11 December 2018 Cyber Risks and Cyber Security …...Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT. Cyber safety incidents

https://www.piclub.or.jp

To the Members

Cyber Risks and Cyber Security (No.4)

This is the update for the members on cyber risks and cyber security issues. The JAPAN P&I NEWS No.944 issued

on 20 February 2018 referred to BIMCO’s The Guidelines on Cyber Security Onboard Ships. BIMCO have just

updated their cyber security guidance as Version 3 with their explanatory notes as below.

///QUOTE///

The third edition of the industry cyber risk management guidelines, Guidelines on Cyber Security Onboard Ships,

addresses the requirement to incorporate cyber risks in the ship’s safety management system (SMS). It also reflects a

deeper experience with risk assessments of operational technology (OT) - such as navigational systems and engine

controls - and provides more guidance for dealing with the cyber risks to the ship arising from parties in the supply chain.

///UNQUOTE///

Yours faithfully,

The Japan Ship Owners' Mutual Protection & Indemnity Association

Attachment: BIMCO “The Guidelines on Cyber Security Onboard Ships Version 3”

BIMCO’s Press explanatory notes

No.1000

11 December 2018

https://www.piclub.or.jp/en/news/23350

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS

Produced and supported byBIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL

v3

The Guidelines on Cyber Security Onboard ShipsVersion 3

Terms of use

The advice and information given in the Guidelines on Cyber Security Onboard Ships (the guidelines) is intended purely as guidance to be used at the user’s own risk. No warranties or representations are given, nor is any duty of care or responsibility accepted by the Authors, their membership or employees of any person, firm, corporation or organisation (who or which has been in any way concerned with the furnishing of information or data, or the compilation or any translation, publishing, or supply of the guidelines) for the accuracy of any information or advice given in the guidelines; or any omission from the guidelines or for any consequence whatsoever resulting directly or indirectly from compliance with, adoption of or reliance on guidance contained in the guidelines, even if caused by a failure to exercise reasonable care on the part of any of the aforementioned parties.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 CONTeNTS

Introduction ..................................................................................................................................... 1

1 Cyber security and safety management .......................................................................................... 31.1 DifferencesbetweenITandOTsystems .......................................................................................... 51.2 Plans and procedures ...................................................................................................................... 61.3 Relationshipbetweenshipmanagerandshipowner ...................................................................... 71.4 Therelationshipbetweentheshipownerandtheagent ................................................................ 71.5 Relationshipwithvendors ............................................................................................................... 82 Identifythreats ................................................................................................................................ 93 Identifyvulnerabilities ................................................................................................................... 133.1 Shiptoshoreinterface .................................................................................................................. 144 Assess risk exposure ...................................................................................................................... 164.1 Riskassessmentmadebythecompany ........................................................................................ 214.2 Third-partyriskassessments ......................................................................................................... 214.3 Risk assessment process ................................................................................................................ 225 Developprotectionanddetectionmeasures ................................................................................ 245.1 Defenceindepthandinbreadth ................................................................................................... 245.2 Technicalprotectionmeasures ...................................................................................................... 255.3 Proceduralprotectionmeasures ................................................................................................... 296 Establishcontingencyplans ........................................................................................................... 347 Respondtoandrecoverfromcybersecurityincidents ................................................................. 367.1 Effectiveresponse ......................................................................................................................... 367.2 Recoveryplan ................................................................................................................................ 377.3 Investigatingcyberincidents ......................................................................................................... 387.4 Losses arising from a cyber incident .............................................................................................. 38

Annex1 Targetsystems,equipmentandtechnologies ....................................................................... 40Annex2 Cyberriskmanagementandthesafetymanagementsystem .............................................. 42Annex3 Onboardnetworks ................................................................................................................ 46Annex 4 Glossary ................................................................................................................................ 50Annex5 Contributorstoversion3oftheguidelines .......................................................................... 53

Contents

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 1INTrOduCTION

Shipsareincreasinglyusingsystemsthatrelyondigitisation,digitalisation,integration,andautomation,whichcallforcyberriskmanagementonboard.Astechnologycontinuestodevelop,informationtechnology(IT)andoperationaltechnology(OT)onboardshipsarebeingnetworkedtogether–andmorefrequentlyconnectedtotheinternet.

Thisbringsthegreaterriskofunauthorisedaccessormaliciousattackstoships’systemsandnetworks.Risksmayalsooccurfrompersonnelaccessingsystemsonboard,forexamplebyintroducingmalwareviaremovablemedia.

Tomitigatethepotentialsafety,environmentalandcommercialconsequencesofacyberincident,agroupofinternationalshippingorganisations,withsupportfromawiderangeofstakeholders(pleaserefertoannex5formoredetails),haveparticipatedinthedevelopmentoftheseguidelines,whicharedesignedtoassistcompaniesinformulatingtheirownapproachestocyberriskmanagementonboardships.

Approachestocyberriskmanagementwillbecompany-andship-specificbutshouldbeguidedbytherequirementsofrelevantnational,internationalandflagstateregulations.Theseguidelinesprovidearisk-basedapproachtoidentifyingandrespondingtocyberthreats.Animportantaspectisthebenefitthatrelevantpersonnelwouldobtainfromtraininginidentifyingthetypicalmodusoperandiofcyberattacks.

In2017,theInternationalMaritimeOrganization(IMO)adoptedresolutionMSC.428(98)onMaritimeCyberRiskManagementinSafetyManagementSystem(SMS).TheResolutionstatedthatanapprovedSMSshouldtakeintoaccountcyberriskmanagementinaccordancewiththeobjectivesandfunctionalrequirementsoftheISMCode.Itfurtherencouragesadministrationstoensurethatcyberrisksareappropriatelyaddressedinsafetymanagementsystemsnolaterthanthefirstannualverificationofthecompany’sDocumentofComplianceafter1January2021.Thesameyear,IMOdevelopedguidelines1thatprovidehigh-levelrecommendationsonmaritimecyberriskmanagementtosafeguardshippingfromcurrentandemergingcyberthreatsandvulnerabilities.AsalsohighlightedintheIMOguidelines,effectivecyberriskmanagementshouldstartattheseniormanagementlevel.Seniormanagementshouldembedacultureofcyberriskawarenessintoalllevelsanddepartmentsofanorganizationandensureaholisticandflexiblecyberriskmanagementregimethatisincontinuousoperationandconstantlyevaluatedthrougheffectivefeedbackmechanisms.

Thecommitmentofseniormanagementtocyberriskmanagementisacentralassumption,onwhichtheGuidelinesonCyberSecurityOnboardShipshavebeendeveloped.

TheGuidelinesonCyberSecurityOnboardShipsarealignedwithIMOresolutionMSC.428(98)andIMO’sguidelinesandprovidepracticalrecommendationsonmaritimecyberriskmanagementcoveringbothcybersecurityandcybersafety.(Seechapter1forthisdistinction).

Theaimofthisdocumentistoofferguidancetoshipownersandoperatorsonproceduresandactionstomaintainthesecurityofcybersystemsinthecompanyandonboardtheships.Theguidelinesarenotintendedtoprovideabasisfor,andshouldnotbeinterpretedas,callingforexternalauditingorvettingtheindividualcompany’sandship’sapproachtocyberriskmanagement.

LiketheIMOguidelines,theUSNationalInstituteofStandardsandTechnology(NIST)frameworkhasalsobeenaccountedforinthedevelopmentoftheseguidelines.TheNISTframeworkassistscompanieswiththeirriskassessmentsbyhelpingthemunderstand,manageandexpressthe1 MSC-FAL.1/Circ.3onGuidelinesonmaritimecyberriskmanagement

Introduction

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 2INTrOduCTION

potentialcyberriskthreatbothinternallyandexternally.Asaresultofthisassessment,a“profile”isdeveloped,whichcanhelptoidentifyandprioritiseactionsforreducingcyberrisks.Theprofilecanalsobeusedasatoolforaligningpolicy,businessandtechnologicalapproachestomanagetherisks.Sampleframeworkprofilesarepubliclyavailableformaritimebulkliquidtransfer,offshore,andpassengershipoperations2.TheseprofileswerecreatedbytheUnitedStatesCoastGuardandNIST’sNationalCybersecurityCenterofExcellencewithinputfromindustrystakeholders.Theprofilesareconsideredtobecomplimentarytotheseguidelinesandcanbeusedtogethertoassistindustryinassessing,prioritizing,andmitigatingtheircyberrisks.

2 TheNISTFrameworkProfilesformaritimebulkliquidtransfer,offshore,andpassengeroperationscanbeaccessedhere:http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 3Cyber SeCurITy ANd SAfeTy mANAGemeNT

Cyber security and safety management

Bothcybersecurityandcybersafetyareimportantbecauseoftheirpotentialeffectonpersonnel,theship,environment,companyandcargo.CybersecurityisconcernedwiththeprotectionofIT,OT,informationanddatafromunauthorisedaccess,manipulationanddisruption.CybersafetycoverstherisksfromthelossofavailabilityorintegrityofsafetycriticaldataandOT.

Cybersafetyincidentscanariseastheresultof:

� acybersecurityincident,whichaffectstheavailabilityandintegrityofOT,forexamplecorruptionofchartdataheldinanElectronicChartDisplayandInformationSystem(ECDIS)

� afailureoccurringduringsoftwaremaintenanceandpatching

� lossoformanipulationofexternalsensordata,criticalfortheoperationofaship–thisincludesbutisnotlimitedtoGlobalNavigationSatelliteSystems(GNSS).

Whilstthecausesofacybersafetyincidentmaybedifferentfromacybersecurityincident,theeffectiveresponsetobothisbasedupontrainingandawareness.

1

Incident: Unrecognised virus in an ECDIS delays sailing

Anew-builddrybulkshipwasdelayedfromsailingforseveraldaysbecauseitsECDISwasinfectedbyavirus.Theshipwasdesignedforpaperlessnavigationandwasnotcarryingpapercharts.ThefailureoftheECDISappearedtobeatechnicaldisruptionandwasnotrecognizedasacyberissuebytheship’smasterandofficers.Aproducertechnicianwasrequiredtovisittheshipand,afterspendingasignificanttimeintroubleshooting,discoveredthatbothECDISnetworkswereinfectedwithavirus.TheviruswasquarantinedandtheECDIScomputerswererestored.Thesourceandmeansofinfectioninthiscaseareunknown.Thedelayinsailingandcostsinrepairstotalledinthehundredsofthousandsofdollars(US).

Cyberriskmanagementshould:

� identifytherolesandresponsibilitiesofusers,keypersonnel,andmanagementbothashoreandon board

� identifythesystems,assets,dataandcapabilities,whichifdisrupted,couldposeriskstotheship’soperationsandsafety

� implementtechnicalandproceduralmeasurestoprotectagainstacyberincidentandensurecontinuityofoperations

� implementactivitiestoprepareforandrespondtocyberincidents.


Someaspectsofcyberriskmanagementmayincludecommerciallysensitiveorconfidentialinformation.Companiesshould,therefore,considerprotectingthisinformationappropriately,andasfaraspossible,notincludesensitiveinformationintheirSafetyManagementSystem(SMS).

Development,implementation,andmaintenanceofacybersecuritymanagementprograminaccordancewiththeapproachinfigure1isnosmallundertaking.Itis,therefore,importantthatseniormanagementstaysengagedthroughouttheprocesstoensurethattheprotection,contingencyandresponseplanningarebalancedinrelationtothethreats,vulnerabilities,riskexposureandconsequencesofapotentialcyberincident.

Respond to and recover from cyber security incidents

Respond to and recover from cyber security incidents using the

contingency plan.Assess the impact of the

effectiveness of the response plan and re-assess threats and

vulnerabilities.

Understand the external cyber security threats to the ship.

Understand the internal cyber security threat posed by inappropriate use and

lack of awareness.

Identify threats

Identifyvulnerabilities

Develop inventories of onboard systems with direct and indirect

communications links.Understand the consequences of a

cyber security threat on these systems.

Understand the capabilities and limitations of existing protection measures.

Assess risk exposure

Determine the likelihood of vulnerabilities being exploited

by external threats.Determine the likelihood of

vulnerabilities being exposed by inappropriate use.

Determine the security and safety impact of any individual or

combination of vulnerabilities being exploited.

Reduce the likelihood of vulnerabilities being exploited through protection

measures.Reduce the potential impact

of a vulnerability being exploited.

Develop protection and

detection measures

Develop a prioritised contingency plan to mitigate any potential

identified cyber risk.

Establish contingency

plans

CYBER RISK MANAGEMENT

APPROACH

figure 1: Cyber risk management approach as set out in the guidelines


1.1 Differences between IT and OT systems

OTsystemscontrolthephysicalworldandITsystemsmanagedata.OTsystemsdifferfromtraditionalITsystems.OTishardwareandsoftwarethatdirectlymonitors/controlsphysicaldevicesandprocesses.ITcoversthespectrumoftechnologiesforinformationprocessing,includingsoftware,hardwareandcommunicationtechnologies.TraditionallyOTandIThavebeenseparated,butwiththeinternet,OTandITarecomingcloserashistoricallystand-alonesystemsarebecomingintegrated.DisruptionoftheoperationofOTsystemsmayimposesignificantrisktothesafetyofonboardpersonnel,cargo,damagetothemarineenvironment,andimpedetheship’soperation.TypicaldifferencesbetweenITandOTsystemscanbeseeninthetablebelow.

