001-Cyber Preparedness in Maritime Industry

International Journal of Scientific and Technical Advancements
ISSN: 2454-1532
Cyber Preparedness in Maritime Industry

N.Kala1, Mahesh Balakrishnan2
Director i/c, Center - Cyber Forensics and Information Security, University of Madras, Chennai – 600005
2
Information Security Consultant, Chennai-600080,
1
kalabaskar@gmail.com
2
mahesh.balakrishnan@live.com
Abstract - Automation, digitization and integration drive maritime industries now more than ever. The
maritime infrastructure is more reliant on cyber technology. Consequently, cyber security has been a major
cause of alarm in maritime industry. Cyber related incidents involving navigating, movement of cargo, and
other processes threaten lives, environment, property, and considerably disrupt maritime trade movement as
a result of cyber-attacks. Compared to other areas of protection and security, cyber risk management is
more challenging due to lack of information about the cyber-attacks and its impact. Until this information is
acquired, the impact and probability will continue to be uncertain. Recent experience of cyber-attacks in
maritime industry and from other business sectors such as banking, finance and insurance sectors, public
administration and airline industry have shown that any successful cyber-attacks might result in substantial
impact in providing services and compromise on safety of organizations assets. The main objectives of
cyber-attacks in the maritime business include media attention, denial of service, access to system targeted,
selling stolen data, hold the organizations for ransom on stolen data and system operability, organizing
fraudulent movement of cargo, gathering intelligence on precise location of the cargo, ship transportation,
handling plans, circumventing cyber security defenses, financial gain, disruption of economy, gaining
knowledge about critical information/national infrastructure. This paper focuses on the cyberspace risks
related with maritime industry and cyber preparedness in current global context.
Keywords - Dedicated Maritime systems, Cyber Risks, threats and Vulnerabilities; Cyber Security, Cyber
Preparedness.
Introduction navigation of ships, seafarers, ship owning and

