Shipping sets watch for [not so] distant cyberthreats

Maritime industry bodies consider pre-emptive measures to thwart cyberthreats

By Morand Fachot

Piracy has posed a major security threat to mariners everywhere, from Asia to the Mediterranean, since time immemorial. In the future, threats from armed gangs boarding ships and holding vessels and crews for ransom may be replaced by ones from cyberspace. Every day, many institutions, establishments and individuals are the targets of cyberattacks. While the maritime industry has yet to record a major cyber incident, it recognizes that it is only a matter of time before some of its assets are targeted. As a result, it is taking pre-emptive measures, which include the adoption of International Standards, to mitigate the possibility of cyberattacks and their potential impact.

Large container ship
Most global trade is transported by sea on vessels such as this large container ship (Photo: Maersk)

Armed piracy still a major threat to shipping

Armed robbery and piracy against ships still poses a significant threat to shipping; it is concentrated in certain areas but has dropped 44% since 2011 when Somali pirates were most active. The International Chamber of Commerce (ICC) International Maritime Bureau (IMB) 2015 annual report on "Piracy and armed robbery against ships" recorded 246 incidents worldwide in 2015 (as against 245 in 2014 and 439 in 2011). Nearly 60% of these incidents (147) took place in Southeast Asia. The report indicates that 203 vessels were boarded, that there were also 27 attempted attacks and 15 hijackings and that 333 crew were victims of various acts of violence ranging from kidnapping to being kept hostage, being injured or even killed (one case). Bulk carriers, tankers of various types and container and cargo ships made up some 90% of the targets. The cost to the industry represents billions of dollars. However a new, less spectacular form of piracy, cyberpiracy, looms on the horizon. It may prove far more costly and quite possibly no less dangerous to the shipping industry.

Cyber incidents on ships are not unusual

Cyberattacks on a broad range of sectors for fraudulent or malicious reasons are widely reported on a nearly daily basis. Financial losses, which are often considerable, are also detailed. The maritime industry has yet to make headlines in this domain. However, this doesn't mean that it is not targeted or that it is safe. Cyberattacks against maritime assets would have particularly serious ramifications since around 80% of global trade by volume and over 70% of global trade by value is carried by sea and is handled by ports worldwide, according to UNCTAD, the United Nations Conference on Trade and Development.

Furthermore, ships represent very high value assets. The cost of an 18 000 Twenty Foot Equivalent Unit (TEU) container ship, one of the largest types currently sailing, is around USD 200 million. If its cargo is included, it can be worth one billion dollars or more.   

The International Maritime Organization (IMO), the UN specialized agency with responsibility for the safety and security of shipping and the prevention of marine pollution by ships, is now considering cyber security matters together with other bodies and relevant international organizations.

Gert-Jan Panken, a senior executive from Inmarsat, the global satellite communication company set up by the IMO, told participants to a recent Maritime Cyber Risk Management Summit held in London, that 43% of seafarers reported having worked on vessels that had been compromised by a cyber incident, which could have constituted malware insertion, digital virus attack or software updating issues. Some 95% of cyber incidents were human-related, yet only 10% of crew surveyed had received some form of cyber security training, according to Marine Electronics & Communications. This fact points to a major weakness that should, however, be relatively easily remedied by applying appropriate training measures.

Humans are not alone as the weakest links

Outdated software and ships not designed with modern cyber security in mind are two existing vulnerabilities that have been identified in a study led by Plymouth University’s Maritime Cyberthreats Research Group. The paper, published in Engineering and Technology Reference, notes that maritime-related systems for navigation, propulsion, and cargo-related functions can be the targets of cyber-attacks. It points out that “the [maritime] sector is probably the most vulnerable aspect of critical national infrastructure”.

Cyber incidents could affect a number of systems and points of entry. Some of these were identified by speakers at the Maritime Cyber Risk Management Summit. They include the Automatic Identification System (AIS), Global Positioning System (GPS) and inputs to the Electronic Chart Display and Information System (ECDIS). They could also come from connection to online services over satellite communications, in-port WiFi, or through contractors providing remote monitoring services, or engineers updating shipboard system software. The Global Maritime Distress and Safety System (GMDSS) developed by the IMO is seen as another potential target of cyber attacks.

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, is involved in developing International Standards for many of these systems.

It has published 12 Standards covering various aspects of GMDSS (based on IMO resolutions) in the IEC 61097 series. It has also developed International Standards for AIS and ECDIS.

Growing awareness from the sector

A number of maritime industry organizations and bodies have highlighted the potential risks posed by cyber incidents and are preparing for these.