TypicaldifferencesbetweenITandOTsystemscanbeseeninthetablebelow.

Category IT system OT systemPerformance requirements � non-real-time

� response must be consistent

� lesscriticalemergencyinteraction

� tightlyrestrictedaccesscontrolcanbeimplementedtothedegreenecessaryfor security

� real-time

� responseistime-critical

� responsetohumanandanyotheremergencyinteractioniscritical

� accesstoOTshouldbestrictlycontrolled,butshouldnothamperorinterferewithhuman-machineinteraction

Availability (reliability) requirements

� responsessuchasrebootingareacceptable

� availabilitydeficienciesmaybetolerated,dependingonthesystem’soperationalrequirements

� responsessuchasrebootingmaynotbeacceptablebecauseofoperationalrequirements

� availabilityrequirementsmaynecessitateback-upsystems

Risk management requirements

� manage data

� dataconfidentialityandintegrityisparamount

� fault tolerance may be less important.

� riskimpactsmaycausedelayof:ship’sclearance,commencementofloading/unloading,andcommercialandbusinessoperations

� controlphysicalworld

� safetyisparamount,followedbyprotectionoftheprocess

� faulttoleranceisessential,evenmomentarydowntimemaynotbeacceptable

� riskimpactsareregulatorynon-compliance,aswellasharmtothepersonnelonboard,theenvironment,equipmentand/orcargo

System operation � systemsaredesignedforusewithcommonlyknownoperatingsystems

� upgradesarestraightforwardwiththeavailabilityofautomateddeploymenttools

� differingandpossiblyproprietaryoperatingsystems,oftenwithoutbuiltinsecuritycapabilities

� softwarechangesmustbecarefullymade,usuallybysoftwarevendors,becauseofthespecializedcontrolalgorithmsandpossibleinvolvementofmodifiedhardwareandsoftware

Resource constraints � systemsarespecifiedwithenoughresourcestosupporttheadditionofthird-partyapplicationssuchassecuritysolutions

� systemsaredesignedtosupporttheintendedoperationalprocessandmaynothaveenoughmemoryandcomputingresourcestosupporttheadditionofsecuritycapabilities

Table 1: differences between OT and IT3

3 Basedontable2-1inNISTSpecialPublication800-82,Revision2.


TheremaybeimportantdifferencesbetweenwhohandlesthepurchaseandmanagementoftheOTsystemsversusITsystemsonaship.ITdepartmentsarenotusuallyinvolvedinthepurchaseofOTsystems.Thepurchaseofsuchsystemsshouldinvolveachiefengineer,whoknowsabouttheimpactontheonboardsystemsbutwillmostprobablyonlyhavelimitedknowledgeofsoftwareandcyberriskmanagement.Itis,therefore,importanttohaveadialoguewiththeITdepartmenttoensurethatcyberrisksareconsideredduringtheOTpurchasingprocess.OTsystemsshouldbeinventoriedwiththeITdepartment,soastoobtainanoverviewofpotentialchallengesandtohelpestablishthenecessarypolicyandproceduresforsoftwaremaintenance.

OtherindustrysectorshaveseenthebarrierremovedbetweenITandOT,withmanagementandprocurementstrategiesallhandledunderthesameregime.

1.2 Plans and procedures

IMOResolutionMSC.428(98)identifiescyberrisksasspecificthreats,whichcompaniesshouldtrytoaddressasfaraspossibleinthesamewayasanyotherriskthatmayaffectthesafeoperationofashipandprotectionoftheenvironment.Moreguidanceonhowtoincorporatecyberriskmanagementintothecompany’sSMScanbefoundinannex2oftheseguidelines.

Cyberriskmanagementshouldbeaninherentpartofthesafetyandsecuritycultureconducivetothesafeandefficientoperationoftheshipandbeconsideredatvariouslevelsofthecompany,includingseniormanagementashoreandonboardpersonnel.Inthecontextofaship’soperation,cyberincidentsareanticipatedtoresultinphysicaleffectsandpotentialsafetyand/orpollutionincidents.ThismeansthatthecompanyneedstoassessrisksarisingfromtheuseofITandOTonboardshipsandestablishappropriatesafeguardsagainstcyberincidents.CompanyplansandproceduresforcyberriskmanagementshouldbeincorporatedintoexistingsecurityandsafetyriskmanagementrequirementscontainedintheISMCodeandISPSCode.

TheobjectiveoftheSMSistoprovideasafeworkingenvironmentbyestablishingappropriatepracticesandproceduresbasedonanassessmentofallidentifiedriskstotheship,onboardpersonnelandtheenvironment.TheSMSshouldincludeinstructionsandprocedurestoensurethesafeoperationoftheshipandprotectionoftheenvironmentincompliancewithrelevantinternationalandflagstaterequirements.TheseinstructionsandproceduresshouldconsiderrisksarisingfromtheuseofITandOTonboard,takingintoaccountapplicablecodes,guidelinesandrecommendedstandards.

Whenincorporatingcyberriskmanagementintothecompany’sSMS,considerationshouldbegivenastowhether,inadditiontoagenericriskassessmentoftheshipsitoperates,aparticularshipneedsaspecificriskassessment.Thecompanyshouldconsidertheneedforaspecificriskassessmentbasedonwhetheraparticularshipisuniquewithintheirfleet.ThefactorstobeconsideredincludebutarenotlimitedtotheextenttowhichITandOTareusedonboard,thecomplexityofsystemintegrationandthenatureofoperations.

Inaccordancewithchapter8oftheISPSCode,theshipisobligedtoconductasecurityassessment,whichincludesidentificationandevaluationofkeyshipboardoperationsandtheassociatedpotentialthreats.AsrecommendedbyPartB,paragraph8.3.5oftheISPSCode,theassessmentshouldaddressradioandtelecommunicationsystems,includingcomputersystemsandnetworks.Therefore,theship’ssecurityplanmayneedtoincludeappropriatemeasuresforprotectingboththeequipmentandtheconnection.DuetothefastadoptionofsophisticatedanddigitalisedonboardOTsystems,considerationshouldbegiventoincludingtheseproceduresbyreferencetotheSMSinordertohelpensuretheship’ssecurityproceduresareasup-to-dateaspossible.

SystemslikeTankerManagementandSelfAssessment(TMSA)alsorequireplansandprocedurestobe implemented.


1.3 Relationship between ship manager and shipowner

TheDocumentofComplianceholderisultimatelyresponsibleforensuringthemanagementofcyberrisksonboard.Iftheshipisunderthirdpartymanagement,thentheshipmanagerisadvisedtoreachanagreementwiththeshipowner.

Particularemphasisshouldbeplacedbybothpartiesonthesplitofresponsibilities,alignmentofpragmaticexpectations,agreementonspecificinstructionstothemanagerandpossibleparticipationinpurchasingdecisionsaswellasbudgetaryrequirements.

ApartfromISMrequirements,suchanagreementshouldtakeintoconsiderationadditionalapplicablelegislationliketheEUGeneralDataProtectionRegulation(GDPR)orspecificcyberregulationsinothercoastalstates.Managersandownersshouldconsiderusingtheseguidelinesasabaseforanopendiscussiononhowbesttoimplementanefficientcyberriskmanagementregime.

Agreementsoncyberriskmanagementshouldbeformalandwritten.

1.4 The relationship between the shipowner and the agent

Theimportanceofthisrelationshiphasplacedtheagent4asanamedstakeholder,interfacingcontinuouslyandsimultaneouslywithshipowners,operators,terminals,portservicesvendors,andportstatecontrolauthoritiesthroughtheexchangeofsensitive,financial,andportcoordinationinformation.Therelationshipgoesbeyondthatofavendor.Itcantakedifferentformsandespeciallyinthetramptrade,shipownersrequirealocalrepresentative(anindependentshipagent)toserveasanextensionofthecompany.

Coordinationoftheship’scallofportisahighlycomplextaskbeingsimultaneouslyglobalandlocal.Itcoversupdatesfromagents,coordinatinginformationwithallportvendors,portstatecontrol,handlingshipandcrewrequirements,andelectroniccommunicationbetweentheship,portandauthoritiesashore.Asoneexample,whichtouchescyberriskmanagement:OftenagentsarerequiredtobuildITsystems,whichuploadinformationreal-timeintoowner’smanagementinformationsystem.

Qualitystandardsforagentsareimportantbecauselikeallotherbusinesses,agentsarealsotargetedbycybercriminals.Cyber-enabledcrime,suchaselectronicwirefraudandfalseshipappointments,andcyberthreatssuchasransomwareandhacking,callformutualcyberstrategiesandcyber-enhancedrelationshipsbetweenownersandagentstomitigatesuchcyberrisks.

4 Thepartyrepresentingtheship’sownerand/orcharterer(thePrincipal)inport.Ifsoinstructed,theagentisresponsibletotheprincipalforarranging,togetherwiththeport,aberth,allrelevantportandhusbandryservices,tendingtotherequirementsofthemasterandcrew,clearingtheshipwiththeportandotherauthorities(includingpreparationandsubmissionofappropriatedocumentation)alongwithreleasingorreceivingcargoonbehalfoftheprincipal(source:ConventiononFacilitationofInternationalMaritimeTraffic(FALConvention).

5 Nothingintheseguidelinesshouldbetakenasrecommendingthepaymentofransom.

Incident: Ship agent and shipowner ransomware incident

Ashipownerreportedthatthecompany’sbusinessnetworkswereinfectedwithransomware,apparentlyfromanemailattachment.Thesourceoftheransomwarewasfromtwounwittingshipagents,inseparateports,andonseparateoccasions.Shipswerealsoaffectedbutthedamagewaslimitedtothebusinessnetworks,whilenavigationandshipoperationswereunaffected.Inonecase,theownerpaidtheransom5.

Theimportanceofthisincidentisthatharmonizedcybersecurityacrossrelationshipswithtrustedbusinesspartnersandproducersiscriticaltoallinthesupplychain.Individualeffortstofortifyone’sownbusinesscanbevaliantandwell-intendedbutcouldalsobeinsufficient.Principalsinthesupplychainshouldworktogethertomitigatecyberrisk.


1.5 Relationship with vendors

Companiesshouldevaluateandincludethephysicalsecurityandcyberriskmanagementprocessesofserviceprovidersinsupplieragreementsandcontracts.Processesevaluatedduringsuppliervettingandincludedincontractrequirementsmayinclude:

� securitymanagementincludingmanagementofsub-suppliers

� manufacturing/operationalsecurity

� softwareengineeringandarchitecture

� asset and cyber incident management

� personnel security

� dataandinformationprotection.

Evaluationofserviceprovidersbeyondthefirsttiermaybechallengingespeciallyforcompanieswithalargenumberoftieronesuppliers.Thirdpartyprovidersthatarecollectingandmanagingsupplierriskmanagementdatamaybeanoptiontoconsider.

Lackofphysicaland/orcybersecurityatasupplierwithintheirproductsorinfrastructuremayresultinabreachofcorporateITsystemsorcorruptionofshipOT/ITsystems.

Companiesshouldevaluatethecyberriskmanagementprocessesforbothnewandexistingcontracts.Itisgoodpracticeforthecompanytodefinetheirownminimumsetofrequirementstomanagesupplychainor3rdpartyrisks.Asetofcyberriskrequirementsthatreflectthecompany’sexpectationsshouldbeclearandunambiguoustovendors.Thismayalsohelpprocurementpracticeswhendealingwithmultiplevendors.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 9IdeNTIfy ThreATS

Identify threats

Thecyberrisk6isspecifictothecompany,ship,operationand/ortrade.Whenassessingtherisk,companiesshouldconsideranyspecificaspectsoftheiroperationsthatmightincreasetheirvulnerabilitytocyberincidents.

Unlikeotherareasofsafetyandsecurity,wherehistoricevidenceisavailable,cyberriskmanagementismademorechallengingbytheabsenceofanydefinitiveinformationaboutincidentsandtheirimpact.Untilthisevidenceisobtained,thescaleandfrequencyofattackswillcontinuetobeunknown.

Experiencesintheshippingindustryandfromotherbusinesssectorssuchasfinancialinstitutions,publicadministrationandairtransporthaveshownthatsuccessfulcyberattacksmightresultinasignificantlossofservices.Assetscanalsocompromisesafety.

Therearemotivesfororganisationsandindividualstoexploitcybervulnerabilities.Thefollowingexamplesgivesomeindicationofthethreatsposedandthepotentialconsequencesforcompaniesandtheshipstheyoperate:

Group Motivation ObjectiveActivists (including disgruntled employees)

� reputationaldamage

� disruptionofoperations

� destructionofdata

� publicationofsensitivedata

� mediaattention

� denialofaccesstotheserviceorsystemtargeted

Criminals � financialgain

� commercial espionage

� industrial espionage

� selling stolen data

� ransoming stolen data

� ransoming system operability

� arrangingfraudulenttransportationofcargo

� gatheringintelligenceformoresophisticatedcrime,exactcargolocation,shiptransportationandhandlingplansetc

Opportunists � thechallenge � gettingthroughcybersecuritydefences

� financialgain

States

State sponsored organisations

Terrorists

� politicalgain

� espionage

� gainingknowledge

� disruptiontoeconomiesandcriticalnationalinfrastructure

Table 2: motivation and objectives

Theabovegroupsareactiveandhavetheskillsandresourcestothreatenthesafetyandsecurityofshipsandacompany’sabilitytoconductitsbusiness.

