Since BIMCO (Baltic and International Maritime Council) first published its cyber security guidelines in 2016, followed by the IMO’s (International Maritime Organization) Resolution MSC 428(98) Maritime Cyber Risk Management guidelines in 2017, the maritime sector has seen a gradual progression of cyber safety awareness.
Subsequently, OCIMF (Oil Companies International Marine Forum) published cyber safety chapters in its Ship Inspection Report Program in 2018. This was followed by IACS’ (International Association of Classification Societies) technical guidelines in 2021, which stipulated that all new builds from 2024 onwards be cyber-compliant.
Today, despite these compliance and safety frameworks, there is no shortage of maritime cyber security threats, both onshore in ports and offices and offshore on vessels and rigs.
Unfortunately, cyber security in the maritime industry is fundamentally an unceasingly dynamic “team sport”. With 500,000 new viruses emerging globally every day, incidents are expected to grow. With the existing compliance frameworks in place, has the maritime sector even started to protect itself effectively?
The answer, in my opinion, is no.
Urgent need for cyber security
Looking back a decade or so, the maritime industry has faced major challenges such as a global industry-wide slowdown, various forms of oil crisis, sulphur emission control, and before long, the arrival of the global COVID pandemic.
Would there still be an appetite for cyber protection? Unfortunately, whether or not the appetite is there, cyber protection is fast becoming an urgent mandate impacting businesses and operations, rather than a question of necessity.
With chapters and chapters of cyber-related controls published by authorities, do ship owners know where to begin in the first place?
Cyber protection is never a matter of throwing money at the problem and hoping that it will take care of itself. Ship owners need clear and concise directions and actionable insights to kick-start their long-term journey towards strong maritime cyber security postures for their vessels.
To begin with, ship owners need to understand that cyber security in the maritime industry is never a matter of buying a protection or monitoring product. It is important to remember that the first step is always to find out what they are protecting and what their vulnerabilities are.
I would therefore suggest the following directions and actionable insights for ship owners to establish a baseline on which the various compliance efforts could build. In other words, a friendly lighthouse to help ship owners start their journey with identifiable, tangible low-hanging fruits.
Low-hanging fruits #1: Knowing my IT/OT assets, knowing my vulnerability
We observed that many ship owners do not have the most up-to-date or complete list of their onboard information technology (IT) and operational technology (OT) assets. We need to be clear about what we own to know what to protect. Alongside that, it is also important to have visibility of the current assets and setup.
Today, there are fully software-based automated tools that can be run entirely remotely, via online access from onshore into the ships, minimizing the logistics of installing and maintaining onboard devices or hardware.
Such tools, coupled with qualified service providers, could assist with swift re-discovery and re-construction of the asset list and network topology, reducing an effort that in the past took months to just a couple of days. The same tools could then be utilized for onboard cyber security monitoring too.
Low-hanging fruits #2: Knowing what to do when an incident happens
Professional “red teaming” services could be engaged to trial maritime cyber attacks from the outside. With that comes a deeper understanding of how vulnerabilities are exploited in attacks, and therefore of what to do and how to react when such an incident happens.
These are critical processes which ship owners need to understand well in order to perform incident response accurately during “wartime”, which is vastly different from protection operations during business-as-usual “peacetime”.
Such services are readily available nowadays. Unfortunately, they mostly focus on IT systems for onshore enterprises and industries. It is, therefore, important to sieve out experienced service providers with credentials in maritime IT and OT.
Low-hanging fruits #3: Countering attack vectors via disruptive innovations
It is well-known that the three common attack vectors are: email, USB external devices and browsers.
While the landscape is not short of commonly heard fundamentals such as “Zero Trust”, “Defense in Depth”, and “Security by Design”, such concepts, in my opinion, have been overstated with superficial teaching.
Deeper considerations, such as whether they are implemented with a detection-based or a detection-less approach, are key. Realizing such concepts entirely on a detection-centric approach is almost an oxymoron. This is for the simple reason that detection-centric technologies would never be able to protect us from the undetectable, regardless of which of the three concepts is deployed.
As a relatively slow mover in cyber protection, the maritime industry has the advantage of starting from a clean slate. It is therefore timely for the sector to adopt and adapt well-tested technologies, avoiding the mistakes and pitfalls encountered by onshore enterprises and industries thus far.
Specifically, ships and vessels could deploy well-proven detection-less sanitizers to cleanse files coming in via email, USB devices and browsers. Such sanitizers (technically known as Content Disarm and Reconstruction, i.e., CDR), when coupled with Remote Browser Isolation (RBI) technologies, would help to form a more formidable protection against advanced malware and attacks than the traditional protection paradigm.
Low-hanging fruits #4: Addressing the weakest point in people, processes, technology
The three dimensions of cyber security, namely people, processes, and technology, are well known. That “people” are the weakest point has been well said too. How could we effectively address it in the maritime sector?
It is impractical to conduct class-based awareness training for seafarers when the nature of their job requires them to be “away and apart” most of the time.
Self-paced computer-based training is, therefore, a directly effective option. I foresee that such an option will gradually transform from offline to online going forward, as cost-effective bandwidth accessible offshore improves. It would be useful to design such training with qualifying tests that form part of the career advancement framework for seafarers.
This, coupled with regular phishing campaigns, would help greatly in identifying the weakest in the weakest point so that education and re-learning could be focused on that group.
Low-hanging fruits #5: Re-thinking of IT and OT connections onboard ships and vessels
Onshore, Industrial Control Systems (ICS) are critical, and maritime cyber security expertise and resources are readily available when needed. Unfortunately, ICS onboard ships do not come with such privileges, as such skills and resources typically do not exist onboard. The effect of an incident could be catastrophic if it happens in the open sea, where the ship has only itself to call on.
It is not uncommon now to observe weak IT and OT separation onboard ships and vessels. Some may depend only on access control means or simple firewalls. The proven practices in onshore OT, such as uni-directional conduits, are therefore highly encouraged. The use of measures such as data diodes and protocol breakers may seem remote at the moment.
This is unfortunate, but fortunately, low-cost, well-certified data diodes have started to emerge lately. As technology and bandwidth improve, I encourage such transition and adoption as soon as possible for the ultimate well-being of ships, before a major incident happens to the most critical infrastructure of the ship.
Low-hanging fruits #6: Harnessing technologies for a quantum leap in incident response time
The average time to perform conclusive digital forensics and effective incident response (DFIR) is about two to three weeks. This is, unfortunately, far too slow: in common scenarios, further complications could happen well before then.
Fortunately, the advancement of DFIR technologies has resulted in a new concept platform that shrinks DFIR effort from weeks to minutes.
As Security Operations Centers (SOCs) grow, it is also important for the monitoring platform to adopt and incorporate such new-generation DFIR platforms, on top of common Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) systems, to achieve high-speed recovery should an incident happen, which may impact not just operations but the lives and well-being of seafarers onboard vessels.
In conclusion, the maritime industry should take advantage of the advancement in protection technologies, which are well-practiced onshore, and transition them for offshore purposes.
There is no better time than now since awareness of maritime cyber security has risen rapidly over the last couple of years.
Do remember that cyber protection is not about going out to source a protection product. It is about full visibility of our own assets and our security weaknesses, to begin with.
While the industry is not short of cyber security expertise, it is important to engage one with credentials in the maritime sector – a sector with needs and ethos vastly different from its onshore counterparts.