BIMCO, CLIA, ICS, Intercargo and Intertanko have launched a set of cyber security guidelines to help the global shipping industry prevent major safety, environmental and commercial issues that could result from a cyber incident onboard a ship.
The cyber guidelines are a first for the shipping industry, says Angus Frew, Secretary General of BIMCO. “BIMCO has led the way to identify potential cyber vulnerabilities for ships – and their implications – based on the latest expert research. The aim is to provide the shipping industry with clear and comprehensive information on cyber security risks to ships enabling shipowners to take measures to protect against attacks and to deal with the eventuality of cyber incidents.”
Cyber threats are changing all the time – and BIMCO and the other industry associations will regularly update the cyber guidelines to ensure shipping companies have the latest information available.
Types of cyber attack
In general, there are two categories of cyber attacks which may affect companies and ships:
• Untargeted attacks, where a company or a ship’s systems and data are one of many potential targets; or
• Targetted attacks, where a company or a ship’s systems and data are the intended target.
Untargeted attacks are likely to use tools and techniques available on the internet which can be used to locate known vulnerabilities in a company and onboard a ship. Examples of some tools and techniques that may be used in these circumstances include:
• Social engineering. A non-technical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, normally, but not exclusively, through interaction via social media.
• Phishing. Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that an individual visits a fake website using a hyperlink included in the email.
• Water holing. Establishing a fake website or compromising a genuine website in order to exploit visitors.
• Ransomware. Malware which encrypts data on systems until such time as the distributor decrypts the information.
• Scanning. Attacking large portions of the internet at random.
Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a particular company or ship. Examples of tools and techniques which may be used in these circumstances include:
• Spear-phishing. Similar to phishing but the individuals are targetted with personal emails, often containing malicious software or links that automatically download malicious software.
• Deploying botnets. Botnets are used to deliver Distributed Denial of Service (DDoS) attacks; and
• Subverting the supply chain. Attacking a company or ship by compromising equipment or software being delivered to the company or ship.
Determination of vulnerability
The growing complexity of ships, and their connectivity with services provided from shoreside networks via the internet, makes onboard systems increasingly exposed to cyber attacks. In this respect, these systems may be vulnerable either as a way to deliver a cyber attack, or as a system affected because of a successful cyber attack.
In general, stand-alone systems will be less vulnerable to cyber attacks compared to those attached to uncontrolled networks or directly to the internet. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel actions. Onboard systems could include:
Cargo management systems
Digital systems used for the management and control of cargo, including hazardous cargo, may interface with a variety of systems ashore. Such systems may include shipment-tracking tools available to shippers via the internet. Interfaces of this kind make cargo management systems and data in cargo manifests vulnerable to cyber attacks.
The increasing use of digital, networked navigation systems, with interfaces to shoreside networks for update and provision of services, make such systems vulnerable to cyber attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation, and therefore may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.
Propulsion and machinery management and power control systems
The use of digital systems to monitor and control onboard machinery, propulsion and steering make such systems vulnerable to cyber attacks. The vulnerability of such systems can increase when they are used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.
Access control systems
Digital systems used to support access control to ensure physical security and safety of a ship and its cargo, including surveillance, shipboard security alarm, and electronic “personnel-on-board” systems.
Passenger servicing and management systems
Digital systems used for property management, boarding and access control may hold valuable passenger related data.
Passenger facing public networks
Fixed or wireless networks connected to the internet installed on board for the benefit of passengers, for example guest entertainment systems. These systems should be considered as uncontrolled and should not be connected to any safety critical system on board.
Administrative and crew welfare systems
Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when they provide internet access and email. They can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety critical system on board.
Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defense mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard systems and data.
The guidelines are available for download here.