2

6 ThetextinthischapterhasbeensummarisedfromCESG,CommonCyberAttacks:ReducingtheImpact.


Inaddition,thereisthepossibilitythatcompanypersonnel,onboardandashore,couldcompromisecybersystemsanddata.Ingeneral,thecompanyshouldrealisethatthismaybeunintentionalandcausedbyhumanerrorwhenoperatingandmanagingITandOTsystemsorfailuretorespecttechnicalandproceduralprotectionmeasures.Thereis,however,thepossibilitythatactionsmaybemaliciousandareadeliberateattemptbyadisgruntledemployeetodamagethecompanyandtheship.

Types of cyber attack

Ingeneral,therearetwocategoriesofcyberattacks,whichmayaffectcompaniesandships:

� untargetedattacks,whereacompanyoraship’ssystemsanddataareoneofmanypotentialtargets

� targetedattacks,whereacompanyoraship’ssystemsanddataaretheintendedtarget.

Untargetedattacksarelikelytousetoolsandtechniquesavailableontheinternet,whichcanbeusedtolocate,discoverandexploitwidespreadvulnerabilitiesthatmayalsoexistinacompanyandonboardaship.Examplesofsometoolsandtechniquesthatmaybeusedinthesecircumstancesinclude:

� Malware–Malicioussoftwarewhichisdesignedtoaccessordamageacomputerwithouttheknowledgeoftheowner.Therearevarioustypesofmalwareincludingtrojans,ransomware,spyware,viruses,andworms.Ransomwareencryptsdataonsystemsuntilaransomhasbeenpaid.Malwaremayalsoexploitknowndeficienciesandproblemsinoutdated/unpatchedbusinesssoftware.Theterm“exploit”usuallyreferstotheuseofasoftwareorcode,whichisdesignedtotakeadvantageofandmanipulateaprobleminanothercomputersoftwareorhardware.Thisproblemcan,forexample,beacodebug,systemvulnerability,improperdesign,hardwaremalfunctionand/orerrorinprotocolimplementation.Thesevulnerabilitiesmaybeexploitedremotelyortriggeredlocally.Locally,apieceofmaliciouscodemayoftenbeexecutedbytheuser,sometimesvialinksdistributedinemailattachmentsorthroughmaliciouswebsites.

� Phishing–Sendingemailstoalargenumberofpotentialtargetsaskingforparticularpiecesofsensitiveorconfidentialinformation.Suchanemailmayalsorequestthatapersonvisitsafakewebsiteusingahyperlinkincludedintheemail.

� Water holing–Establishingafakewebsiteorcompromisingagenuinewebsitetoexploitvisitors.

� Scanning–Attackinglargeportionsoftheinternetatrandom.

Targetedattacksmaybemoresophisticatedandusetoolsandtechniquesspecificallycreatedfortargetingacompanyorship.Examplesoftoolsandtechniques,whichmaybeusedinthesecircumstances,include:

� Social engineering–Anon-technicaltechniqueusedbypotentialcyberattackerstomanipulateinsiderindividualsintobreakingsecurityprocedures,normally,butnotexclusively,throughinteractionviasocialmedia.

� Brute force–Anattacktryingmanypasswordswiththehopeofeventuallyguessingcorrectly.Theattackersystematicallychecksallpossiblepasswordsuntilthecorrectoneisfound.

� Denial of service (DoS)–Preventslegitimateandauthorisedusersfromaccessinginformation,usuallybyfloodinganetworkwithdata.Adistributeddenialofservice(DDoS)attacktakescontrolofmultiplecomputersand/orserverstoimplementaDoSattack.


� Spear-phishing–Likephishingbuttheindividualsaretargetedwithpersonalemails,oftencontainingmalicioussoftwareorlinksthatautomaticallydownloadmalicioussoftware.

� Subverting the supply chain–Attackingacompanyorshipbycompromisingequipment,softwareorsupportingservicesbeingdeliveredtothecompanyorship.

Theaboveexamplesarenotexhaustive.Othermethodsareevolvingsuchasimpersonatingalegitimateshore-basedemployeeinashippingcompanytoobtainvaluableinformation,whichcanbeusedforafurtherattack.Thepotentialnumberandsophisticationoftoolsandtechniquesusedincyberattackscontinuetoevolveandarelimitedonlybytheingenuityofthoseorganisationsandindividualsdevelopingthem.

Stages of a cyber attack

In2018,ittookonaverage140daysbetweentimeofinfectionofavictim’snetworkanddiscoveryofacyberattack.However,intrusioncangoundetectedforyears.Thisfigureisdownfrom205daysin2015andcontinuestodropbecausedetectionisgettingbetter7.Cyberattacksareconductedinstages.Thelengthoftimetoprepareacyberattackcanbedeterminedbythemotivationsandobjectivesoftheattacker,andtheresilienceoftechnicalandproceduralcyberriskcontrolsimplementedbythecompany,includingthoseonboarditsships.Whenconsideringtargetedcyberattacks,thegenerally-observedstagesofanattackare:

� Survey/reconnaissance–Open/publicsourcesareusedtogaininformationaboutacompany,shiporseafarerinpreparationforacyberattack.Socialmedia,technicalforumsandhiddenpropertiesinwebsites,documentsandpublicationsmaybeusedtoidentifytechnical,proceduralandphysicalvulnerabilities.Theuseofopen/publicsourcesmaybecomplementedbymonitoring(analysing–sniffing)theactualdataflowingintoandfromacompanyoraship.

� Delivery–Attackersmayattempttoaccessthecompany’sandship’ssystemsanddata.Thismaybedonefromeitherwithinthecompanyorshiporremotelythroughconnectivitywiththeinternet.Examplesofmethodsusedtoobtainaccessinclude:

• companyonlineservices,includingcargoorcontainertrackingsystems

• sendingemailscontainingmaliciousfilesorlinkstomaliciouswebsitestopersonnel

• providinginfectedremovablemedia,forexampleaspartofasoftwareupdatetoanonboardsystem

• creatingfalseormisleadingwebsites,whichencouragethedisclosureofuseraccountinformationbypersonnel.

� Breach–Theextenttowhichanattackercanbreachacompany’sorship’ssystemwilldependonthesignificanceofthevulnerabilityfoundbyanattackerandthemethodchosentodeliveranattack.Itshouldbenotedthatabreachmightnotresultinanyobviouschangestothestatusoftheequipment.Dependingonthesignificanceofthebreach,anattackermaybeableto:

• makechangesthataffectthesystem’soperation,forexampleinterruptormanipulateinformationusedbynavigationequipment,oralteroperationallyimportantinformationsuchasloading lists

• gainaccesstocommerciallysensitivedatasuchascargomanifestsand/orcrewandpassenger/visitorlists

7 TheMicrosoftCybercrimeCenter.


• achievefullcontrolofasystem,forexampleamachinerymanagementsystem.

� Pivot–Pivotingisthetechniqueofusinganinstancealreadyexploitedtobeableto“move”andperformotheractivities.Duringthisphaseofanattack,anattackerusesthefirstcompromisedsystemtoattackotherwiseinaccessiblesystems.Anattackerwillusuallytargetthemostvulnerablepartofthevictim’ssystemwiththelowestlevelofsecurity.Onceaccessisgainedthentheattackerwilltrytoexploittherestofthesystem.Usually,inthePivotphase,theattackermaytryto:

• uploadtools,exploitsandscriptsinthesystemtosupporttheattackerinthenewattackphase

• executeadiscoveryofneighboursystemswithscanningornetworkmappingtools

• installpermanenttoolsorakeyloggertokeepandmaintainaccesstothesystem

• executenewattacksonthesystem.

Themotivationandobjectivesoftheattackerwilldeterminewhateffecttheyhaveonthecompanyorshipsystemanddata.Anattackermayexploresystems,expandaccessand/orensurethattheyareabletoreturntothesysteminorderto:

� accesscommerciallysensitiveorconfidentialdataaboutcargo,crew,visitorsandpassengers

� manipulatecreworpassenger/visitorslists,cargomanifestsorloadinglists.Thismaysubsequentlybeusedtoallowthefraudulenttransportofillegalcargo,orfacilitatethefts

� causecompletedenialofserviceonbusinesssystems

� enableotherformsofcrimeforexamplepiracy,theftandfraud

� disruptnormaloperationofthecompanyandshipsystems,forexamplebydeletingcriticalpre-arrivalordischargeinformationoroverloadingcompanysystems.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 13IdeNTIfy vulNerAbIlITIeS

Identify vulnerabilities3

Itisrecommendedthatashippingcompanyinitiallyperformsanassessmentofthepotentialthreatsthatmayrealisticallybefaced.Thisshouldbefollowedbyanassessmentofthesystemsandonboardprocedurestomaptheirrobustnesstohandlethecurrentlevelofthreat.Itmaybefacilitatedbyinternalexpertsorsupportedbyexternalexpertswithknowledgeofthemaritimeindustryanditskeyprocesses.Theresultshouldbeastrategycentredaroundthekeyrisks.

Stand-alonesystemswillbelessvulnerabletoexternalcyberattackscomparedtothoseattachedtouncontrollednetworksordirectlytotheinternet.Networkdesignandnetworksegregationwillbeexplainedinmoredetailinannex3.Careshouldbetakentounderstandhowcriticalshipboardsystemsmightbeconnectedtouncontrollednetworks.Whendoingso,thehumanelementshouldbetakenintoconsideration,asmanyincidentsareinitiatedbypersonnel’sactions.Onboardsystemscouldinclude:

� Cargo management systems–Digitalsystemsusedfortheloading,managementandcontrolofcargo,includinghazardouscargo,mayinterfacewithavarietyofsystemsashore,includingports,marineterminals.Suchsystemsmayincludeshipment-trackingtoolsavailabletoshippersviatheinternet.However,thetrackingisusuallydoneviathecompany’ssystemsconnectedtotheshipandnotdirectlybetweentheshipperandtheship.Interfacesofthiskindmakecargomanagementsystemsanddataincargomanifestsandloadinglistsvulnerabletocyberattacks.

� Bridge systems–Theincreasinguseofdigital,networknavigationsystems,withinterfacestoshoresidenetworksforupdateandprovisionofservices,makesuchsystemsvulnerabletocyberattacks.Bridgesystemsthatarenotconnectedtoothernetworksmaybeequallyvulnerable,asremovablemediaareoftenusedtoupdatesuchsystemsfromothercontrolledoruncontrollednetworks.Acyberincidentcanextendtoservicedenialormanipulationand,therefore,mayaffectallsystemsassociatedwithnavigation,includingECDIS,GNSS,AIS,VDRandRadar/ARPA.

� Propulsion and machinery management and power control systems–Theuseofdigitalsystemstomonitorandcontrolonboardmachinery,propulsionandsteeringmakessuchsystemsvulnerabletocyberattacks.Thevulnerabilityofthesesystemscanincreasewhenusedinconjunctionwithremotecondition-basedmonitoringand/orareintegratedwithnavigationandcommunicationsequipmentonshipsusingintegratedbridgesystems.

� Access control systems–Digitalsystemsusedtosupportaccesscontroltoensurephysicalsecurity

Incident: Crash of integrated navigation bridge at sea

Ashipwithanintegratednavigationbridgesufferedafailureofnearlyallnavigationsystemsatsea,inahightrafficareaandreducedvisibility.Theshiphadtonavigatebyoneradarandbackuppaperchartsfortwodaysbeforearrivinginportforrepairs.ThecauseofthefailureofallECDIScomputerswasdeterminedtobeattributedtotheoutdatedoperatingsystems.Duringthepreviousportcall,aproducertechnicalrepresentativeperformedanavigationsoftwareupdateontheship’snavigationcomputers.However,theoutdatedoperatingsystemswereincapableofrunningthesoftwareandcrashed.TheshipwasrequiredtoremaininportuntilnewECDIScomputerscouldbeinstalled,classificationsurveyorscouldattend,andanear-missnotificationhadbeenissuedasrequiredbythecompany.Thecostsofthedelayswereextensiveandincurredbytheshipowner.

Thisincidentemphasizesthatnotallcomputerfailuresarearesultofadeliberateattackandthatoutdatedsoftwareispronetofailure.Moreproactivesoftwaremaintenancetotheshipmayhavepreventedthisincidentfrom occurring.


andsafetyofashipanditscargo,includingsurveillance,shipboardsecurityalarm,andelectronic“personnel-on-board”systemsarevulnerabletocyberattacks.

� Passenger servicing and management systems–Digitalsystemsusedforpropertymanagement,boardingandaccesscontrolmayholdvaluablepassengerrelateddata.Intelligentdevices(tablets,handheldscannersetc.)arethemselvesanattackvectorasultimatelythecollecteddataispassedontoothersystems.

� Passenger facing public networks–Fixedorwirelessnetworksconnectedtotheinternet,installedonboardforthebenefitofpassengers,forexampleguestentertainmentsystems,shouldbeconsidereduncontrolledandshouldnotbeconnectedtoanysafetycriticalsystemonboard.

� Administrative and crew welfare systems–Onboardcomputernetworksusedforadministrationoftheshiporthewelfareofthecrewareparticularlyvulnerablewhenprovidinginternetaccessandemail.Thiscanbeexploitedbycyberattackerstogainaccesstoonboardsystemsanddata.Thesesystemsshouldbeconsidereduncontrolledandshouldnotbeconnectedtoanysafetycriticalsystemonboard.Softwareprovidedbyshipmanagementcompaniesorownersisalsoincludedinthiscategory.

