IN
network to enable financial transactions,
MARITIME INDUSTRY
implement contracts, place orders, and perform
related business functions over wireless networks
compared to other businesses. While cyber system exposures in shipboard
The international aspect of maritime systems are startling to professionals, it requires
transportation means that operators use an unusual skill set and precise timing to exploit
20
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
these vulnerabilities to disrupt shipping operations This is enabled by presenting malicious code
or cause alternatively a serious maritime casualty. which targets the movement of cargo and cargo
GPS jamming is one such weakness. management system on-board the ships network.
GPS Jammers produce a signal on the same Once the malware is planted in the freight
frequency comparable to that from the Global management system, the malicious code allows
Navigation Satellite Systems (GNSS) at a very remote management of the cargo manifest.
close range, overriding the dependable signal. The Cocaine was trafficked through a port embedding
incidents related to jamming signals are the malware.
particularly difficult to locate when operated in a Ransomware is additional tool for unsettling the
thickly populated area. Disrupting shipboard shipping industry, a technique to introduce a virus
navigation requires a GPS jammer to be placed in into a shipboard network using phishing/spear
the vicinity of the GPS probes onboard the ship phishing emails with attachments, facilitating
and control through steering of a regulated area. downloading from the internet, or through a
Interference in the GPS signal would activate an storage device. Any computer connected to the
alarm on the navigation system, enabling a network is locked out unless a ransom is paid.
priority to manual systems to autopilot. There are growing reports of logistics
organizations being affected. Some organizations
It is questionable that the interference of GPS pay via multiple payment mechanisms to maintain
signals places a vessel in a dangerous position, their functioning and decrease disruptions.
provided the signal officer is alert and acts in Vendors for warranty purposes control cargo and
accordance with his or her training and propulsion systems through remote monitoring
procedures. While this example portrays a radio which presents another dimension of
signal manipulation, not a cyber-attack, it still vulnerabilities. The unintentional introduction of
exposes the risks of navigation in an example that malware vis-à-vis targeted malicious attacks is
discloses the tip of the iceberg. serious-and much more likely to occur. Various
The voyage data recorder (VDR) is another area stakeholders have access to critical systems,
to show cyberspace vulnerabilities. which increases the opportunity for introduction
A VDR resembles an aircraft's black box and of malware in maritime trade.
essential component during investigations. It Obsolescence in technology Old and obsolete
accounts inputs like bridge audio and VHF operating systems are seldom updated, one of the
communications; vessel's position, speed, and leading causes for significant exposures in
heading; watertight and re door status; radar, monitoring and detection systems. Safety,
ECDIS, AIS, and echo depth sounder data; and communications, freight control, ballast water
other information, as required by international management, engineering, environmental control,
regulations. Hackers can control data captured by and other systems are equally vulnerable to such
the VDR. cyber-attacks.
For instance, a hacker can use this vulnerability to Third-party access Third parties visiting the ships
shield the cause of an attack or get rid of evidence require a connection to one or more computers on
of criminal activity on-board a vessel. Although board resulting in linking the ship to shore.
the risks related with VDR vulnerabilities is Operators, engineers, mechanics, port officials,
marginal since VDRs don't directly control the agents, vendors, board the ship and plug in
movement of a vessel, such vulnerabilities could storage devices, laptops and tablets. Some require
cause major harm when planned with other the use of removable media to update computers,
malicious activities. copy data and/or perform other tasks.
Cargo system and movement of cargo is another Customs officials and port officials board ships
part that causes substantial distractions at a port and demand using a computer to “print official
during freight movement. This has become a documents” through removable media. Lack of
proven method for trafficking goods into a port. control to access onboard systems result in
21
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
22
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
operations
23
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
Cyber security strategy aligned with organizations There are threat agents which exposes the
objectives vulnerability to cyber incidents in maritime
Designed with cooperation from industry as well.
management and other stakeholders The cyber controls implemented by the
enterprise onboard its ships.
Effective metrics developed for cyber Stakeholder management is one of the key
security strategy and execution factors in the operation and chartering of a
ship providing accountability for the IT
Optimally address
infrastructure.
o Strategic alignment Critical business and sensitive information
o Risk Management shared with shore-based service providers,
o Resource management including terminal information and where
o Value Delivery applicable, to the public authorities to be
o Assurance process controlled.
o Performance measurement The availability and use of computer-
o Integration controlled critical systems for the ship’s
Business processes, training, safety of the safety and for environmental protection.
ship and the environment need to be
focused more. These factors should be considered and relevant
Awareness on how the organization controls incorporated into the company cyber
interacts with customers, suppliers, security policies, physical and safety management
systems, and ship security plans.
authorities and co-operation between the
Users of these guidelines need to refer to specific
parties need to be coordinated. national, international and flag state conventions,
Allocate the budget to execute a full risk principles, regulations, procedures in addition to
assessment and develop or acquire pertinent international and industry standards and
solutions to be implemented in the best practices when designing, developing and
organization. implementing cyber risk management processes
associated to maritime trade.