other related activities.
Maritime Industry Cyberattack
The maritime industry includes all enterprises Cyberattack is an offensive exercise that targets
engaged in the business of designing, computer information systems, infrastructure,
constructing, manufacturing, acquiring, operating, computer networks, or personal computer devices.
supplying, repairing and/or maintaining vessels, An attacker is a person or process that attempts to
or component parts. The industry manages and access data, functions or other restricted areas of
operates shipping lines, and customs brokerage the system without authorization, potentially with
services, shipyards and dry docks. Maritime malicious intent. A cyber-attack can be employed
transport is responsible for about 85% of global by nation-states, individuals, groups, society or
trade. The act of carriage of cargo using shipping organizations. A cyber-attack may originate from
services offered by shipping lines, the processes an anonymous source. A cyber-attack may steal,
involved in getting the cargo from the alter, or destroy a specified target by hacking into
manufacturers warehouse to the receiver’s a susceptible system. Cyber-attacks can range
warehouse including arranging for shipping from installing spyware on a personal computer to
services offered by the shipping lines using the attempting to destroy the infrastructure of entire
ships and anything related to the ocean, sea, ships, nations. Cyber-attacks have become increasingly
sophisticated and dangerous.
19
N. Kala and Mahesh Balakrishnan, “Cyber Preparedness in Maritime Industry,” International Journal of Scientific and Technical
Advancements, Volume 5, Issue 2, pp. 19-28, 2019.
ISSN: 2454-1532
Manufactured products, oil, natural gas, raw interconnected cyber systems to provide ship,
materials, and agricultural products move through cargo, passenger, and crew information to
ports every day. While these are manufactured in customs officials around the world. While these
many locations, they are transported to ports via technologies enable maritime industry to be
rail, truck or specifically designed pipelines, efficient and reliable, they introduce risks.
where they are loaded onto ships and barges for Exploitation or disruption of the interconnected
export to other international destinations. cyber systems cause disruption of trade and harm
Worldwide, the maritime business is making the maritime industry.
increasing use of technology for business and
operational functions. Vessels use geographic position system for
Vessel and service operators use computer navigation on exclusively networked GPS, while
systems and inter-connected technologies for using the same technologies for cargo tracking
navigating, communicating, engineering, control. Any disruption, multiple points of failure
movement of cargo, ballast, protection, and via a disruption to the GPS signals or malware,
environmental mechanism. Ports use computer- controls the way the signal is read, exhibited and
generated systems to work with drawbridges, used on the vessel or facility. There are various
control traffic lights, schedule trucks to deliver, intentions for organizations and individuals to
pick up containers and SCADA systems to control exploit these vulnerabilities.
pumps, valves, and pipelines delivering fuel. Those who target the maritime industry include
but are not limited to, or hacktivists, disgruntled
Dedicated Systems employees, cyber criminals, opportunists, state
Emergency systems such as security monitoring, sponsored attacks and terrorists. The motivation
cameras, fire detection, and alarms increasingly of such attacks includes reputational damage,
rely on cyber technology. Various cyber disruption of operations, financial gain,
dependent dedicated systems associated with commercial and industrial espionage, competitive
maritime industry is illustrated in figure1. intelligence, challenge, thrill or political gain.
Understanding cyber security threats and risks is
illustrated below.
Threat Actors
Motivation: Disruption, Espionage and Financial
Gain
Outsider
 Hacktivists
 Nation State Sponsored
 Criminal Syndicates
 Terrorists
Insider
Figure 1: Dedicated systems associated to  Accidental/Unintentional
maritime industry  Malicious Deliberate Insider
 Disgruntled Employees
The maritime business uses interconnected cyber
I. CYBER VULNERABILITIES IN
network to enable financial transactions,
MARITIME INDUSTRY
implement contracts, place orders, and perform
related business functions over wireless networks
compared to other businesses. While cyber system exposures in shipboard
The international aspect of maritime systems are startling to professionals, it requires
transportation means that operators use an unusual skill set and precise timing to exploit
20
ISSN: 2454-1532
these vulnerabilities to disrupt shipping operations This is enabled by presenting malicious code
or cause alternatively a serious maritime casualty. which targets the movement of cargo and cargo
GPS jamming is one such weakness. management system on-board the ships network.
GPS Jammers produce a signal on the same Once the malware is planted in the freight
frequency comparable to that from the Global management system, the malicious code allows
Navigation Satellite Systems (GNSS) at a very remote management of the cargo manifest.
close range, overriding the dependable signal. The Cocaine was trafficked through a port embedding
incidents related to jamming signals are the malware.
particularly difficult to locate when operated in a Ransomware is additional tool for unsettling the
thickly populated area. Disrupting shipboard shipping industry, a technique to introduce a virus
navigation requires a GPS jammer to be placed in into a shipboard network using phishing/spear
the vicinity of the GPS probes onboard the ship phishing emails with attachments, facilitating
and control through steering of a regulated area. downloading from the internet, or through a
Interference in the GPS signal would activate an storage device. Any computer connected to the
alarm on the navigation system, enabling a network is locked out unless a ransom is paid.
priority to manual systems to autopilot. There are growing reports of logistics
organizations being affected. Some organizations
It is questionable that the interference of GPS pay via multiple payment mechanisms to maintain
signals places a vessel in a dangerous position, their functioning and decrease disruptions.
provided the signal officer is alert and acts in Vendors for warranty purposes control cargo and
accordance with his or her training and propulsion systems through remote monitoring
procedures. While this example portrays a radio which presents another dimension of
signal manipulation, not a cyber-attack, it still vulnerabilities. The unintentional introduction of
exposes the risks of navigation in an example that malware vis-à-vis targeted malicious attacks is
discloses the tip of the iceberg. serious-and much more likely to occur. Various
The voyage data recorder (VDR) is another area stakeholders have access to critical systems,
to show cyberspace vulnerabilities. which increases the opportunity for introduction
A VDR resembles an aircraft's black box and of malware in maritime trade.
essential component during investigations. It Obsolescence in technology Old and obsolete
accounts inputs like bridge audio and VHF operating systems are seldom updated, one of the
communications; vessel's position, speed, and leading causes for significant exposures in
heading; watertight and re door status; radar, monitoring and detection systems. Safety,
ECDIS, AIS, and echo depth sounder data; and communications, freight control, ballast water
other information, as required by international management, engineering, environmental control,
regulations. Hackers can control data captured by and other systems are equally vulnerable to such
the VDR. cyber-attacks.
For instance, a hacker can use this vulnerability to Third-party access Third parties visiting the ships
shield the cause of an attack or get rid of evidence require a connection to one or more computers on
of criminal activity on-board a vessel. Although board resulting in linking the ship to shore.
the risks related with VDR vulnerabilities is Operators, engineers, mechanics, port officials,
marginal since VDRs don't directly control the agents, vendors, board the ship and plug in
movement of a vessel, such vulnerabilities could storage devices, laptops and tablets. Some require
cause major harm when planned with other the use of removable media to update computers,
malicious activities. copy data and/or perform other tasks.
Cargo system and movement of cargo is another Customs officials and port officials board ships
part that causes substantial distractions at a port and demand using a computer to “print official
during freight movement. This has become a documents” through removable media. Lack of
proven method for trafficking goods into a port. control to access onboard systems result in
21
ISSN: 2454-1532
disruptions to operate the ship, e.g. during dry- CYBER RISK