A September 2015 information paper on cyber risk by the Joint Hull Committee (JHC), which brings together underwriting representatives from both Lloyd’s and the International Underwriting Association of London(IUA) notes that "the risk of a loss to a ship as a result of cyber disruption is foreseeable, but is not yet a reality".

The Baltic and International Maritime Council (BIMCO), the world’s largest international shipping association, published guidelines on cyber security onboard ships in January 2016. BIMCO Secretary General Angus Frew said at the time that the aim of these guidelines was “to provide the shipping industry with clear and comprehensive information on cyber security risks to ships”. He added that they “should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate”.

Canada and the United States submitted a framework document for cyber risk management (CRM) to the IMO Facilitation Committee in January 2016. These “Guidelines on the facilitation aspects of protecting the maritime transport network from cyberthreats”, list five functional elements – identify, protect, detect, respond, recover – “which taken together can form the foundation of an effective CRM system”.

Cyber risk management guidelines rest on International Standards

A common thread to all these documents is that they show clearly that all the measures recommended to be taken to ensure better cyber security rest on a number of International Standards, many of which are developed by ISO/IEC JTC 1/SC 27: Security Techniques.

ISO/IEC JTC 1/SC 27 is a Subcommittee of ISO/IEC JTC 1, the Joint TC formed by the IEC and the International Organization for Standardization (ISO) to prepare International Standards for Information Technology.

The Guidelines submitted by Canada and the US to IMO list the following CRM-related Standards and Technical requirements (TR) developed by ISO/IEC JTC 1/SC 27:

ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC TR 27019:2013, Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

ISO/IEC 27031:2011, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

ISO/IEC 27033-3: 2010, Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues

ISO/IEC 27039:2015, Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems (IDPS)

The BIMCO Guidelines focus on “issues facing the shipping industry onboard ships” but gives the “ISO/IEC 27000 series of Information Security Management Systems (ISMS) standards” as an example of international standards and guidelines that “cover cyber security issues for shoreside operations.”

As for the JHC, its Cyber Risk Assessment Guidance background checks state that shipping companies should carry out “a thorough threat assessment, contemplating (...) the current level of compliance with international security standards (ISO/IEC 27001 / ISO/IEC 27002, NERC [North American Electric Reliability Corporation] 1300, ISA/IEC 62443). The IEC 62443 series of IS, TS and TR on Industrial communication networks/network and system security, is developed by IEC TC 65:  Industrial-process measurement, control and automation.

Cyber incidents may not stay limited to cargo theft and smuggling for long

In recent years a number of cyber incidents focusing on cargo rather than vessels have been reported.

In June 2013 Belgian and Dutch police broke a drug smuggling ring after tracking down hackers who had penetrated shipping companies computers to follow the movement of containers loaded with drugs to let traffickers locate the right containers and remove them undetected.

Pirates have also been found to have hacked a shipping company’s computers to locate valuable cargo, according to findings published in a data breach investigation report by Verizon. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate – and that crate only – and then depart the vessel without further incident,” the report notes.

So far no major shipping disaster has resulted from cyber attacks. However, the industry considers this to be a possibility, as previously mentioned reports indicate. Insurers also worry about the possibility of a shipping disaster resulting from a cyber incident. In its 2015 Safety and Shipping Review, Allianz Global Corporate & Specialty notes that “A cyber-attack could result in a total loss, leading to substantial insurance claims for hull, cargo and protection & indemnity underwriters. It could even involve multiple vessels from the same company”.

Allianz says that the cost of a maritime disaster involving two megaships could reach USD 2 billion.

The trend towards increased automation and ongoing work on the introduction of remotely operated unmanned vessels, may see cyber incidents on shipping assets increase in the future.

Reports and recommendations from the IMO and the maritime sector organizations show that the cyberthreats are being taken seriously; these reports also show that International Standards developed by the IEC on its own or within ISO/IEC JTC 1 are seen as central to protecting shipping against these threats.

Gallery
Tripolitan pirate ship US naval crew boarding a Tripolitan pirate ship in the Mediterranean in 1804 (Painting: Naval Historical Center, US Department of the Navy)
Hoegh Osaka car carrier Hoegh Osaka car carrier intentionally grounded in the Solent after listing (Photo: Geni, GFDL, Wikimedia Commons)
Large container ship Most global trade is transported by sea on vessels such as this large container ship (Photo: Maersk)
The Queen Mary 2 Navigation and communication equipment on bridge of the Queen Mary 2 ocean liner (Photo: Cunard)
Rolls-Royce ship concept Rolls-Royce remote and autonomous ship concept (Image courtesy of Rolls-Royce plc)