� Communication systems–Availabilityofinternetconnectivityviasatelliteand/orotherwirelesscommunicationcanincreasethevulnerabilityofships.Thecyberdefencemechanismsimplementedbytheserviceprovidershouldbecarefullyconsideredbutshouldnotbesolelyreliedupontosecureeveryshipboardsystemanddata.Includedinthesesystemsarecommunicationlinkstopublicauthoritiesfortransmissionofrequiredshipreportinginformation.Applicableauthenticationandaccesscontrolmanagementrequirementsbytheseauthoritiesshouldbestrictlycompliedwith.

Theabove-mentionedonboardsystemsconsistofpotentiallyvulnerableequipment,whichshouldbereviewedduringtheassessment.Moredetailcanbefoundinannex1oftheseguidelines.

3.1 Ship to shore interface

Shipsarebecomingmoreandmoreintegratedwithshoresideoperationsbecausedigitalcommunicationisbeingusedtoconductbusiness,manageoperations,andretaincontactwithheadoffice.Furthermore,criticalshipsystemsessentialtothesafetyofnavigation,powerandcargomanagementhavebecomeincreasinglydigitalisedandconnectedtotheinternettoperformawidevarietyoflegitimatefunctionssuchas:

� engine performance monitoring

� maintenance and spare parts management

� cargo,loadingandunloading,crane,pumpmanagementandstowplanning

� voyageperformancemonitoring.

Theabovelistprovidesexamplesofthisinterfaceandisnotexhaustive.Theabovesystemsprovidedata,whichmaybeofinteresttocybercriminalstoexploit.

Moderntechnologiescanaddvulnerabilitiestotheshipsespeciallyifthereareinsecuredesignsofnetworksanduncontrolledaccesstotheinternet.Additionally,shoresideandonboardpersonnelmaybeunawarehowsomeequipmentproducersmaintainremoteaccesstoshipboardequipmentanditsnetworksystem.Unknown,anduncoordinatedremoteaccesstoanoperatingshipshouldbetakenintoconsiderationasanimportantpartoftheriskassessment.


Itisrecommendedthatcompaniesshouldfullyunderstandtheship’sOTandITsystemsandhowthesesystemsconnectandintegratewiththeshoreside,includingpublicauthorities,marineterminalsandstevedores.Thisrequiresanunderstandingofallcomputerbasedonboardsystemsandhowsafety,operations,andbusinesscanbecompromisedbyacyberincident.

Thefollowingshouldbeconsideredregardingproducersandthirdpartiesincludingcontractorsandserviceproviders:

1. Theproducer’sandserviceprovider’scyberriskmanagementawarenessandprocedures:Suchcompaniesmaylackcyberawarenesstrainingandgovernanceintheirownorganisationsandthismayrepresentmoresourcesofvulnerability,whichcouldresultincyberincidents.Thesecompaniesshouldhaveanupdatedcyberriskmanagementcompanypolicy,whichincludestrainingandgovernanceproceduresforaccessibleITandOTonboardsystems.

2. Thematurityofathird-party’scyberriskmanagementprocedures:Theshipownershouldquerytheinternalgovernanceofcybernetworksecurity,andseektoobtainacyberriskmanagementassurancewhenconsideringfuturecontractsandservices.Thisisparticularlyimportantwhencoveringnetworksecurityiftheshipistobeinterfacedwiththethird-partysuchasamarineterminalorstevedoringcompany.

Common vulnerabilities

Thefollowingarecommoncybervulnerabilities,whichmaybefoundonboardexistingships,andonsomenewbuildships:

� obsoleteandunsupportedoperatingsystems

� outdatedormissingantivirussoftwareandprotectionfrommalware

� inadequatesecurityconfigurationsandbestpractices,includingineffectivenetworkmanagementandtheuseofdefaultadministratoraccountsandpasswords,

� shipboardcomputernetworks,whichlackboundaryprotectionmeasuresandsegmentationofnetworks

� safetycriticalequipmentorsystemsalwaysconnectedwiththeshoreside

� inadequateaccesscontrolsforthirdpartiesincludingcontractorsandserviceproviders.

Incident: Navigation computer crash during pilotage

AshipwasundertheconductofapilotwhentheECDISandvoyageperformancecomputerscrashed.Apilotwasonthebridge.Thecomputerfailuresbrieflycreatedadistractiontothewatchofficers;however,thepilotandthemasterworkedtogethertofocusthebridgeteamonsafenavigationbyvisualmeansandradar.Whenthecomputerswererebooted,itwasapparentthattheoperatingsystemswereoutdatedandunsupported.Themasterreportedthatthesecomputerproblemswerefrequent(referredtotheissuesas“gremlins”)andthatrepeatedrequestsforservicingfromtheshipownerhadbeenignored.

Itisaclearcaseofhowsimpleservicingandattentiontotheshipbymanagementcanpreventmishaps.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 16ASSeSS rISk expOSure

Assess risk exposure4

Cyberriskassessmentshouldstartatseniormanagementlevelofacompany,insteadofbeingimmediatelydelegatedtotheshipsecurityofficerortheheadoftheITdepartment.Thereareseveralreasonsforthis.

1. Initiativestoheightencybersecurityandsafetymayatthesametimeaffectstandardbusinessproceduresandoperations,renderingthemmoretimeconsumingand/orcostly.Itis,therefore,aseniormanagementleveldecisiontoevaluateanddecideonriskmitigation.

2. Anumberofinitiatives,whichwouldimprovecyberriskmanagement,arerelatedtobusinessprocesses,training,thesafetyoftheshipandtheenvironmentandnottoITsystems,andthereforeneedtobeanchoredorganisationallyoutsidetheITdepartment.

3. Initiativeswhichheightencyberawarenessmaychangehowthecompanyinteractswithcustomers,suppliersandauthorities,andimposenewrequirementsontheco-operationbetweentheparties.Itisaseniormanagementleveldecisionwhetherandhowtodrivethesechangesinrelationships.

Thefollowingquestionsmaybeusedasabasisforariskassessmentwhenaddressingcyberrisksonboardships:

� Whatassetsareatrisk?

� Whatisthepotentialimpactofacyberincident?

� Whohasthefinalresponsibilityforthecyberriskmanagement?

� AretheOTsystemsandtheirworkingenvironmentprotectedfromtheinternet?

� IsthereremoteaccesstotheOTsystems,andifsohowisitmonitoredandprotected?

� AretheITsystemsprotectedandisremoteaccessbeingmonitoredandmanaged?

� Whatcyberriskmanagementbestpracticesarebeingused?

� WhatisthetraininglevelofthepersonneloperatingtheITandOTsystems?

Basedontheanswers,thecompanyshoulddelegateauthorityandallocatethebudgetneededtocarryoutafullriskassessmentanddevelopsolutionsthatarebestsuitedforthecompanyandtheoperationoftheirships.Thefollowingshouldbeaddressed:

� identifysystemsthatareimportanttooperation,safetyandenvironmentalprotection

� assignthepersonsresponsibleforsettingcyberpolicies,proceduresandenforcemonitoring

� determinewheresecureremoteaccessshouldusemultipledefencelayersandwhereprotectionofnetworksshouldbedisconnectedfromtheinternet

� identificationofneedsfortrainingofpersonnel.


Thelevelofcyberriskwillreflectthecircumstancesofthecompany,ship(itsoperationandtrade),theITandOTsystemsused,andtheinformationand/ordatastored.Themaritimeindustrypossessesarangeofcharacteristics,whichaffectitsvulnerabilitytocyberincidents:

� thecybercontrolsalreadyimplementedbythecompanyonboarditsships

� multiplestakeholdersareofteninvolvedintheoperationandcharteringofashippotentiallyresultinginlackofaccountabilityfortheITinfrastructure

� theshipbeingonlineandhowitinterfaceswithotherpartsoftheglobalsupplychain

� shipequipmentbeingremotelymonitored,egbytheproducers

� business-critical,datasensitiveandcommerciallysensitiveinformationsharedwithshore-basedserviceproviders,includingmarineterminalsandstevedoresandalso,whereapplicable,publicauthorities

� theavailabilityanduseofcomputer-controlledcriticalsystemsfortheship’ssafetyandforenvironmentalprotection.

Theseelementsshouldbeconsidered,andrelevantpartsincorporatedintothecompanycybersecuritypolicies,safetymanagementsystems,andshipsecurityplans.Usersoftheseguidelinesshouldrefertospecificnational,internationalandflagstateregulationsaswellasrelevantinternationalandindustrystandardsandbestpracticeswhendevelopingandimplementingcyberriskmanagement procedures.

ITandOTsystems,softwareandmaintenancecanbeoutsourcedtothird-partyserviceprovidersandthecompany,itself,maynotpossessawayofverifyingthelevelofsecuritysuppliedbytheseproviders.Somecompaniesusedifferentprovidersresponsibleforsoftwareandcybersecuritychecks.

Thegrowinguseofbigdata,smartshipsandthe“internetofthings”8willincreasetheamountofinformationavailabletocyberattackersandthepotentialattacksurfacetocybercriminals.Thismakestheneedforrobustapproachestocyberriskmanagementimportantbothnowandinthefuture.

Incident: Worm attack on maritime IT and OT

Ashipwasequippedwithapowermanagementsystemthatcouldbeconnectedtotheinternetforsoftwareupdatesandpatching,remotediagnostics,datacollection,andremoteoperation.Theshipwasbuiltrecently,butthissystemwasnotconnectedtotheinternetbydesign.

Thecompany’sITdepartmentmadethedecisiontovisittheshipandperformedvulnerabilityscanstodetermineifthesystemhadevidenceofinfectionandtodetermineifitwassafetoconnect.Theteamdiscoveredadormantwormthatcouldhaveactivateditselfoncethesystemwasconnectedtotheinternetandthiswouldhavehadsevereconsequences.Theincidentemphasizesthatevenairgappedsystemscanbecompromisedandunderlinesthevalueofproactivecyberriskmanagement.

Theshipowneradvisedtheproduceraboutthediscoveryandrequestedproceduresonhowtoerasetheworm.Theshipownerstatedthatbeforethediscovery,aservicetechnicianhadbeenaboardtheship.Itwasbelievedthattheinfectioncouldpotentiallyhavebeencausedbythetechnician.

ThewormspreadviaUSBdevicesintoarunningprocess,whichexecutesaprogramintothememory.Thisprogramwasdesignedtocommunicatewithitscommandandcontrolservertoreceiveitsnextsetofinstructions.Itcould

8 Lloyd’sRegister,QinetiqandUniversityofSouthampton,GlobalMarineTechnologyTrends2030.


evencreatefilesandfolders.

Thecompanyaskedcybersecurityprofessionalstoconductforensicanalysisandremediation.Itwasdeterminedthatallserversassociatedwiththeequipmentwereinfectedandthatthevirushadbeeninthesystemundiscoveredfor875days.Scanningtoolsremovedthevirus.Ananalysisprovedthattheserviceproviderwasindeedthesourceandthatthewormhadintroducedthemalwareintotheship’ssystemviaaUSBflashdriveduringasoftwareinstallation.

Analysisalsoprovedthatthiswormoperatedinthesystemmemoryandactivelycalledouttotheinternetfromtheserver.Sincethewormwasloadedintomemory,itcouldaffecttheperformanceoftheserverandsystemsconnectedtotheinternet.

Third-party access

Visitstoshipsbythirdpartiesrequiringaconnectiontooneormorecomputersonboardcanalsoresultinconnectingtheshiptoshore.Itiscommonfortechnicians,vendors,portofficials,marineterminalrepresentatives,agents,pilots,andothertechnicianstoboardtheshipandplugindevices,suchaslaptopsandtablets.Sometechniciansmayrequiretheuseofremovablemediatoupdatecomputers,downloaddataand/orperformothertasks.Ithasalsobeenknownforcustomsofficialsandportstatecontrolofficerstoboardashipandrequesttheuseofacomputerto“printofficialdocuments”afterhavinginsertedanunknownremovablemedia.

Sometimesthereisnocontrolastowhohasaccesstotheonboardsystems,egduringdrydocking,layupsorwhentakingoveraneworexistingship.Insuchcases,itisdifficulttoknowifmalicioussoftwarehasbeenleftintheonboardsystems.Itisrecommendedthatsensitivedataisremovedfromtheshipandreinstalledonreturningtotheship.Wherepossible,systemsshouldbescannedformalwarepriortouse.OTsystemsshouldbetestedtocheckthattheyarefunctioningcorrectly.

SomeITandOTsystemsareremotelyaccessibleandmayoperatewithacontinuousinternetconnectionforremotemonitoring,datacollection,maintenancefunctions,safetyandsecurity.Thesesystemscanbe“third-partysystems”,wherebythecontractormonitorsandmaintainsthesystemsfromaremoteaccess.Thesesystemscouldincludebothtwo-waydataflowandupload-only.Systemsandworkstationswithremotecontrol,accessorconfigurationfunctionscould,forexample,be:

� bridgeandengineroomcomputersandworkstationsontheship’sadministrativenetwork

� cargosuchascontainerswithreefertemperaturecontrolsystemsorspecialisedcargothataretracked remotely

� stability decision support systems

� hullstressmonitoringsystems

� navigationalsystemsincludingElectronicNavigationChart(ENC)VoyageDataRecorder(VDR),dynamicpositioning(DP)

� cargohandlingandstowage,engine,andcargomanagementandloadplanningsystems

� safetyandsecuritynetworks,suchasCCTV(closedcircuittelevision)

� specialisedsystemssuchasdrillingoperations,blowoutpreventers,subseainstallationsystems,EmergencyShutDown(ESD)forgastankers,submarinecableinstallationandrepair.