Identify systems that are important to
IT and OT systems, enterprises need to consider
operation, safety and environmental auditing the third party service providers and
protection. vendors on software, hardware and maintenance
Assign the persons responsible for setting services they provide. Some companies use
cyber policies, procedures and enforce different providers responsible for software and
monitoring. cyber security checks. The growing use of big
Determine where secure remote access data, smart ships and the “internet of things” will
should use multiple defense layers and result in information available to cyber attackers
where protection of networks should be and the potential attack surface to cyber criminals.
disconnected from the internet. This makes the need for robust approaches to
Identification of needs for training of cyber risk management important both now and in
personnel. the future.
III. APPROACH TO CYBER RISK MANAGEMENT
24
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
maritime trade. Risk management in maritime and further develop best practices and additional
trade, much like any other operational or financial implementation recommendations and
risk, involves identifying risks, analyzing risks incorporating cyber risk management into existing
quantitatively or qualitatively, evaluating risks, safety management systems as provided by the
and finally treating risks responding to incidents, foundational guidelines.
and recovering from an incident by implementing A target of the first annual review of the
continuous improvement mechanisms. company's Document of Compliance after
The shipping company should decide the January 1, 2021 was affirmed by this resolution to
implementation of a cyber-risk management be addressed by safety management system which
program and include guidance for various became the first mandatory deadline in the
personnel of the organization, from the CEO maritime industry for establishment of cyber-
down to the deck plates. Many establishments related risks, and it is a critical step in protecting
have pursued to define how cyber risk the maritime transportation system and the
management should be implemented on ships, and industry as a whole from the ever-growing array
agreed to follow the Cyber security Framework of cyber threats.
developed by the National Institute of Standards One industry publication highlighting
and Technology (NIST). foundational elements is “The Guidelines on
The NIST framework was developed in 2014. Cyber Safety and Security On-board Ships”. A
The framework was designed to be an umbrella proactive approach to embed cyber risk
framework so that it could cater to any sector, management into the existing safety culture
ranging from financial or medical to before a significant incident occurs.
transportation or security. It defines five The table 2 illustrates various global maritime
functional elements that form the backbone of a cyber security regulations.
thorough cyber risk management program.
Additional guidelines and best practices were Cyber Security Regulations
derived within the maritime industry from this
framework. The table 2 illustrates various global maritime
The Inter-national Maritime Organization (IMO)'s cyber security regulations.
Maritime Safety Committee (MSC) developed
guidelines providing high-level recommendations TABLE 2: Various global maritime
to safeguard maritime trade from current and Cyber Security Regulation
evolving cyber-related threats and vulnerabilities. USA Development of maritime
The IMO guidelines on Maritime Cyber Risk regulations since Sept 2016
Management were finalized in July 2017 as MSC- Require incident reporting
FAL.1/Circ.3. since Jan 2017
These guidelines were an important landmark in Draft navigation and vessel
the management of cyber risks in the maritime inspection circular NVIC 05-17
industry. They implement the five functional (hearing)
elements detailed in the NIST framework, with France Recommendations on maritime
the goal of embedding these elements into all cyber security from Sept 2016
aspects of operations of the company and Norway Norwegian Maritime
personnel management in the same way industry Authorities’ report “Digital
has embraced safety culture by adopting and vulnerabilities in the maritime
safeguarding through safety management systems. sector” by DNV GL from April
In June 2017, the IMO's Maritime Safety 2015
Committee published resolution 428(98) Cyber
Netherland Dutch Data Processing and
Risk Management in Safety Management
Cyber security Notification
Systems. The focus was to empower organizations
25
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
Obligation Act, since Jan 2017 Management systems are one of the major
Japan Development of Japanese suggestions given by them. Though the guidelines
guideline for cyber security are not mandatory, the member governments are
applicable to maritime assets encouraged to apply them.
supported by DNV GL since Cyber threat assessment in maritime industry
2016 should have a holistic approach inclusive of
Germany IT-Sicherheitsgesetz from June people, process and technology and operations as
2015 –includes ports but not illustrated in figure 3.
ships
India Guidelines on maritime Cyber
Safety, 2017
26
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
27
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
28
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.