Cybersecurity standards at sea
The maritime sector is of crucial importance in modern society, since it is essential, in both economic and social development, and in the creation of employment opportunities and professional development. For many years, it has been the most widely used means of transport, as well as an essential communication link between coastal cities, countries and continents, being, together with rail transport, the most efficient in economic and environmental terms for transporting goods and passengers.
Currently, the global maritime sector increasingly relies on digitalization, the integration of operations and process automation. While technology continues to advance, the IT and OT networks in the vessels are beginning to be connected to each other and, in many cases, to the Internet too. This brings with it a new and urgent goal: to maintain the operational safety of these critical systems.
State of the art of cybersecurity in the maritime sector
In order to mitigate the potential safety, environmental and commercial consequences that a cybersecurity incident may have, a group of maritime organisations, together with the support of a large number of companies involved, have come together to address this problem.
IMO
This initiative is led mainly by the IMO (International Maritime Organization), a special agency, which belongs to the United Nations, that produces global standards and that has created a framework of reference for the naval industry, ensuring the safety and maintenance of the environment in shipping, so that it is adopted and implemented universally.
At present, neither the IMO, nor any national agency, has produced a specific cybersecurity regulation for the maritime sector. However, in recent years, a lot of effort has been made by several organizations, such as the IMO itself, which published a cybersecurity guide for ships, providing high-level recommendations to protect the maritime sector, as well as helping to reduce the number of vulnerabilities related to these threats. These recommendations were prepared and passed by several leading international associations in the maritime industry. The most recent version of the document includes important aspects related to the new risks and threats facing the industry, such as:
- The incorporation of new cyber risks to SMSs (Safety Management Systems) of each vessel.
- Improvements in the recommendations on risk assessment in the OT environment, including navigation systems and engine control.
- Additional recommendations about the management of risks associated with third-party suppliers and sellers.
For such efforts to be effective, they must be applied in all aspects of operations and other activities carried out in a maritime company. Therefore, as was done at the time with the inclusion of the safety culture, the IMO decided to include cybersecurity requirements in the ISM Code (International Safety Management Code), which are mandatory for all ship owners, operators and companies involved in the sector. The purpose of this code is to provide an international standard for the safe management and operation of ships and the prevention of pollution at sea. Some of these requirements are:
- Risk assessment of all IT and OT devices, both on board and on land.
- Security policies related to the use of external storage devices.
- Policies and procedures on the use of networks and communications by the crew.
- Policies and procedures on the monitoring and updating of navigation and communication systems.
- Policies on the authorization criteria for the use of remote connections.
- Inventory of all OT systems.
- Internet access policies, setting out restrictions when operations are being carried out on board.
- Preparation of contingency plans for emergency responses.
These new requirements cover the operations of the following vessels in international operations:
- Passenger vessels, including high speed ones.
- Crude oil, chemical, gas ships, cargo ships and high-speed freighters with a gross register tonnage of 500 tons or more.
- Other cargo ships and mobile offshore drilling units with a gross register tonnage of 500 tons or more.
OCIMF
Another organization that has reacted to these changes and quickly updated its guidelines to take into account the new circumstances is the OCIMF (Oil Companies International Marine Forum), a voluntary association of companies related to the maritime transport of crude oil, oil and gas, whose mission is to be the main authority in the safe and responsible operation with the environment in oil tankers, terminals and support vessels on the high seas. In January 2018, it updated its TMSA (Tanker Management and Self Assessment) program, which provides these companies with means to improve and measure their SMS, including in it cybersecurity aspects and requirements applicable to these sectors, among which are:
- Procedures for the management of patches and software.
- Processes and guidelines for identifying and mitigating cyberthreats.
- Procedures for managing passwords.
- Development of a cybersecurity awareness-raising and training plan for all staff involved.
IMCA
The IMCA (International Maritime Contractors Association), which represents the majority of contractors and production chains associated with the offshore maritime construction industry, and whose main goal is to assist organizations to prioritize the defence against the most common and most damaging current attacks on OT and IT infrastructures, has also recently updated its recommendations regarding cyber threats, which are included in its guide Security Measures and Emergency Response Guidance (IMCA SEL 037/M 226), consisting mainly of 20 controls and sub-controls focused on various measures and technical activities. The following are included:
- Active management of the inventory of devices and authorized and unauthorized software.
- Bastioning of final and network devices.
- Evaluation and continuous solution of vulnerabilities.
- defence against malware.
- Wireless network access control.
- Data recovery capacity.
- Evaluation of team’s cybersecurity skills and training program.
- Control of access to network ports.
- Control of the use of administrative privileges.
- Perimeter defence.
- Maintenance, monitoring and analysis of logs.
- Access control based on the principle of Need to know, where the user only gets access to the resources that are strictly necessary for their work.
- Monitoring and control of user accounts.
- Information protection.
- Response and management of cybersecurity incidents.
- Secure network engineering.
- Conducting penetration tests to assess the strength of an organization’s defences.
- Summary of the contribution of each organization -
Conclusion
The maritime sector is very complex, composed of no end of organizations, collective associations and companies in the sector, which must comply with strict standards and regulations. All this is due to its criticality in terms of its impact both economically and environmentally. Cybersecurity could not be left out and that is why these groups are making great efforts to include it within their security culture.
Although it is not yet regulated, there is little time left for companies who are bound to include it within their systems and policies, since, as of 1 January 2021, including cybersecurity in their SMS will be mandatory. Until then, thanks to the support of organizations such as the IMO, IMCA or OCIMF, companies now have detailed guidelines with best practices that can be adopted as from now to protect their maritime infrastructures and thus comply with the regulations that will soon become effective.