Cyber security in the maritime sector: the scenario, risks and future challenges
SAFE CORE
Reference Context
Innovations in robotics and automation, artificial intelligence and communication technologies are causing a revolution in all industrial sectors, including the maritime and port sector, where cyber security plays an increasingly central role.
However, the ongoing innovation processes expose port facilities and the naval sector to greater cyber risks. The use of digital instruments requires adequate prevention of cyber attacks in order not to compromise the level of security of strategic and sensitive sectors such as logistics and navigation.
To mitigate the potential commercial consequences of cyber incidents, a group of international maritime associations representing shipowners, with the support of a wide range of stakeholders, has participated in the development of guidelines designed to help companies formulate their approaches to managing cyber risk on board ships.
In the coming years, the reliability of ports and operators in the sector (shipping companies, shipowners, logistics operators, terminals, shippers and supervisory authorities) will depend in particular on their ability to resist cyber attacks.
Technological evolution at the basis of the growing trend of cyber attacks
Ships are increasingly adopting systems based on digitalisation, integration and automation, thus requiring effective cyber risk management on board. In addition, ships are increasingly connected to shore operations, using digital communication to stay in touch with headquarters.
Although cyber security is a well-established topic in some sectors such as banking and finance, its implementation in the industrial sector is more complex, especially due to the coexistence of Information Technology (IT) and Operational Technology (OT), which use similar devices and networks and are converging towards similar technical solutions.
Industry, including the maritime sector, is entrusting some of its processes to commercially available information technologies, including the use of similar devices and the Internet of Things (IoT) model. This increases the risk of unauthorized access or attacks on naval systems and networks.
The European Parliament, with the NIS (Network and Information Security) Directive of 2016, implemented in Italy by Legislative Decree no. 65/2018, highlighted the importance of this issue. This directive requires Member States to identify Essential Service Operators (OSEs), including port managers, shipping companies and maritime traffic support services. These operators are required to report hacker attacks to the Computer Security Incident Response Team, under penalty of administrative sanctions.
Risks can occur both on on-board systems and externally. Satellite communications systems, and 4G and 5G networks near the coast, allow access to on-board networks and data. Even isolated systems, without connectivity, are vulnerable to threats typical of the cyber environment, such as malware introduced via removable media or other data storage devices.
It is clear that stand-alone systems are less exposed to external cyber attacks than those connected to unsecured networks or directly to the Internet.
The vulnerability of on-board systems
As in other industrial sectors, the growing need for real-time connectivity in the maritime sector, aimed at providing information when needed to optimize maritime operations and customer experience and satisfaction, is increasing the cyber attack surface, making these attacks potentially more lethal.
Among the most delicate and vulnerable IT systems on board ships are cargo management systems, which control the loading and unloading of goods and interface with ports and terminals, and navigation systems, including ECDIS (Electronic Chart Display and Information System), GNSS (Global Navigation Satellite System), VDR (Voyage Data Recorder) systems and radars. Equally sensitive are the propulsion management systems, access control systems, on-board surveillance, the tablets used by the crew, and communication systems.
All of these systems, critical to navigational safety and to power and load management, have become increasingly digitized and connected to the Internet, performing a wide range of essential functions, including monitoring engine performance, maintenance and spare parts management, loading and unloading operations, pump management, stowage planning and voyage performance monitoring. These critical on-board systems are all composed of potentially vulnerable devices and can provide a large amount of data of great interest to cyber attackers. Modern technologies can therefore add multiple vulnerabilities to ships.
The vulnerability of these systems is often caused by the use of obsolete operating systems, by the absence of anti-virus software, and by inadequate and inefficient management of computer systems and of access control to them. For example, allowing access to on-board systems with non-company IT tools saves considerably on equipment, but increases access-control risk.
Even wearable devices, interacting with remotely connected systems, introduce numerous attack vectors and consequently new vulnerabilities and a greater number of risks associated with their use.
It is therefore clear that the adoption of measures aimed at guaranteeing the safety of operators and of the information managed by them by means of on-board systems is a pre-eminent issue also in the maritime sector.
In particular, the most critical onboard systems include:
- Load management systems: The set of digital solutions used for loading, monitoring and controlling goods, including dangerous products. These systems are capable of integrating with a diverse range of onshore infrastructure, such as ports and marine terminals. These interfaces expand the potential of load management systems, but at the same time expose them to risks related to cyber attacks.
- Propulsion and machine supervision and control systems: The fragility of these systems may increase when monitoring occurs remotely or when they are integrated with ships' navigation and communications equipment using integrated systems on board.
- Access control systems: These include surveillance, on-board safety alarms and electronic identification systems for personnel on board.
- Passenger assistance and management systems: Digital systems used for the boarding process and access control can contain valuable passenger data.
- Crew welfare and administrative systems: Onboard computer networks, used for administrative purposes and crew welfare, become particularly susceptible when they offer Internet access and email services.
This situation could be exploited by malicious actors to gain access to on-board systems and sensitive data. Networks, both fixed and wireless, that are connected to the Internet and installed on board for the comfort of passengers, such as guest entertainment systems, should never be interconnected with systems critical to the safety of the ship. This principle also applies to software provided by ship management companies.
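An added example, not part of the original article: one way to check this segregation rule is to treat the permitted zone-to-zone flows as a graph and look for any path, direct or through intermediate zones, from a passenger- or crew-facing network to a safety-critical one. The zone names and allow-rules below are constructed for illustration.

```python
from collections import deque

# Constructed zone inventory; names are illustrative, not from any real vessel.
INTERNET_FACING = {"guest_entertainment", "crew_welfare"}
SAFETY_CRITICAL = {"navigation_ecdis", "propulsion_control", "cargo_management"}

# Constructed allow-rules (source zone -> destination zone), such as might be
# exported from the firewalls and switches separating the on-board networks.
ALLOWED_FLOWS = [
    ("guest_entertainment", "internet_uplink"),
    ("crew_welfare", "internet_uplink"),
    ("crew_welfare", "admin_office"),        # shared printer
    ("admin_office", "cargo_management"),    # stowage plan upload
    ("cargo_management", "propulsion_control"),
    ("navigation_ecdis", "vdr"),
]

def build_graph(flows):
    """Turn (src, dst) allow-rules into an adjacency map."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    return graph

def find_violations(flows, sources=INTERNET_FACING, targets=SAFETY_CRITICAL):
    """Return {(source, target): path} for every safety-critical zone that is
    reachable, directly or via intermediate zones, from an Internet-facing zone."""
    graph = build_graph(flows)
    violations = {}
    for start in sorted(sources):
        parent = {start: None}               # breadth-first search from start
        queue = deque([start])
        while queue:
            zone = queue.popleft()
            for nxt in sorted(graph.get(zone, ())):
                if nxt not in parent:
                    parent[nxt] = zone
                    queue.append(nxt)
        for target in sorted(targets & parent.keys()):
            path, node = [], target
            while node is not None:          # walk back to rebuild the path
                path.append(node)
                node = parent[node]
            violations[(start, target)] = path[::-1]
    return violations

if __name__ == "__main__":
    for (src, dst), path in find_violations(ALLOWED_FLOWS).items():
        print(f"VIOLATION {src} reaches {dst}: {' -> '.join(path)}")
```

No single rule in the sample set links the crew welfare network to propulsion control; the violation only appears when the rules are chained, which is why the check follows paths rather than inspecting rules one by one.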
Cyber security in the maritime sector: guidelines
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Cyber Risk Management Services in the Safety Management System (SMS). This resolution highlights the importance that an SMS must give to the management of IT risks, in accordance with the objectives and functional requirements of the ISM (International Safety Management) Code.
In parallel to the IMO initiatives mentioned above, the Baltic and International Maritime Council (BIMCO), the largest international maritime association representing shipowners, contributed to the topic in the summer of 2019. BIMCO updated and published the document “Guidelines on Cyber Security on Board Ships,” providing valuable guidance to help ship owners and operators address cybersecurity risks on board ships.
BIMCO's guidance expands and further details the IMO Resolution on cybersecurity, identifying key cyber risks, vulnerabilities and threats on board ships and offering a risk-based approach to addressing these challenges.
In developing these guidelines, the framework of the US National Institute of Standards and Technology (NIST) was taken into account. The NIST framework is known for assisting companies in assessing cyber risks, helping them understand, manage and mitigate potential cyber threats, both internal and external to the company. An essential part of this process is the creation of a “profile” that helps prioritize cyber risk mitigation actions.
The BIMCO guidelines define IT security on board ships as the protection of both IT (Information Technology) systems, i.e. those used for the calculation and management of data, and OT (Operational Technology) systems, i.e. those used to monitor physical events and processes. OT control systems, such as cargo and personnel management systems on board, interact directly with the physical world, which makes cyber risks in the maritime sector relevant to OT as well.
Therefore, it is essential to strengthen cybersecurity in both of these types of systems, especially when it comes to protecting the data exchanged between them. Risks can arise from the integration between IT and OT, as well as from the lack of updates in cyber protection measures.
The IMO guidelines focus on risk management, which must be the subject of specific operational plans and procedures to be included in the SMS (the Safety Management System provided for by the ISM Code) to allow on-board and shore personnel to deal adequately with any cyber incidents.
Potential perpetrators of cyber attacks are also identified, each driven by an expectation of gain or by other motivations such as industrial espionage and the dissemination of sensitive company data for political purposes. Finally, IMO identified the various phases of an attack, ranging from the study of the victim, to the sending/delivery of the tool used, to the actual attack, up to so-called pivoting: the attack is conducted against the most vulnerable systems, but once these have been accessed, all other systems also become potentially vulnerable from the inside.
The BIMCO guidelines take up the contribution of IMO and provide a very useful attack evaluation and management system, which includes risk classification (low/medium/high potential impact), as well as its management and evaluation. Training on cyber risk is also encouraged, both for on-board personnel (including captains and officers) and for those ashore. It should include information on the risks of using the internet, e-mail and on-board devices, on software updates, on password protection and on attack management procedures. This also requires an understanding of all computer-based onboard systems and how safety can be compromised by a cyber incident. Another aspect of security incident prevention considered by BIMCO concerns external suppliers.
The services provided by companies are in fact increasingly integrated within production processes, which are increasingly complex and geographically distributed, and in which relationships and the exchange of information with third parties become essential for achieving the expected results and creating value. The security of a company therefore depends on the security of the entire value chain. Furthermore, less structured suppliers increasingly constitute the entry point for attackers, from which they can then go on to attack even more mature companies.
Cyber risk management must take into account interactions with third parties, such as charterers, and the guidelines suggest adopting specific clauses for cyber risk management in contracts. Furthermore, it is crucial to consider the relationship between shipowner and agent, since the agent is often the main point of contact with shipowners, logistics operators, terminals, shippers and regulatory authorities, exchanging sensitive technical and financial information. Illegitimate access to this information, often via ransomware, has already caused the operational paralysis of entire fleets for hours or days in the past, highlighting the need to standardize cyber security principles and procedures among all players in the supply chain.
It is critical to carefully manage relationships with manufacturers and third parties, including contractors and service providers, through specific cyber risk management procedures. These companies may not be adequately trained in cyber risk governance, creating additional vulnerabilities that could result in cyber incidents. It is essential that these companies have an up-to-date corporate policy for managing cyber risk, with training and governance procedures easily accessible to IT workers.
Shipowners should obtain cyber risk management assurances when evaluating future contracts and services, especially if the vessel must interact with third parties, such as terminals or marine stevedoring companies. The BIMCO Guidelines highlight the main cyber vulnerabilities on board ships, including obsolete operating systems, outdated antivirus, inadequate security configurations, onboard networks lacking adequate protection, and insufficient controls over third party access.
A crucial aspect is ship-to-shore communications, a common target for hacker attacks. It is therefore essential to monitor the connection of on-board systems to unsecured networks. In this analysis, the human element plays a significant role, as many incidents result from personnel actions.
The BIMCO Guidelines recommend including cyber risks in the Safety Management System (SMS), designing specific measures for each ship. Given the predominantly remote management of recovery operations in the event of cyber incidents, we recommend the creation of a team of experts, both on board and ashore, to accelerate the recovery of systems and the return to normal operations.
Cyber security in the maritime sector: the challenges
Cyber security in the maritime sector is a complex challenge that requires transversal skills. In Italy, the automation industry stands out for its excellence in the supply of products for this sector, especially in the construction of cruise ships and yachts, where the know-how is recognized globally. This sector benefits from the Italian industrial sector, known for its constant search for new technologies and for the adaptation of those coming from other industrial fields. Technologies such as monitoring, control and safety systems are key elements for the future of the shipbuilding industry.
Developments in areas such as big data analytics, telecommunications, human-machine interaction, artificial intelligence and machine learning, as well as the use of sustainable energy, represent the main drivers of change. These elements are crucial to reduce costs, optimize processes, improve safety in navigation and management of maritime operations, and to reduce emissions in a context of environmental sustainability.
However, the adoption of these new technologies introduces new risks, underlining the importance of carrying out constant risk assessments. Among these, cyber risk has emerged as an unexpected challenge for operators and regulatory and certifying bodies in the maritime sector. Navigation systems, propulsion control, cargo and passenger management, as well as those related to the safety of offshore operations, must be integrated into a cyber risk management program that considers all crucial components: technologies, processes and human factors.
The technology supplier has the task of guaranteeing the necessary technological protections for products and networks, also taking care of aspects related to processes and user training and awareness. The regularity and continuity of the activities of a cyber security plan are therefore essential for the industry and represent, at the same time, an opportunity for growth and commercial development also in the maritime sector.