II.
docking and layups. Risk is the uncertainty on achieving
In such cases, it is challenging to recognize if organization’s objectives.
malicious code has been embedded in the onboard Cyber risk means any risk of financial loss,
systems. It is suggested that sensitive data is disruption or damage to the reputation of an
removed from the ship and reinstalled on organization from some sort of failure of its
returning to the ship. Where possible, systems information technology systems.
should be scanned for malware prior to use. OT The following are some of the maritime cyber
systems should be tested to check that they are risks which can materialize and their potential
functioning correctly. impact for businesses and the ships they operate.
Some IT and OT systems are remotely accessible The same is illustrated in Table 1.
and may operate with an uninterrupted internet
connection for remote monitoring, data collection, TABLE 1: Cyberspace Risks Associated With
and ongoing maintenance functions, protection Maritime Industry.
and security. These systems can be “third party Group Objective / Motivation Impact
systems”, whereby the vendor remotely monitors
Risk
and manages the systems. These systems could
include two-way data flow and upload-only. Communication Deleting data Disruption Destruction of
The following systems and work stations work Data

with remote access are: AIS Spoofing Modification Penetration of
 Bridge and engine room systems and work Penetration AIS
stations on the ship’s administrative Controlled Signal Entire vessel
network navigation Modification
 Cargo such as containers with temperature GPS jamming Disruption Onboard
control systems or specialized communication
consignment that are tracked remotely disrupted
 Stability decision support systems
Penetrating Exploitation of Remote attacks
 Hull stress monitoring systems
satellite vulnerabilities
 Navigational systems including Electronic
communications
Navigation Chart (ENC) Voyage Data
APT Pre-install Business Destruction of
Recorder (VDR), dynamic positioning
(DP) malware disruption data
 Freight handling and stowage, engine, and Interruption of Malicious Business
freight management and load planning services intention operations

systems Access Controls Alternative Ghost Drugs smuggled
 Safety and security networks, such as Services Shipping
CCTV (closed circuit television) Bypassing Penetrating Access to
 Specialized systems such as drilling customs systems containers
operations, blow out preventers, subsea Fraudulent Perform Inappropriate
installation systems actions different roles access rights
 Emergency Shutdown (ESD) for gas Penetration Modification - Unauthorized
tankers, submarine cable installation and Code Exploits Code access
repair. Activists Geopolitical Cause harm to Loss of business

Damage to operations Media attention
intangible assets
Inefficiency in
22
ISSN: 2454-1532
operations
Dos/DDoS Install malware Malicious Denial of