Theextentandnatureofconnectivityofequipmentshouldbeknownbytheshipowneroroperatorandconsideredasanimportantpartoftheriskassessment.


Impact assessment

Theconfidentiality,integrityandavailability(CIA)model9providesaframeworkforassessingtheimpactof:

� unauthorisedaccesstoanddisclosureofinformationordataabouttheship,crew,cargoandpassengers

� lossofintegrity,whichwouldmodifyordestroyinformationanddatarelatingtothesafeandefficientoperationandadministrationoftheship

� lossofavailabilityduetothedestructionoftheinformationanddataand/orthedisruptiontoservices/operationofshipsystems.

Therelativeimportanceofconfidentiality,integrityandavailabilitydependsontheuseoftheinformationordata.Forexample,assessingthevulnerabilityofITsystemsrelatedtocommercialoperationsmayfocusonconfidentialityandintegrityratherthanavailability.Conversely,assessingthevulnerabilityofOTsystemsonboardships,particularlysafetycriticalsystems,mayfocusonavailabilityand/orintegrityinsteadofconfidentiality.

Potentialimpactscouldbesafety-related,operational,environmental-related,financial,reputationalandcompliance-related.Severalassessmentmethodologiesoffercriteriaandtechniquesthatcanhelpdefinethemagnitudeoftheimpactfromacyberattack10.

Potential impact Definition In practiceLow Thelossofconfidentiality,integrity,oravailability

couldbeexpectedtohavealimitedadverseeffectoncompanyandship,organisationalassets,orindividuals

Alimitedadverseeffectmeansthatasecuritybreachmight:(i)causeadegradationinshipoperationtoanextentanddurationthattheorganisationisabletoperformitsprimaryfunctions,buttheeffectivenessofthefunctionsisnoticeablyreduced;(ii)resultinminordamagetoorganisationalassets;(iii)resultinminorfinancialloss;or(iv)resultinminorharmtoindividuals.

Moderate Thelossofconfidentiality,integrity,oravailabilitycouldbeexpectedtohaveasubstantialadverseeffectoncompanyandship,assetsorindividuals

Asubstantialadverseeffectmeansthatasecuritybreachmight:(i)causeasignificantdegradationinshipoperationtoanextentanddurationthattheorganisationisabletoperformitsprimaryfunctions,buttheeffectivenessofthefunctionsissignificantlyreduced;(ii)resultinsignificantdamagetoorganisationalassets;(iii)resultinsignificantfinancialloss;or(iv)resultinsignificantharmtoindividualsthatdoesnotinvolvelossoflifeorseriouslifethreateninginjuries.

High Thelossofconfidentiality,integrity,oravailabilitycouldbeexpectedtohaveasevereorcatastrophicadverseeffectoncompanyandshipoperations,assets,environmentorindividuals.

Asevereorcatastrophicadverseeffectmeansthatasecuritybreachmight:(i)causeaseveredegradationinorlossofshipoperationtoanextentanddurationthattheorganisationisnotabletoperformoneormoreofitsprimaryfunctions;(ii)resultinmajordamagetoenvironmentand/ororganisationalassets;(iii)resultinmajorfinancialloss;or(iv)resultinsevereorcatastrophicharmtoindividualsinvolvinglossoflifeorseriouslife-threateninginjuries.

Table 3: potential impact levels when using the CIA model

WhenitcomestoOTsystems,anextradimensionmustbeaddedtotheCIAmodel.

9 FederalInformationProcessingStandards,Publication199,ComputerSecurityDivisionInformationTechnologyLaboratory,NationalInstituteofStandardsandTechnology,Gaithersburg,MD20899-8900.

10Methodologiesinclude,andarenotlimitedto,ISO/IEC27005:2018Informationtechnology–Securitytechniques–Informationsecurityriskmanagement,COSOEnterpriseRiskManagementFramework,andISO31000:2018Riskmanagement–Guidelines.


AriskassessmentofOTsystemsneedstobebasedonaninventoryoverviewofequipmentand/orcomputer-basedsystemsandamapofthenetworks’connections.Further,accesspointsandcommunicationdevicesshouldbepartofthisoverview.AstheimpactofanonboardOTsystem’scyberincidentmayincludephysicaleffects,riskassessmentsshouldinclude:

� impactsonthesafetyofonboardpersonnel,theshipandcargo

� physicalimpactonanOTsystem,includingtheenvironmentsurroundingitonboard;theeffectontheprocessthatisbeingcontrolledandthephysicaleffectontheOTsystemitself

� theconsequencesforriskassessmentsofnon-digitalcontrolcomponentswithinanOTsystem.

TheimplementationofprotectionmeasuresbasedonriskassessmentsiswellestablishedonallshipsviatheISMcodeandtheship’sSMS.Safetyassessmentsareconcernedprimarilywiththephysicalworldbearinginmindthatthephysicalandthedigitalworldsarenowintertwined.Assessingthepotentialphysicaldamagefromacyberincidentshouldinclude:

1. howanincidentcouldmanipulatetheoperationofsensorsandactuatorstoimpactthephysicalenvironment

2. whatredundantcontrolsandmanualoverridingpossibilitiesexistintheOTsystemtopreventan incident

3. howaphysicalincidentcouldemerge.

4. howtoevaluatepotentialeffectstothephysicalprocessperformedbytheOTsystem.

Example

Ashipisequippedwithacomplexpowermanagementsystem.Itconsistsofswitchboardsandgeneratorscontrollingsystemsforautoloadsharing,powercontrolandautosynchronizing.Ontopofthepowermanagementsystem,asupervisorycontrolanddataacquisition(SCADA)systemprovidesoutputandmakesitpossibleforthecrewtocontrolthedistributionofonboardelectricpower.

Powermanagementisimportanttothesafetyofthecrew,ship,andcargo.Italsohasaclearenvironmentalandfinancialimpactaspowerisgeneratedbyuseoffueleitherbytheship’smainengine(shaftgenerator)and/orauxiliaryengines.Therefore,acyberincidentthatdisablesorcausesthepowermanagementsystemtomalfunctioncanplacetheoperationandsafetyoftheshipatrisk.Tolowertherisk,thecompanyshouldaddprotectionmeasuresthatminimizethepossibilityofsuchacyberincidenttakingplace.

TheSCADAsystemcontainsreal-timesensordata,whichisusedonboardforpowermanagement.Italsogeneratesdataaboutthepowerconsumption,whichisusedbytheshippingcompanyforadministrativepurposes.Todetermineifthepotentialimpactofdataandinformationisbeingbreached,theCIAmodelshouldbeused.Whendoingso,theshippingcompanyshoulddeterminethepotentialimpactofthemostsensitiveinformationstored,processedortransmittedbytheSCADAsystem.

UsingtheCIAmodel,theshippingcompanycanconcludethat:

� losingconfidentialityofthesensordataacquiredbytheSCADAsystemwillhavealowimpactasthesensorsarepubliclydisplayedonboard.However,fromasafetypointofview,itisimportantthattheinformationtransmittedbythesensorscanbereliedupon.Therefore,thereisapotentialhighimpactfromalossofintegrity.Itwillalsobeasafetyissueiftheinformationcannotberead.So,thereisapotentialhighimpactfromalossofavailability.

� alossofconfidentialityregardingthepowerconsumptioninformationbeingsenttotheshippingcompanyforstatisticalpurposesisassessedasapotentiallowimpact.Therewillalsobeapotentiallowimpactfromalossofintegrityandavailabilityasthedataisonlyusedforin-houseconsiderations.


Thefollowingtableshowstheresultoftheassessment.

SCADA system Confidentiality Integrity Availability Overall impact

Sensor data Low High High High

Statistical data Low Low Low Low

Table 4: result of CIA assessment of SCAdA system

Bring your own device (BYOD)

Itisrecognisedthatpersonnelmaybeallowedtobringtheirowndevices(BYOD)onboardtoaccesstheship’ssystemornetwork.Althoughthismaybebothbeneficialandeconomicalforships,itsignificantlyincreasesthelevelofvulnerabilitybecausethesedevicesmaybeunmanaged.PoliciesandproceduresshouldaddressthecontrolanduseofBYODs,aswellashowtoprotectvulnerabledata,byusingnetworksegregationforexample.

4.1 Risk assessment made by the company

Asmentionedabove,theriskassessmentprocessstartsbyassessingthesystemsonboard,inordertomaptheirrobustnesstohandlethecurrentlevelofcyberthreats.TheassessmentshouldassesstheITandOTsystemsonboard.Whenconductingtheassessment,thecompanyshouldconsidertheoutcomesoftheshipsecurityassessmentaswellasthefollowing:

1. identificationofexistingtechnicalandproceduralcontrolstoprotecttheonboardITandOTsystems

2. identificationofITandOTsystemsthatarevulnerableincludingthehumanfactor,andthepoliciesandproceduresgoverningtheuseofthesesystems.Theidentificationshouldincludesearchesforknownvulnerabilitiesrelevanttotheequipmentaswellasthecurrentlevelofpatchingandfirmwareupdates

3. identificationandevaluationofkeyshipboardoperationsthatarevulnerabletocyberattacks

4. identificationofpossiblecyberincidentsandtheirimpactonkeyshipboardoperations,andthelikelihoodoftheiroccurrencetoestablishandprioritiseprotectionmeasures.

Companiesmayconsultwiththeproducersandserviceprovidersofonboardequipmentandsystemstounderstandthetechnicalandproceduralcontrolsthatmayalreadybeinplacetoaddresscyberriskmanagement.Furthermore,anyidentifiedcybervulnerabilityinthefactorystandardconfigurationofacriticalsystemorcomponentshouldbedisclosedtofacilitatebetterprotectionoftheequipmentinthefuture.

4.2 Third-party risk assessments

Self-assessmentscanserveasagoodstartbutmaybecomplementedbythird-partyriskassessmentstodrilldeeperandidentifytherisksandthegapsthatmaynotbefoundduringtheself-assessment.PenetrationtestsofcriticalITandOTinfrastructurecanalsobeperformedtoidentifywhethertheactualdefencelevelmatchesthedesiredlevelsetforthinthecybersecuritystrategyforthecompany.SuchtestscanbeperformedbyexternalexpertssimulatingattacksusingbothIT-systems,social


engineeringand,ifdesired,evenphysicalpenetrationofafacility’ssecurityperimeter.Thesetestsarereferredtoasactivetestsbecausetheyinvolveaccessingandinsertingsoftwareintoasystem.ThismayonlybeappropriateforITsystems.WhererisktoOTsystemsduringpenetrationtestingisunacceptable,passivetestingapproachesshouldbeconsidered.Passivemethodsrelyonscanningdatatransmittedbyasystemtoidentifyvulnerabilities.Ingeneral,noattemptismadetoactivelyaccessorinsertsoftwareintothesystem.

4.3 Risk assessment process

Phase 1: Pre-assessment activities

Priortostartingacyberriskassessmentonboard11,thefollowingactivitiesshouldbeperformed:

� maptheship’skeyfunctionsandsystemsandtheirpotentialimpactlevels,forexampleusingtheCIAmodel,takingintoconsiderationtheoperationofOTsystems

� identifymainproducersofcriticalshipboardITandOTequipment

� reviewdetaileddocumentationofcriticalOTandITsystemsincludingtheirnetworkarchitecture,interfacesandinterconnections

� identifycybersecuritypoints-of-contactwitheachoftheproducersandestablishaworkingrelationshipwiththem

� reviewdetaileddocumentationontheship’smaintenanceandsupportoftheITandOTsystems

� establishcontractualrequirementsandobligationsthattheshipowner/shipoperatormayhaveformaintenanceandsupportofshipboardnetworksandequipment

� support,ifnecessary,theriskassessmentwithanexternalexperttodevelopdetailedplansandincludeproducersandserviceproviders.

Phase 2: Ship assessment

Thegoaloftheassessmentofaship’snetworkanditssystemsanddevicesistoidentifyanyvulnerabilitiesthatcouldcompromiseorresultineitherlossofconfidentiality,lossofintegrityorresultinalossofoperationoftheequipment,system,network,oreventheship.Thesevulnerabilitiesandweaknessescouldfallintooneofthefollowingcategories:

� technicalsuchassoftwaredefectsoroutdatedorunpatchedsystems

� designsuchasaccessmanagement,unmanagednetworkinterconnections

� implementationerrorsforexamplemisconfiguredfirewalls

� proceduralorotherusererrors.

Theactivitiesperformedduringanassessmentcouldincludereviewingtheconfigurationofallcomputers,servers,routers,andcybersecuritytechnologiesincludingfirewalls.ItcouldalsoincludereviewsofallavailablecybersecuritydocumentationandproceduresforconnectedITandOTsystemsanddevices.

11Basedonathird-partyriskassessmentmethoddescribedbyNCCGroup.


Anaspectofon-shipassessmentisinvolvementofcrewofalllevels;particularlythemaster,chiefengineerandfirstmate.ThisprocessassiststounderstandtheimplementationoftheITandOTsystemsonboard,andhowtheymayvaryfromstateddesigndocumentation,andalsotounderstandthelevelofcybertrainingdeliveredtotheship’screw.

