Blog: Maritime Cyber Security

Maritime regulation. All Hands-on Deck! 

Ken Munro 05 Aug 2020

TL;DR

The regulation from the IMO has changed, and you need to do more about cyber security. Key things to focus on:

  • Start asking questions of your supply chain, of your own IT and OT teams 
  • Assess the security configuration per vessel – each is different
  • Use Critical National Infrastructure controls as a guide 
  • Ensure strong due diligence when purchasing systems 
  • Attacks will happen – adequately prepare by testing and validating systems, processes and separation 
  • Don’t forget training!

Regulatory changes

Since January 1st 2021 the International Maritime Organization (IMO) has been enforcing Resolution MSC.428(98) of the International Safety Management (ISM) Code.

This resolution encourages Vessel Owners to ensure that cyber risks are appropriately addressed in existing safety management systems (SMS) by no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021. 

Vessel Owners need to provide evidence to confirm that cyber risks relevant to SMS have been addressed; otherwise a PSC deficiency could be issued. This could be Rectify Prior to Departure (Action Code 17), or the Vessel could be detained (Action Code 30).

However, to quote the IMO Website:

Recognizing that no two shipping companies or shipowners are the same, and that ships operate under a wide range of different conditions, the Code is based on general principles and objectives, which include assessment of all identified risks to one Company’s ships, personnel and the environment and establishment of appropriate safeguards. 

The Code is expressed in broad terms so that it can have a widespread application. Clearly, different levels of management, whether shore-based or at sea, will require varying levels of knowledge and awareness of the items outlined. 

You can see there is ambiguity! 

This has caused, and can still cause, misunderstanding and misinterpretation of what is required to be secure. It has also resulted in varying levels of assurance and security being deemed acceptable.

What does this mean for me?

Fortunately, the Maritime Industry can learn from the mistakes of other industries that have gone through regulation – don’t approach cyber security as a tick box exercise! 

Use the guidance, frameworks and recommendations as a baseline to create a robust assessment framework that is tailored to the vessel's unique needs and to any businesses that interact with her.

It starts with a question

So where can you start… by asking some simple questions: 

  • Do you know what assets you have?  
  • Do you understand who is responsible for those assets (think installation, maintenance, monitoring and security)? 
  • Do you know where those assets are?  
  • Do you know where they are accessible from, and by whom?
  • Do you know when those assets need to be updated/replaced/tested?

This is not a simple exercise… 

Learning from others

The industry faces the same challenges as those seen in Critical National Infrastructure. In fact, at a technology level, there is likely to be broadly the same Operational Technology (OT) on the vessel as in a water treatment plant.  

The challenges faced in the OT world are the same as yours: 

  • Legacy infrastructure and software 
  • Complex supply chain 
  • Undocumented backdoors, unknown-unknowns (that’s a hard risk to quantify)
  • Difficult to change or update
  • Increasing internet connectivity
  • Limited skilled workforce  
  • Up to 5 generations in a workplace, all engaging with this technology differently

Other OT industries have fixed these challenges by using the concept of ‘Secure by Design’ and by using threat modelling and testing to reduce risk. 

They now ask tough questions of vendors, and they use skilled technicians when purchasing solutions to see through the marketing hype. They are even conducting Proof of Concept (PoC) testing ahead of purchasing.

Not being afraid to walk away

Depending on the outcome of the PoC, organisations need to understand that they can walk away. 

This is not to say everything is terrible and broken; there are some amazing products and vendors out there. But as with any industry, there are vendors who need to improve and take responsibility for the new demands on our technology stacks.

When carrying out these kinds of assessments, we have identified undocumented back door accounts, rogue code that could be manipulated and, in some cases, just open access – no authentication at all, just a reliance on physical controls.  

This is just not acceptable in a cyber resilient organisation. 

When, not if…

As the world becomes increasingly connected, and with larger and more scalable attacks, organisations are beginning to acknowledge it is not a matter of if, but when, they will come under attack.

This is no less true for technology solutions onboard vessels than it is for connected environments back on dry land. It is important to have assurances that the vessel is appropriately secured from attack, both remotely and in the event a machine onboard is compromised. This is not an easy task!

When carrying out your assessment, the following specific areas should be covered: 

  • Validate segregation between onboard networks, ensuring crew/third party/corporate networks are separated from safety critical networks (bridge, OT etc)
  • Connections back to shore, particularly around content filtering, Internet access and privileged access to other systems such as the head office, home or other 3rd parties
  • Security configuration and segregation of wireless networks on board
  • Conduct reviews of bridge and navigation systems, particularly around software versions, update process (online/USB), wider USB use and other potential interfaces
  • Other systems of interest include integrated bridge equipment, IAMCS, ECDIS, GPS, AIS, synthetic radar, BNWAS, VDR, and any other systems that may be connected to a network or updated routinely
  • Review security of OT control systems. OT can respond adversely to testing exercises, hence the review process will involve investigating configuration and use
  • Review other connected systems for versions and patch levels that may not be known to the organisation
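
The first item in the list above, validating segregation, can be checked on paper before anything is touched on board. The sketch below is an added example, not part of the original post: it walks a summary of permitted flows between zones and reports every route, direct or via intermediate zones, from a crew/third-party/corporate network to a safety-critical one. The zone names, services and flows are constructed for illustration.

```python
from collections import deque

# Constructed sample data: zone names and permitted flows are illustrative
# assumptions, not taken from any real vessel or from the original post.
UNTRUSTED = {"crew_wifi", "third_party", "corporate"}
SAFETY_CRITICAL = {"bridge", "ot_control"}
# (source zone, destination zone, service), e.g. summarised from firewall rules
ALLOWED_FLOWS = [
    ("crew_wifi", "vsat_gateway", "tcp/443"),
    ("corporate", "vsat_gateway", "tcp/443"),
    ("corporate", "admin_jump_host", "tcp/3389"),
    ("third_party", "admin_jump_host", "tcp/22"),
    ("admin_jump_host", "ot_control", "tcp/502"),
    ("bridge", "vsat_gateway", "tcp/443"),
    ("ot_control", "bridge", "udp/10110"),
]

def find_segregation_breaks(flows, untrusted, critical):
    """Return the shortest permitted path from each untrusted zone to each
    safety-critical zone it can reach, directly or through other zones."""
    graph = {}
    for src, dst, service in flows:
        graph.setdefault(src, []).append((dst, service))
    breaks = {}
    for start in sorted(untrusted):
        # Breadth-first search: the first path found to a zone is the shortest.
        parent, queue = {start: None}, deque([start])
        while queue:
            zone = queue.popleft()
            for nxt, service in graph.get(zone, []):
                if nxt not in parent:
                    parent[nxt] = (zone, service)
                    queue.append(nxt)
        for target in sorted(critical):
            if target in parent:
                path, node = [], target
                while parent[node] is not None:
                    prev, service = parent[node]
                    path.append((prev, node, service))
                    node = prev
                breaks[(start, target)] = path[::-1]
    return breaks

if __name__ == "__main__":
    findings = find_segregation_breaks(ALLOWED_FLOWS, UNTRUSTED, SAFETY_CRITICAL)
    for (src, dst), path in findings.items():
        print(f"{src} can reach {dst}:", " -> ".join(f"{a} [{s}] {b}" for a, b, s in path))
```

In this constructed ruleset no rule links the corporate network to the bridge directly, yet the jump host and the OT-to-bridge feed together form a route. That kind of transitive path is what a rule-by-rule review tends to miss.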

What else can I do?

In the same way you provide safety training, it’s important to provide cyber security training to crew members. This can be in person or remote, and should focus on the key risks mariners face at sea and in port. It’s important to teach individuals how to defend themselves personally, and how to spot and defend the vessel from scams and other attacks.

For appropriate engineers, Pen Test Partners provide training on how attackers connect to the networks, the tools utilised and prevention technologies, along with technical indicators to look for.

The same applies to managing your supply chain and ensuring adequate due diligence is applied: make sure a similar set of principles is used.

The evolution of technology is rapid and cyber resiliency must keep up. With some simple suggestions for improvement, the industry could make significant improvements in a short space of time.