Phishing Reputational intent services
Spear Phishing damage Selling stolen
Backdoor Extract data
information Disruption in
supply chain
Espionage Commercial Financial gain Selling stolen
Industrial data
Reconnaissance
for further
attacks
Cyber insurance Coverage of To cover Payouts are
cyber insurance malicious act excluded for
Figure 2: Cyber-attacks in the maritime trade
is excluded of cyber cyber attacks
attacks Cyber Preparedness
Network Breach Penetration of Disruption of
enterprise information business While it is not possible to mitigate all the cyber
network and systems incidents, prevention mechanisms is very
subsequently important to reduce the overall risks to the public
ships
and maritime industry. Cyber risk assessment
should be focused at board level of an
Obsolescence Legacy systems Lack of review Vulnerabilities
organization, rather than operations or IT
are not updated on information exploited
department.
systems
People Posting Financial gain Shipping routes Primary drivers for cyber preparedness
information in available in  Regulatory compliance
public forums public domain  High frequency and cost related to cyber
Social Penetrating Denial of security incidents
engineering maritime critical services  Concerns over reputational damage
authorities  Loss of information
Employees Inadvertent Denial of Cyber preparedness starts with designing and
charging downloads of services developing a cyber-security program with the
personal devices malicious following elements.
onboard the ship content • Defined desired outcomes and objectives
Privacy Data transfer Transfer of Inappropriate for cyber security.
across borders personal data privacy • Determine current state
information regulations • Gap Analysis
• Develop strategy and create roadmap
Based on the risks mentioned above, the • Develop program to implement cyber
following are the cyber-attacks in the maritime security
business which are classified as targeted and • Manage Program
untargeted attacks. The same is shown in figure 2.
23
ISSN: 2454-1532
Cyber security strategy aligned with organizations There are threat agents which exposes the
objectives vulnerability to cyber incidents in maritime
 Designed with cooperation from industry as well.
management and other stakeholders  The cyber controls implemented by the
enterprise onboard its ships.
 Effective metrics developed for cyber  Stakeholder management is one of the key
security strategy and execution factors in the operation and chartering of a
ship providing accountability for the IT
 Optimally address
infrastructure.
o Strategic alignment  Critical business and sensitive information
o Risk Management shared with shore-based service providers,
o Resource management including terminal information and where
o Value Delivery applicable, to the public authorities to be
o Assurance process controlled.
o Performance measurement  The availability and use of computer-
o Integration controlled critical systems for the ship’s
 Business processes, training, safety of the safety and for environmental protection.
ship and the environment need to be
focused more. These factors should be considered and relevant
 Awareness on how the organization controls incorporated into the company cyber
interacts with customers, suppliers, security policies, physical and safety management
systems, and ship security plans.
authorities and co-operation between the
Users of these guidelines need to refer to specific
parties need to be coordinated. national, international and flag state conventions,
 Allocate the budget to execute a full risk principles, regulations, procedures in addition to
assessment and develop or acquire pertinent international and industry standards and
solutions to be implemented in the best practices when designing, developing and
organization. implementing cyber risk management processes
associated to maritime trade.
 Identify systems that are important to
IT and OT systems, enterprises need to consider
operation, safety and environmental auditing the third party service providers and
protection. vendors on software, hardware and maintenance
 Assign the persons responsible for setting services they provide. Some companies use
cyber policies, procedures and enforce different providers responsible for software and
monitoring. cyber security checks. The growing use of big
 Determine where secure remote access data, smart ships and the “internet of things” will
should use multiple defense layers and result in information available to cyber attackers
where protection of networks should be and the potential attack surface to cyber criminals.
disconnected from the internet. This makes the need for robust approaches to
 Identification of needs for training of cyber risk management important both now and in
personnel. the future.
III. APPROACH TO CYBER RISK MANAGEMENT
Risk management addresses cyber-related risks by

extending security controls to technologies in
24
ISSN: 2454-1532
maritime trade. Risk management in maritime and further develop best practices and additional
trade, much like any other operational or financial implementation recommendations and
risk, involves identifying risks, analyzing risks incorporating cyber risk management into existing
quantitatively or qualitatively, evaluating risks, safety management systems as provided by the
and finally treating risks responding to incidents, foundational guidelines.
and recovering from an incident by implementing A target of the first annual review of the
continuous improvement mechanisms. company's Document of Compliance after
The shipping company should decide the January 1, 2021 was affirmed by this resolution to
implementation of a cyber-risk management be addressed by safety management system which
program and include guidance for various became the first mandatory deadline in the
personnel of the organization, from the CEO maritime industry for establishment of cyber-
down to the deck plates. Many establishments related risks, and it is a critical step in protecting
have pursued to define how cyber risk the maritime transportation system and the
management should be implemented on ships, and industry as a whole from the ever-growing array
agreed to follow the Cyber security Framework of cyber threats.
developed by the National Institute of Standards One industry publication highlighting
and Technology (NIST). foundational elements is “The Guidelines on
The NIST framework was developed in 2014. Cyber Safety and Security On-board Ships”. A
The framework was designed to be an umbrella proactive approach to embed cyber risk
framework so that it could cater to any sector, management into the existing safety culture
ranging from financial or medical to before a significant incident occurs.
transportation or security. It defines five The table 2 illustrates various global maritime
functional elements that form the backbone of a cyber security regulations.
thorough cyber risk management program.
Additional guidelines and best practices were Cyber Security Regulations
derived within the maritime industry from this
framework. The table 2 illustrates various global maritime
The Inter-national Maritime Organization (IMO)'s cyber security regulations.
Maritime Safety Committee (MSC) developed
guidelines providing high-level recommendations TABLE 2: Various global maritime
to safeguard maritime trade from current and Cyber Security Regulation
evolving cyber-related threats and vulnerabilities. USA  Development of maritime
The IMO guidelines on Maritime Cyber Risk regulations since Sept 2016
Management were finalized in July 2017 as MSC-  Require incident reporting
FAL.1/Circ.3. since Jan 2017
These guidelines were an important landmark in  Draft navigation and vessel
the management of cyber risks in the maritime inspection circular NVIC 05-17
industry. They implement the five functional (hearing)
elements detailed in the NIST framework, with France  Recommendations on maritime
the goal of embedding these elements into all cyber security from Sept 2016
aspects of operations of the company and Norway  Norwegian Maritime
personnel management in the same way industry Authorities’ report “Digital
has embraced safety culture by adopting and vulnerabilities in the maritime
safeguarding through safety management systems. sector” by DNV GL from April
In June 2017, the IMO's Maritime Safety 2015
Committee published resolution 428(98) Cyber
Netherland  Dutch Data Processing and
Risk Management in Safety Management
Cyber security Notification
Systems. The focus was to empower organizations
25
ISSN: 2454-1532
Obligation Act, since Jan 2017 Management systems are one of the major
Japan  Development of Japanese suggestions given by them. Though the guidelines
guideline for cyber security are not mandatory, the member governments are
applicable to maritime assets encouraged to apply them.
supported by DNV GL since Cyber threat assessment in maritime industry
2016 should have a holistic approach inclusive of
Germany  IT-Sicherheitsgesetz from June people, process and technology and operations as
2015 –includes ports but not illustrated in figure 3.
ships
India  Guidelines on maritime Cyber
Safety, 2017
There is a market demand for more consideration