Phase 3: Debrief and vulnerability review/reporting

Followingtheassessment,eachidentifiedvulnerabilityshouldbeevaluatedforitspotentialimpactandtheprobabilityofitsexploitation.Recommendedtechnicaland/orproceduralcorrectiveactionsshouldbeidentifiedforeachvulnerability.

Ideally,thecyberriskassessmentshouldinclude:

� executivesummary–ahigh-levelsummaryofresults,recommendationsandtheoverallsecurityprofileoftheassessedship

� technicalfindings–breakdownofdiscoveredvulnerabilities,theirprobabilityofexploitation,theresultingimpact,andappropriatetechnicalfixandmitigationadvice

� prioritisedlistofactions–theprioritiesallocatedshouldreflecttheeffectivenessofthemeasure,thecost,theapplicability,etc.Itisimportantthatthislistshouldbeacompletelistofoptionsavailableandnotrepresentalistofservicesandproductsthethird-partyriskassessor,ifapplicable,wouldliketosell.

� supplementarydata–asupplementcontainingthetechnicaldetailsofallkeyfindingsandcomprehensiveanalysisofcriticalflaws.Thissectionshouldalsoincludesampledatarecoveredduringthepenetrationtesting,ifany,ofcriticalorhigh-riskvulnerabilities

� appendices–recordsofactivitiesconductedbythecyberriskassessmentteamandthetoolsusedduringtheengagement.

Considerationshouldbegivenastowhetherpartsofthecyberriskassessmentshouldbetreatedasconfidential.

Whilstcyberriskmanagementpoliciesandproceduresshouldbeincludedinthecompanysafetymanagementsystem,theseshouldnotcontaininformation,whichifmadeavailableoutsidethecompanycouldbecomeavulnerability.

Phase 4: Producer debrief

Oncetheshipownerhashadanopportunitytoreview,discussandassessthefindings,asubsetofthefindingsmayneedtobesenttotheproducersoftheaffectedsystems.Anyfindings,whichareapprovedbytheshipownerfordisclosuretotheproducers,couldbefurtheranalysedwithsupportfromexternalexperts,whoshouldworkwiththeproducer’scybersecuritypointofcontacttoensurethatafullriskandtechnicalunderstandingoftheproblemisachieved.Thissupportingactivityisintendedtoensurethatanyremediationplandevelopedbytheproduceriscomprehensiveinnatureandidentifiesthecorrectsolutiontoeliminatethevulnerabilities.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 24develOp prOTeCTION ANd deTeCTION meASureS

Develop protection and detection measures5

Theoutcomeofthecompany’sriskassessmentandsubsequentcybersecuritystrategyshouldbeareductioninrisktobeaslowasreasonablypracticable.Atatechnicallevel,thiswouldincludethenecessaryactionstobeimplementedtoestablishandmaintainanagreedlevelofcybersecurity.

Itisimportanttoidentifyhowtomanagecybersecurityonboardandtodelegateresponsibilitiestothemaster,responsibleofficersandwhenappropriatethecompanysecurityofficer.

5.1 Defence in depth and in breadth

Itisimportanttoprotectcriticalsystemsanddatawithmultiplelayersofprotectionmeasures,whichtakeintoaccounttheroleofpersonnel,proceduresandtechnologyto:

� increasetheprobabilitythatacyberincidentisdetected

� increasetheeffortandresourcesrequiredtoprotectinformation,dataortheavailabilityofITandOTsystems.

ConnectedOTsystemsonboardshouldrequiremorethanonetechnicaland/orproceduralprotectionmeasure.Perimeterdefencessuchasfirewallsareimportantforpreventingunwelcomedentryintothesystems,butthismaynotbesufficienttocopewithinsiderthreats.

Thisdefenceindepthapproachencouragesacombinationof:

� physicalsecurityoftheshipinaccordancewiththeshipsecurityplan(SSP)

� protectionofnetworks,includingeffectivesegmentation

� intrusiondetection

� periodicvulnerabilityscanningandtesting

� softwarewhitelisting

� access and user controls

� appropriateproceduresregardingtheuseofremovablemediaandpasswordpolicies

� personnel’sawarenessoftheriskandfamiliaritywithappropriateprocedures.

Companypoliciesandproceduresshouldhelpensurethatcybersecurityisconsideredwithintheoverallapproachtosafetyandsecurityriskmanagement.Thecomplexityandpotentialpersistenceofcyberthreatsmeansthata“defenceindepth”approachshouldbeconsidered.Equipmentanddataprotectedbylayersofprotectionmeasuresaremoreresilienttocyberattacks.

Whendevelopingintegrationbetweensystems,atrustboundarymodelshouldbeconsidered,wherebysystemsaregroupedintothosebetweenwhichtrustisimplicit(forexampleuserworkstations),andthosebetweenwhichtrustshouldbeexplicit(betweenbridgecomputersandcorporatenetworks).Forlargeorcomplexnetworks,threatmodellingshouldbeconsideredasan


activitytounderstandwheretechnicalcontrolsshouldbeimplementedbetweensystemsinordertosupportadefenceinbreadthapproach.

However,onboardshipswherelevelsofintegrationbetweenITandOTsystemsmaybehigh,defenceindepthonlyworksiftechnicalandproceduralprotectionmeasuresareappliedinlayersacrossallvulnerableandintegratedsystems.Thisis“defenceinbreadth”anditisusedtopreventanyvulnerabilitiesinonesystembeingusedtocircumventprotectionmeasuresofanothersystem.

Cyberriskprotectionmeasuresmaybeeithertechnicalorproceduralinnature,withtechnicalcontrolsimplementedtoenforceproceduralcontrols;acombinationapproachusingappropriatemeasuresprovidesthemosteffectivelevelofprotection.

Defenceindepthanddefenceinbreadtharecomplementaryapproaches,which,whenimplementedtogether,providethefoundationofaholisticresponsetothemanagementofcyberrisks.

Cyberriskprotectionmeasuresmaybetechnicalandfocusedonensuringthatonboardsystemsaredesignedandconfiguredtoberesilienttocyberattacks.Protectionmeasuresmayalsobeproceduralandshouldbecoveredbycompanypolicies,safetymanagementprocedures,securityproceduresandaccess controls.

Considerationneedstobegiventoimplementingtechnicalcontrolsthatarepracticalandcosteffective,particularlyonexistingships.

Implementationofcybersecuritycontrolsshouldbeprioritised,focusingfirstonthosemeasures,orcombinationsofmeasures,whichofferthegreatestbenefit.

5.2 Technical protection measures

TheCentreforInternetSecurity(CIS)providesguidanceonmeasures12thatcanbeusedtoaddresscybersecurityvulnerabilities.TheprotectionmeasuresarealistofCriticalSecurityControls(CSC)thatareprioritisedandvettedtohelpensurethattheyprovideaneffectiveapproachforcompaniestoassessandimprovetheirdefences.TheCSCsincludebothtechnicalandproceduralaspects.

ThebelowmentionedexamplesofCSCshavebeenselectedasparticularlyrelevanttoequipmentanddataonboardships13. Limitation to and control of network ports, protocols and services

Accessliststonetworksystemscanbeusedtoimplementthecompany’ssecuritypolicy.Thishelpsensurethatonlyappropriatetrafficwillbeallowedviaacontrollednetworkorsubnet,basedonthecontrolpolicyofthatnetworkorsubnet.

Itisrecommendedthatroutersaresecuredagainstattacksandunusedportsshouldbeclosedtopreventunauthorisedaccesstosystemsordata.

Configuration of network devices such as firewalls, routers and switches

Itshouldbedeterminedwhichsystemsshouldbeattachedtocontrolledoruncontrolled14networks.Controllednetworksaredesignedtopreventanysecurityrisksfromconnecteddevicesbyuseof

12 CIS,CriticalSecurityControlsforEffectiveCyberSecurity,availableatwww.cisecurity.org/critical-controls.cfm.13 StephensonHarwood(2015),CyberRisk.14 InaccordancewithEC61162-460:2015:Maritimenavigationandradiocommunicationequipmentandsystems-Digitalinterfaces-Part460:Multipletalkersandmultiplelisteners-Ethernetinterconnection-Safetyandsecurity.


firewalls,securitygateways,routersandswitches.Uncontrollednetworksmayposerisksduetolackofdatatrafficcontrolandshouldbeisolatedfromcontrollednetworks,asdirectinternetconnectionmakesthemhighlypronetoinfiltrationbymalware.Forexample:

� networksthatarecriticaltotheoperationofashipitself,shouldbecontrolled.Itisimportantthatthesesystemshaveahighlevelofsecurity

� networksthatprovidesupplierswithremoteaccesstonavigationandotherOTsystems’softwareonboard,shouldalsobecontrolled.Thesenetworksmaybenecessarytoallowsupplierstouploadsystemupgradesorperformremoteservicing.Shoresideexternalaccesspointsofsuchconnectionsshouldbesecuredtopreventunauthorisedaccess

� cargostowage,loadplanningandmanagementsystemsshouldbecontrolled.So,shouldthosesystemsthatperformmandatoryshipreportingtopublicauthorities

� othernetworks,suchasguestaccessnetworks,maybeuncontrolled,forinstancethoserelatedtopassengerrecreationalactivitiesorprivateinternetaccessforcrew.Normally,anywirelessnetworkshouldbeconsidereduncontrolled.

Effectivesegregationofsystems,basedonnecessaryaccessandtrustlevels,isoneofthemostsuccessfulstrategiesforthepreventionofcyberincidents.Effectivelysegregatednetworkscansignificantlyimpedeanattacker’saccesstoaship’ssystemsandisoneofthemosteffectivetechniquesforpreventingthespreadofmalware.Onboardnetworksshouldbepartitionedbyfirewallstocreatesafezones.Thefewercommunicationslinksanddevicesinazone,themoresecurethesystemsanddataareinthatzone.Confidentialandsafetycriticalsystemsshouldbeinthemostprotectedzone.Seeannex3oftheseguidelinesformoreinformationonshipboardnetworksandalsorefertoISO/IEC62443. Physical security

Physicalsecurity15isacentralaspectofcyberriskmanagementandaneffectivedefenceindepthstrategyreliesonensuringthattechnicalcontrolscannotbecircumventedthroughtrivialtechnicalmeans.AreascontainingsensitiveOTorITcontrolcomponentsshouldbesecurelylocked,securityandsafetycriticalequipmentandcablerunsshouldbeprotectedfromunauthorisedaccess,andphysicalaccesstosensitiveuserequipment(suchasexposedUSBportsonbridgesystems)shouldbesecured.

Detection, blocking and alerts

Identifyingintrusionsandinfectionsisacentralpartofthecontrolprocedures.Abaselineofnetworkoperationsandexpecteddataflowsforusersandsystemsshouldbeestablishedandmanaged,sothatcyberincidentalertthresholdscanbeestablished.Keytothiswillbethedefinitionofrolesandresponsibilitiesfordetectiontohelpensureaccountability.Additionally,acompanymaychoosetoincorporateanIntrusionDetectionSystem(IDS)oranIntrusionPreventionSystem(IPS)intothenetworkoraspartofthefirewall.Someoftheirmainfunctionsincludeidentifyingthreats/maliciousactivityandcode,andthenlogging,reportingandattemptingtoblocktheactivity.FurtherdetailsconcerningIDSandIPScanbefoundinannex3oftheseguidelines.Ithelpstoensurethatdedicatedonboardpersonnelcanunderstandthealertsandtheirimplications.Incidentsdetectedshouldbedirectedtoanindividualorserviceprovider,whoisresponsibleforactingonthistypeofalert.

15 SeealsotheISPSCode.


Satellite and radio communication

Cybersecurityoftheradioandsatelliteconnectionshouldbeconsideredincollaborationwiththeserviceprovider.Inthisconnection,thespecificationofthesatellitelinkshouldbeconsideredwhenestablishingtherequirementsforonboardnetworkprotection.

Whenestablishinganuplinkconnectionforaship’snavigationandcontrolsystemstoshore-basedserviceproviders,considerationshouldbegivenonhowtopreventillegitimateconnectionsgainingaccesstotheonboardsystems.

Theaccessinterconnectisthedistributionpartner’sresponsibility.Thefinalroutingofusertrafficfromtheinternetaccesspointtoitsultimatedestinationonboard(“lastmile”)istheresponsibilityoftheshipowner.Usertrafficisroutedthroughthecommunicationequipmentforonwardtransmissiononboard.Attheaccesspointforthistraffic,itisnecessarytoprovidedatasecurity,firewallingandadedicated“last-mile”connection.

WhenusingaVirtualPrivateNetwork(VPN),thedatatrafficshouldbeencryptedtoanacceptableinternationalstandard.Furthermore,afirewallinfrontoftheserversandcomputersconnectedtothenetworks(ashoreoronboard)shouldbedeployed.Thedistributionpartnershouldadviseontheroutingandtypeofconnectionmostsuitedforspecifictraffic.Onshorefiltering(inspection/blocking)oftrafficisalsoamatterbetweenashipownerandthedistributionpartner.Bothonshorefilteringoftrafficandfirewalls/securityinspection/blockinggatewaysontheshipareneededandsupplementeachothertoachieveasufficientlevelofprotection.

