We often hear about unwanted cyber interventions harming operations. You might think it’s not relevant to the maritime industry – you’d be wrong.

Not immune from cybersecurity incidents, a growing number of attackers are focusing their activity on the marine and offshore sector^[1][2][3]. That includes cargo ships and cruise liners. Both are attractive targets due to high-value assets and likely vulnerabilities.

Whilst the picture might seem alarming, specialist guidance and procedures exist to help you mitigate your risk, securing vessels from harmful attacks. Created by cybersecurity specialist Nettitude, and used by Lloyds Register, the LR Cybersecurity ShipRight [4] certification is one such example.

What is the cyber risk for marine vessels?

Like so many industries, increased connectivity drives efficiencies in large marine vessels. From core operational controls to high technology systems on cruise liners, when benefits exist, connection follows.

Yet, many marine vessels have low-security procedures and use legacy systems not equipped for this rapid development. ^{[1] [3]}

Being out at sea can feel like a safe deterrent. But all ships must return to port at some point, and this is when electronic charting and navigation systems are normally updated. Often insecure, the update processes could leave the door open for attackers to cause harm to such systems. Once in, they also have access to poorly protected operational systems. ^{[1] [3]}

Integrating IT with Operational Technology

IT and operational technology (OT) are increasingly connected.

“With engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery” ^[5]

Without robust security, you risk cyber-attackers reaching your OT via IT routes. An IT compromise is one thing but disrupting OT would be far more damaging, especially if that disruption was onboard a cruise ship.

At best, the problem might be a temporary operational issue. However, the reputational damage can be immense and with social media on every customer’s phone, bad news travels quickly.

Legacy IT systems onboard

It’s not unusual to find dated PCs with low-level security on a marine vessel. Some might have served the ship for years before cybersecurity was a significant risk. But you must update the software. It’s often carried out when in the port, using data sticks or downloads. But if not secure, both risk corruption. And yet, vessels rely on these systems to operate smoothly.

Over-reliance on email

Much maritime communication is via email, this has been the case for many years. It might be arrival notifications or requests for bunkering. Crew complete many Word or Excel documents before emailing them to relevant authorities.

The risk here is phishing, attachments containing malware which is increasingly common in the marine industry. Also, email supplies some software updates, perhaps a file updating maps or a patch emailed by a vendor. If security is not tight enough each one risks corruption.

IMO cybersecurity guidelines

The International Maritime Organisation has published helpful cybersecurity guidelines for vessel owners and operators ^[6]. A new development for the industry, it is set to grow in significance. While in 2020 IACS published their recommendations on maritime cybersecurity resilience ^[7]. In time, expect these recommendations to become the foundation of all classification societies' cybersecurity requirements.

There is no doubt that cyber risks will grow and vessel owners cannot ignore this. Whilst overwhelming for some, you can effectively mitigate your risk with the right help.

Mitigating cyber-risk with the LR ShipRight certification

Nettitude created the LR Cybersecurity ShipRight Framework to meet a rising concern around cyber vulnerability in the marine industry. It now forms part of the LR ShipRight Procedures.

Today, LR and Nettitude use the framework to pragmatically assess and recommend improved security capabilities for vessels, in addition to component manufacturers.

The outcome is a certified level of cybersecurity from Security Level 1 (the lowest) to Security Level 4 (the highest), with Security Level 4 demonstrating a more robust approach to cyber-resilience.

Who should use it?
Whilst manufacturers have been using the LR Cybersecurity ShipRight Framework to certify vessel components, marine vessel owners and operators can also benefit. Especially following the recent guidance from the IMO and IACS.

Retrospectively strengthening your existing IT and OT systems makes sense given the constantly growing risk of cyber activity.

A four-stage journey to greater cyber resilience

When you engage the LR Cybersecurity ShipRight Framework, Nettitude works closely with you over four stages. LR involvement confirms your eventual certification.

1. Risk assessment and document review

Nettitude first identifies current cyber-risks on the vessel. You will agree on the scope of this assessment at the outset. It’s likely to include bridge systems and safety control, cargo handling and management systems, propulsion and machinery management, and power control systems. These areas are recommended in the IMO guidelines. Your scope might also include an assessment of further systems, giving you the fullest picture possible. It may also be recommended that key personnel undertake interviews and there is an observation of key processes.

2. Gap analysis

Your current situation is clear and understanding what level of security you want to achieve, Nettitude prioritises your risks. You should remediate those with the greatest benefits first. A recommendation will be made on how to add cyber resilience to your existing IT structure, futureproofing your procedures for maximum security.

3. Remediation

Receiving a gap report from Nettitude, you will have plenty of advice. You must then remediate your risks and provide the required evidence to achieve your desired level of security capability. For a retrospectively assessed vessel, this can take several months.

4. Final assessment and certification

Following your remediation, and being shadowed by an LR surveyor, Nettitude assesses your cybersecurity. This is completed by looking for evidence of fixed risks and supporting documentation. When confident you have met the class requirements, a final assessment report is generated. This confirms your vessel is eligible for a Descriptive Note. With confirmation, LR issues your Cybersecurity ShipRight certification. Importantly, your vessel is demonstrably more cyber-resilient.

Let us help you

Nettitude provides a wide range of threat-led cybersecurity services for organisations around the globe. From Penetration Testing to Incident Response and Managed Security Services, we work closely with you to drive effective protection, detection, response, and recovery from cyber threats.

Globally trusted, our team of specialists hold the highest technical qualifications available. We are one of only a handful of companies worldwide holding all CREST accreditations and the first in the world for SOC services.
Should you want an informal chat with Nettitude about your vulnerability to cyber-attack and how the LR Cybersecurity ShipRight Framework can help, please get in touch.

References

[1] A Retrospective Analysis of Maritime Cyber Security Incidents, P.H. Meland , K. Bernsmed , E. Wille , Ø.J. Rødseth , D.A. Nesheim, DOI: 10.12716/1001.15.03.04 https://www.transnav.eu/Article_A_Retrospective_Analysis_of_Maritime_Cyber_Security_Incidents_Meland,59,1144.html

[2] Navigation Data Anomaly Analysis and Detection, A. Amro, A. Oruc, V. Gkioulos S. Katsikas Information 2022, 13(3), 104; https://doi.org/10.3390/info13030104 https://www.mdpi.com/2078-2489/13/3/104

[3] Cyber Security in the Maritime Industry: A Systematic Survey of Recent Advances and Future Trends, M. Amine Ben Farah, E. Ukwandu, H. Hindy, D. Brosset, M. Bures, I. Andonovic X. Bellekens Information 2022, 13(1), 22; https://doi.org/10.3390/info13010022 https://www.mdpi.com/2078-2489/13/1/22

[5] Cyber incident exposes potential vulnerabilities onboard commercial vessels, United States Coast Guard, U.S. Department of Homeland Security Marine Safety Alert, Safety Alert 06-19 https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf

[6]https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx

[7] https://iacs.org.uk/publications/recommendations/161-180/rec-166-new-corr1/