of cyber risks since 2017. Those include
 Tanker Management and self -assessment
(TMSA) no.3 was published in April 2017
by including two elements especially for
cyber security. These include:
o Element 7, which talks about
Change management
o Element 13, which talks about
Maritime Security
 KPIs and third party audits
o Software management procedures

covers all shipboard and shore
systems Figure 3: Holistic approach to cyber security
o Actively promoting cyber security Conclusion
awareness Addressing the risks and vulnerabilities through a
o Policy and procedures include cyber-security program helps the maritime
cyber security industry to be prepared in the cyber world in the
o Charters demand TSMA audits of current global environment. Obtaining the
definitive information about the cyber-attacks in
ships and TMSA 3 to be met from
the business sectors helps maritime industry and
1st Jan. 2018 onwards the other organizations to be proactively prepared
in the cyber arena. Cyber risk management
Owing to the impact of cyber risks – it should be through the risk identification, risk assessment,
addressed in safety management of systems risk evaluation and risk treatment will drive the
according to the International Maritime automation, digitization and integration in the
Organization, the Maritime Safety committee maritime trade.
agreed that there is an urgent need to raise the
awareness on cyber risks and threats and REFERENCES
IV.
vulnerabilities. Integration cyber risks as a part of 1. The guidelines on Cyber security onboard
safety management systems (ISPS and ISM ships (2018), Bimco, CLIA, ICS, Intercargo,
Codes). MSC 98 adopted resolution MSC.428
(98) on Maritime Cyber Risk Management in
26
ISSN: 2454-1532
Intermanager, Intertanko, IUMI, OCIMFand

World Shipping Council.
2. Advanced Persistent Threat Awareness
(2014), ISACA, Available online:
www.isaca.org/cyber
3. Cyber Security resilience Management for
ships and mobile offshore units in operation
(2016). Available online:
http://www.dnvgl.com
4. Guidelines on Maritime Cyber Safety (2017)
IRCLASS, Indian Register of Shipping
5. International Union of Marine Insurance
(IUMI).(2017). Ship Operation Safety &
Security
6. ISM Code Examples of Cyber Security audit
findings: Simple steps to get started (2017).
Available online: www.dnvgl.com/rpcs.
7. ISTQB Standard glossary of terms used in
Software Testing
8. W., Lin, Tom C. (14 April 2016). "Financial
Weapons of War"
9. https://www.theirm.org/knowledge-and-
resources/thought-leadership/cyber-risk/
27
ISSN: 2454-1532
28

001-Cyber Preparedness in Maritime Industry

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

001-Cyber Preparedness in Maritime Industry

Uploaded by

Copyright:

Available Formats

International Journal of Scientific and Technical Advancements

Cyber Preparedness in Maritime Industry

Introduction navigation of ships, seafarers, ship owning and

disruptions to operate the ship, e.g. during dry- CYBER RISK

The following systems and work stations work Data

 Freight handling and stowage, engine, and Interruption of Malicious Business

freight management and load planning services intention operations

repair. Activists Geopolitical Cause harm to Loss of business

Dos/DDoS Install malware Malicious Denial of

Risk management addresses cyber-related risks by

There is a market demand for more consideration

o Software management procedures

Intermanager, Intertanko, IUMI, OCIMFand

You might also like