Producersofsatellitecommunicationterminalsandothercommunicationequipmentmayprovidemanagementinterfaceswithsecuritycontrolsoftwarethatareaccessibleoverthenetwork.Thisisprimarilyprovidedintheformofweb-baseduserinterfaces.Protectionofsuchinterfacesshouldbeconsideredwhenassessingthesecurityofaship’sinstallation.

Wireless access control

Wirelessaccesstonetworksontheshipshouldbelimitedtoappropriateauthoriseddevicesandsecuredusingastrongencryptionkey,whichischangedregularly.Thefollowingcanbeconsideredforcontrollingwirelessaccess:

� theuseofenterpriseauthenticationsystemsusingasymmetricencryptionandisolatingnetworkswithappropriatewirelessdedicatedaccesspoints(e.g.guestnetworksisolatedfromadministrativenetworks)

� theadoptionofsystems,suchaswirelessIPS,thatcaninterceptnon-authorizedwirelessaccesspointsorroguedevices

� theprotectionofthephysicalinterconnectionbetweenwirelessaccessdevicesandthenetwork,suchasnetworkplugs,networkracks,etc.)toavoidunauthorizedaccessbyroguedevices.

Malware detection

Scanningsoftwarethatcanautomaticallydetectandaddressthepresenceofmalwareinsystemsonboardshouldberegularlyupdated.

Asageneralguideline,onboardcomputersshouldbeprotectedtothesamelevelasofficecomputersashore.Anti-virusandanti-malwaresoftwareshouldbeinstalled,maintainedandupdatedonall


personalwork-relatedcomputersonboard.Thiswillreducetheriskofthesecomputersactingasattackvectorstowardsserversandothercomputersontheship’snetwork.Howregularlythescanningsoftwarewillbeupdatedmustbetakenintoconsiderationwhendecidingwhethertorelyonthesedefencemethods.

Secure configuration for hardware and software

Onlyseniorofficersshouldbegivenadministratorprofiles,sothattheycancontrolthesetupanddisablingofnormaluserprofiles.Userprofilesshouldberestrictedtoonlyallowthecomputers,workstationsorserverstobeusedforthepurposes,forwhichtheyarerequired.Userprofilesshouldnotallowtheusertoalterthesystemsorinstallandexecutenewprograms. Email and web browser protection

Emailcommunicationbetweenshipandshoreisavitalpartofaship’soperation.Appropriateemailandwebbrowserprotectionservesto:

� protectshoresideandonboardpersonnelfrompotentialsocialengineering

� preventemailbeingusedasamethodofobtainingsensitiveinformation

� ensurethattheexchangeofsensitiveinformationviaemailorbyvoiceisappropriatelyprotectedtoensureconfidentialityandintegrityofdata,egencryptionprotection

� preventwebbrowsersandemailclientsfromexecutingmaliciousscripts.

Somebestpracticesforsafeemailtransferare:emailasziporencryptedfilewhennecessary,disablehyperlinksonemailsystem,avoidusinggenericemailaddressesandensurethesystemhasconfigureduseraccounts.

Data recovery capability

Datarecoverycapabilityistheabilitytorestoreasystemand/ordatafromasecurecopyorimage,therebyallowingtherestorationofacleansystem.Essentialinformationandsoftware-adequatebackupfacilitiesshouldbeavailabletohelpensurerecoveryfollowingacyberincident.

Retentionperiodsandrestorescenariosshouldbeestablishedtoprioritisewhichcriticalsystemsneedquickrestorecapabilitiestoreducetheimpact.Systemsthathavehighdataavailabilityrequirementsshouldbemaderesilient.OTsystems,whicharevitaltothesafenavigationandoperationoftheship,shouldhavebackupsystemstoenabletheshiptoquicklyandsafelyregainnavigationalandoperationalcapabilitiesafteracyberincident.Moredetailsonrecoverycanbefoundinchapter7oftheseguidelines.

Application software security (patch management)

Safetyandsecurityupdatesshouldbeprovidedtoonboardsystems.Ordinarysecuritypatchesshouldbeincludedintheperiodicmaintenancecycle.CriticalpatchesshouldbeevaluatedintermsofoperationalimpactontheOTsystems.Theseupdatesorpatchesshouldbeappliedcorrectlyandinatimelymannertoensurethatanyflawsinasystemareaddressedbeforetheyareexploitedbyacyberattack.Ifacriticalpatchcannotbeinstalled,alternativemeasuresshouldbeevaluatedtohelpimplementvirtualpatchingtechniques.


5.3 Procedural protection measures

Proceduralcontrolsarefocusedonhowpersonnelusetheonboardsystems.Plansandproceduresthatcontainsensitiveinformationshouldbekeptconfidentialandhandledaccordingtocompanypolicies.Examplesforproceduralactionscanbe: Training and awareness

Trainingandawarenessarethekeysupportingelementstoaneffectiveapproachtocyberriskmanagementasdescribedintheseguidelinesandsummarisedinfigure1.

Theinternalcyberthreatshouldbetakenintoaccount.PersonnelhaveakeyroleinprotectingITandOTsystemsbutcanalsobecareless,forexamplebyusingremovablemediatotransferdatabetweensystemswithouttakingprecautionsagainstthetransferofmalware.Trainingandawarenessshouldbetailoredtotheappropriatelevelsfor:

� onboardpersonnelincludingthemaster,officersandcrew

� shoresidepersonnel,whosupportthemanagement,loadingandoperationoftheship.

Theseguidelinesassumethatothermajorstakeholdersinthesupplychain,suchascharterers,classificationsocietiesandserviceproviders,willcarryouttheirownbest-practicecybersecurityprotectionandtraining.Itisadvisableforownersandoperatorstoascertainthestatusofcybersecuritypreparednessoftheirthird-partyproviders,includingmarineterminalsandstevedores,aspartoftheirsourcingproceduresforsuchservices.

Anawarenessprogrammeshouldbeinplaceforallonboardpersonnel,coveringatleastthefollowing:

� risksrelatedtoemailsandhowtobehaveinasafemanner.Examplesarephishingattackswheretheuserclicksonalinktoamalicioussite

� risksrelatedtointernetusage,includingsocialmedia,chatforumsandcloud-basedfilestoragewheredatamovementislesscontrolledandmonitored

� risksrelatedtotheuseofowndevices.Thesedevicesmaybemissingsecuritypatchesandcontrols,suchasanti-virus,andmaytransfertherisktotheenvironment,towhichtheyareconnected

� risksrelatedtoinstallingandmaintainingsoftwareoncompanyhardwareusinginfectedhardware(removablemedia)orsoftware(infectedpackage)

� risksrelatedtopoorsoftwareanddatasecuritypractices,wherenoanti-viruschecksorauthenticityverificationsareperformed

� safeguardinguserinformation,passwordsanddigitalcertificates

� cyberrisksinrelationtothephysicalpresenceofnon-companypersonnel,eg,wherethird-partytechniciansarelefttoworkonequipmentwithoutsupervision

� detectingsuspiciousactivityordevicesandhowtoreportapossiblecyberincident.Examplesofthisarestrangeconnectionsthatarenotnormallyseenorsomeoneplugginginanunknowndeviceontheshipnetwork


� awarenessoftheconsequencesorimpactofcyberincidentstothesafetyandoperationsoftheship

� understandinghowtoimplementpreventativemaintenanceroutinessuchasanti-virusandanti-malware,patching,backups,andincident-responseplanningandtesting

� proceduresforprotectionagainstrisksfromserviceproviders’removablemediabeforeconnectingtotheship’ssystems.

Inaddition,personnelneedtobemadeawarethatthepresenceofanti-malwaresoftwaredoesnotremovetherequirementforrobustsecurityprocedures,forexamplecontrollingtheuseofallremovablemedia.

Further,applicablepersonnelshouldknowthesignswhenacomputerhasbeencompromised.Thismayincludethefollowing:

� anunresponsiveorslowtorespondsystem

� unexpectedpasswordchangesorauthorisedusersbeinglockedoutofasystem

� unexpectederrorsinprograms,includingfailuretoruncorrectlyorprogramsrunningunexpectedly

� unexpectedorsuddenchangesinavailablediskspaceormemory

� emails being returned unexpectedly

� unexpectednetworkconnectivitydifficulties

� frequentsystemcrashes

� abnormalharddriveorprocessoractivity

� unexpectedchangestobrowser,softwareorusersettings,includingpermissions.

And,nominatedpersonnelshouldbeabletounderstandreportsfromIDSsystems,ifused.Thislistisnotcomprehensiveandisintendedtoraiseawarenessofpotentialsigns,whichshouldbetreatedaspossible cyber incidents.

Access for visitors

Visitorssuchasauthorities,technicians,agents,portandterminalofficials,andownerrepresentativesshouldberestrictedwithregardtocomputeraccesswhilstonboard.UnauthorisedaccesstosensitiveOTnetworkcomputersshouldbeprohibited.Ifaccesstoanetworkbyavisitorisrequiredandallowed,thenitshouldberestrictedintermsofuserprivileges.Accesstocertainnetworksformaintenancereasonsshouldbeapprovedandco-ordinatedfollowingappropriateproceduresasoutlinedbythecompany/shipoperator. Ifavisitorrequirescomputerandprinteraccess,anindependentcomputer,whichisair-gappedfromallcontrollednetworks,shouldbeused.Toavoidunauthorisedaccess,removablemediablockersshouldbeusedonallotherphysicallyaccessiblecomputersandnetworkports.


Upgrades and software maintenance

Hardwareorsoftwarethatisnolongersupportedbyitsproducerorsoftwaredeveloperwillnotreceiveupdatestoaddresspotentialvulnerabilities.Forthisreason,theuseofhardwareandsoftware,whichisnolongersupported,shouldbecarefullyevaluatedbythecompanyaspartofthecyber risk assessment.

Relevanthardwareandsoftwareinstallationsonboardshouldbeupdatedtohelpmaintainasufficientlevelofsecurity.Proceduresfortimelyupdatingofsoftwaremayneedtobeputinplacetakingintoaccounttheshiptype,speedofinternetconnectivity,seatime,etc.Softwareincludescomputeroperatingsystems,whichshouldalsobekeptuptodate.

Additionally,anumberofrouters,switchesandfirewalls,andvariousOTdeviceswillberunningtheirownfirmware,whichmayrequireregularupdatesandsoshouldbeaddressedintheproceduralrequirements.

Effectivemaintenanceofsoftwaredependsontheidentification,planningandexecutionofmeasuresnecessarytosupportmaintenanceactivitiesthroughoutthefullsoftwarelifecycle.Anindustrystandard16tohelpensuresafeandsecuresoftwaremaintenancehasbeendeveloped.Itspecifiesrequirementsforallstakeholdersinvolvedinsoftwaremaintenanceofshipboardequipmentandassociatedintegratedsystems.Thestandardcoversonboard,onshoreandremotesoftwaremaintenance.

Anti-virus and anti-malware tool updates

Inorderforscanningsoftwaretoolstodetectanddealwithmalware,theyneedtobeupdated.Proceduralrequirementsshouldbeestablishedtoensureupdatesaredistributedtoshipsonatimelybasisandthatallrelevantcomputersonboardareupdated. Remote access

PolicyandproceduresshouldbeestablishedforcontroloverremoteaccesstoonboardITandOTsystems.Clearguidelinesshouldestablishwhohaspermissiontoaccess,whentheycanaccess,andwhattheycanaccess.Anyproceduresforremoteaccessshouldincludecloseco-ordinationwiththeship’smasterandotherkeyseniorshippersonnel.

AllremoteaccessoccurrencesshouldberecordedforreviewincaseofadisruptiontoanITorOTsystem.Systems,whichrequireremoteaccess,shouldbeclearlydefined,monitoredandreviewedperiodically.

16 See:IndustrystandardonsoftwaremaintenanceofshipboardequipmentbyBIMCOandCIRM(ComitéInternationalRadio-Maritime).

Incident: Bunker surveyor’s access to a ship’s administrative network

Adrybulkshipinporthadjustcompletedbunkeringoperations.Thebunkersurveyorboardedtheshipandrequestedpermissiontoaccessacomputerintheenginecontrolroomtoprintdocumentsforsignature.ThesurveyorinsertedaUSBdriveintothecomputerandunwittinglyintroducedmalwareontotheship’sadministrativenetwork.Themalwarewentundetecteduntilacyberassessmentwasconductedontheshiplater,andafterthecrewhadreporteda“computerissue”affectingthebusinessnetworks.

ThisemphasisestheneedforprocedurestopreventorrestricttheuseofUSBdevicesonboard,includingthosebelongingtovisitors.


Use of administrator privileges

Accesstoinformationshouldonlybeallowedtorelevantauthorisedpersonnel.

Administratorprivilegesallowfullaccesstosystemconfigurationsettingsandalldata.Usersloggingontosystemswithadministratorprivilegesmayenableexistingvulnerabilitiestobemoreeasilyexploited.Administratorprivilegesshouldonlybegiventoappropriatelytrainedpersonnel,whoaspartoftheirroleinthecompanyoronboard,needtologontosystemsusingtheseprivileges.Inanycase,useofadministratorprivilegesshouldalwaysbelimitedtofunctionsrequiringsuchaccess.

Userprivilegesshouldberemovedwhenthepeopleconcernedarenolongeronboard.Useraccountsshouldnotbepassedonfromoneusertothenextusinggenericusernames.Similarrulesshouldbeappliedtoanyonshorepersonnel,whohaveremoteaccesstosystemsonships,whentheychangerole and no longer need access.

Inabusinessenvironment,suchasshipping,accesstoonboardsystemsisgrantedtovariousstakeholders.Suppliersandcontractorsareariskbecausetheyoftenhavebothintimateknowledgeofaship’soperationsandfullaccesstosystems.

Toprotectaccesstoconfidentialdataandsafetycriticalsystems,arobustpasswordpolicyshouldbedeveloped17.Passwordsshouldbestrongandchangedperiodically.Thecompanypolicyshouldaddressthefactthatover-complicatedpasswords,whichmustbechangedtoofrequently,areatriskofbeingwrittenonapieceofpaperandkeptnearthecomputer.

Physical and removable media controls

Whentransferringdatafromuncontrolledsystemstocontrolledsystems,thereisariskofintroducingmalware.Removablemediacanbeusedtobypasslayersofdefencesandattacksystemsthatareotherwisenotconnectedtotheinternet.Aclearpolicyfortheuseofsuchmediadevicesisimportant;itmusthelpensurethatmediadevicesarenotnormallyusedtotransferinformationbetweenun-controlled and controlled systems.

Thereare,however,situationswhereitisunavoidabletousethesemediadevices,forexampleduringsoftwaremaintenance.Insuchcases,thereshouldbeaprocedureinplacetocheckremovablemediaformalwareand/orvalidatelegitimatesoftwarebydigitalsignaturesandwatermarks.

Policiesandproceduresrelatingtotheuseofremovablemediashouldincludearequirementtoscananyremovablemediadeviceinacomputerthatisnotconnectedtotheship’scontrollednetworks.Ifitisnotpossibletoscantheremovablemediaonboard,egthelaptopofamaintenancetechnician,

Incident: Main application server infected by ransomware

AransomwareinfectiononthemainapplicationserveroftheshipcausedcompletedisruptionoftheITinfrastructure.Theransomwareencryptedeverycriticalfileontheserverandasaresult,sensitivedatawerelost,andapplicationsneededforship’sadministrativeoperationswereunusable.Theincidentwasreoccurringevenaftercompleterestorationoftheapplicationserver.

Therootcauseoftheinfectionwaspoorpasswordpolicythatallowedattackerstobruteforceremotemanagementservicessuccessfully.Thecompany’sITdepartmentdeactivatedtheundocumenteduserandenforcedastrongpasswordpolicyontheship’ssystemstoremediatetheincident.

16 MoreinformationcanbefoundinNISTpublicationSP800-63-3DigitalIdentityGuidelines.


thenthescancouldbedonepriortoboarding.Companiesshouldconsidernotifyingportsandterminalsabouttherequirementtoscanremovablemediapriortopermittingtheuploadingoffilesontoaship’ssystem.Thisscanningshouldbecarriedoutwhentransferringthefollowingfiletypes:

� cargofilesandloadingplansegcontainershipBAPLIEfiles

� national,customs,andportauthorityforms

� bunkeringandlubricationoilforms

� ship’sstoresandprovisionslists

� engineeringmaintenancefiles.

Thislistrepresentsexamplesandshouldnotbeseenasexhaustive.Whereverpossible,thefilesandformsshouldbetransferredelectronicallyorbedownloadeddirectlyfromatrustedsourcewithoutusingremovablemedia.

Equipment disposal, including data destruction

Obsoleteequipmentcancontaindatawhichiscommerciallysensitiveorconfidential.Priortodisposaloftheequipment,thecompanyshouldhaveaprocedureinplacetoensurethatthedataheldinobsoleteequipmentisproperlydestroyedandcannotberetrieved. Obtaining support from ashore and contingency plans

Shipsshouldhaveaccesstotechnicalsupportintheeventofacyberattack.Detailsofthissupportandassociatedproceduresshouldbeavailableonboard.Pleaserefertochapter6oftheseguidelinesformoreinformationoncontingencyplanning.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 34eSTAblISh CONTINGeNCy plANS

Establish contingency plans6

Whendevelopingcontingencyplansforimplementationonboardships,itisimportanttounderstandthesignificanceofanycyberincidentandprioritiseresponseactionsaccordingly.

Anycyberincidentshouldbeassessedinaccordancewithchapter4toestimatetheimpactonoperations,assetsetc.Inmostcases,andwiththeexceptionofloadplanningandmanagementsystems,alossofITsystemsonboard,includingadatabreachofconfidentialinformation,willbeabusinesscontinuityissueandshouldnothaveanyimpactonthesafeoperationoftheship.IntheeventofacyberincidentaffectingITsystemsonly,theprioritymaybetheimmediateimplementationofaninvestigationandrecoveryplan.

ThelossofOTsystemsmayhaveasignificantandimmediateimpactonthesafeoperationoftheship.ShouldacyberincidentresultinthelossormalfunctioningofOTsystems,itwillbeessentialthateffectiveactionsaretakentohelpensuretheimmediatesafetyofthecrew,ship,cargoandprotectionofthemarineenvironment.Ingeneral,appropriatecontingencyplansforcyberincidents,includingthelossofcriticalsystemsandtheneedtousealternativemodesofoperation,shouldbeaddressedbytherelevantoperationalandemergencyproceduresincludedinthesafetymanagementsystem.

Someoftheexistingproceduresintheship’ssafetymanagementsystemwillalreadycoversuchcyberincidents.However,cyberincidentsmayresultinmultiplefailurescausingmoresystemstoshutdownatthesametime.Thecontingencyplanningshouldtakesuchincidentsintoconsideration.

Disconnecting OT from shore network connection

ConnectionsbetweenshoreandOTsystemscanberelevantinawiderangeofapplicationslikeperformancemonitoring,predictivemaintenance,andremotesupportjusttomentionafew.Commonforthesesystemsarethattheyarenotstrictlynecessaryforoperatingtheshipsafely.However,theyrepresentapotentialattackvectortothesystemsthatareneededfortheship’ssafeoperation.Therefore,itisrelevanttoassesswhentheseconnectionsareallowedandunderwhatcircumstances.PlansshouldbeestablishedspecifyingwhensuchOTsystemsshouldbetemporarilyseparatedfromtheshorenetworkconnectiontoprotecttheship’ssafeoperation.Disconnectingwillhelppreventtheattackerfrombeingabletomanipulatesafetycriticalsystemsortakedirectcontrolofthesystem.Disconnectingcouldalsotakeplacetoavoidmalwarespreadingbetweennetworksegments.

Toeffectivelyshutdownshoreconnections,itisimportanttohavethenetworkandconnectivityservicesdesignedinsuchawaythatthenetworkscanbephysicallysegregatedquicklybyremovingasinglenetworkcable(egmarkedinanoddcolor)orpoweringoffthefirewall.

Safety management system

Thesafetymanagementsystemwillalreadyincludeproceduresforreportingaccidentsorhazardoussituationsanddefinelevelsofcommunicationandauthorityfordecisionmaking.Whereappropriate,suchproceduresshouldbeamendedtoreflectcommunicationandauthorityintheeventofacyberincident.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 35eSTAblISh CONTINGeNCy plANS

Thefollowingisanon-exhaustivelistofcyberincidents,whichshouldbeaddressedincontingencyplansonboard:

� lossofavailabilityofelectronicnavigationalequipmentorlossofintegrityofnavigationrelateddata

� lossofavailabilityorintegrityofexternaldatasources,includingbutnotlimitedtoGNSS

� lossofessentialconnectivitywiththeshore,includingbutnotlimitedtotheavailabilityofGlobalMaritimeDistressandSafetySystem(GMDSS)communications

� lossofavailabilityofindustrialcontrolsystems,includingpropulsion,auxiliarysystemsandothercriticalsystems,aswellaslossofintegrityofdatamanagementandcontrol

� theeventofaransomwareordenialorserviceincident.

Furthermore,itisimportanttohelpensurethatalossofequipmentorreliableinformationduetoacyberincidentdoesnotmakeexistingemergencyplansandproceduresineffective.Contingencyplansandrelatedinformationshouldbeavailableinanon-electronicformassometypesofcyberincidentscanincludethedeletionofdataandshutdownofcommunicationlinks.

Theremaybeoccasionswhenrespondingtoacyberincidentmaybebeyondthecompetenciesonboardoratheadofficeduetothecomplexityorseverityofsuchincidents.Inthesecases,externalexpertassistancemayberequired(forexample,posteventforensicanalysisandclean-up).

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 36reSpONd TO ANd reCOver frOm Cyber SeCurITy INCIdeNTS

Respond to and recover from cyber security incidents7

Itisimportanttounderstandthatcyberincidentsmaynotdisappearbythemselves.Ifforexample,theECDIShasbeeninfectedwithmalware,startinguptheback-upECDISmaycauseanothercyberincident.Itis,therefore,recommendedtoplanhowtocarryoutthecleaningandrestoringofinfectedsystems.

Knowledgeaboutpreviousidentifiedcyberincidentsshouldbeusedtoimprovetheresponseplansofallshipsinthecompany’sfleetandaninformationstrategyforsuchincidentsmaybeconsidered.

7.1 Effective response

Ateam,whichmayincludeacombinationofonboardandshore-basedpersonneland/orexternalexperts,shouldbeestablishedtotaketheappropriateactiontorestoretheITand/orOTsystemssothattheshipcanresumenormaloperations.Theteamshouldbecapableofperformingallaspectsoftheresponse.

Aneffectiveresponseshouldatleastconsistofthefollowingsteps:

1. Initialassessment.Tohelpensureanappropriateresponse,theresponseteamshouldfindout:

• howtheincidentoccurred

• whichITand/orOTsystemswereaffectedandhow

• theextenttowhichthecommercialand/oroperationaldataisaffected

• towhatextentanythreattoITandOTremains.

2. Recoversystemsanddata.Followinganinitialassessmentofthecyberincident,ITandOTsystemsanddatashouldbecleaned,recoveredandrestored,sofarasispossible,toanoperationalconditionbyremovingthreatsfromthesystemandrestoringsoftware.Thecontentofarecoveryplaniscoveredinsection7.2.

3. Investigatetheincident.Tounderstandthecausesandconsequencesofacyberincident,aninvestigationshouldbeundertakenbythecompany,withsupportfromanexternalexpert,ifappropriate.Theinformationfromaninvestigationwillplayasignificantroleinpreventingapotentialrecurrence.Investigationsintocyberincidentsarecoveredinsection7.3.

4. Preventare-occurrence.Consideringtheoutcomeoftheinvestigationmentionedabove,actionstoaddressanyinadequaciesintechnicaland/orproceduralprotectionmeasuresshouldbeconsidered,inaccordancewiththecompanyproceduresforimplementationofcorrectiveaction.


Whenacyberincidentiscomplex,forexampleifITand/orOTsystemscannotbereturnedtonormaloperation,itmaybenecessarytoinitiatetherecoveryplanalongsideonboardcontingencyplans.Whenthisisthecase,theresponseteamshouldbeabletoprovideadvicetotheshipon:

� whetherITorOTsystemsshouldbeshutdownorkeptrunningtoprotectdata

� whethercertainshipcommunicationlinkswiththeshoreshouldbeshutdown

� theappropriateuseofanyadvancedtoolsprovidedinpre-installedsecuritysoftware

� theextenttowhichtheincidenthascompromisedITorOTsystemsbeyondthecapabilitiesofexistingrecoveryplans.

Itisimportantforrelevantpersonneltoexecuteregularcybersecurityexercisesinordertohelpkeeptheresponsecapabilityeffective.Cybersecurityexercisescould,whereappropriate,beinspiredbyreal-lifeeventsandcanbesimulationsoflarge-scaleincidentsthatescalatetobecomecybercrises.Thisoffersanopportunitytoanalyseadvancedtechnicalcybersecurityincidents,butalsotohelpaddressbusinesscontinuityandcrisismanagement.

7.2 Recovery plan

Recoveryplansshouldbeavailableinhardcopyonboardandashore.ThepurposeoftheplanistosupporttherecoveryofsystemsanddatanecessarytorestoreITandOTtoanoperationalstate.Tohelpensurethesafetyofonboardpersonnel,theoperationandnavigationoftheshipshouldbeprioritisedintheplan.Therecoveryplanshouldbeunderstoodbypersonnelresponsibleforcybersecurity.ThedetailandcomplexityofarecoveryplanwilldependonthetypeofshipandtheIT,OTandothersystemsinstalledonboard.

Theincidentresponseteamshouldconsidercarefullytheimplicationsofrecoveryactions(suchaswipingofdrives),whichmayresultinthedestructionofevidencethatcouldprovidevaluableinformationastothecausesofanincident.Wherepossible,professionalcyberincidentresponsesupportshouldbeobtainedinordertoassistinpreservationofevidencewhilstrestoringoperationalcapability.

Asexplainedinsection5.1,adatarecoverycapabilityisavaluabletechnicalprotectionmeasure.DatarecoverycapabilitiesarenormallyintheformofsoftwarebackupforITdata.Theavailabilityofasoftwarebackup,eitheronboardorashore,shouldenablerecoveryofITtoanoperationalconditionfollowingacyberincident.

RecoveryofOTmaybemorecomplexespeciallyiftherearenobackupsystemsavailableandmayrequireassistancefromashore.Detailsofwherethisassistanceisavailableandbywhom,shouldbepartoftherecoveryplan,forexamplebyproceedingtoaporttoobtainassistancefromaserviceengineer.

Ifqualifiedpersonnelareavailableonboard,moreextensivediagnosticandrecoveryactionsmaybeperformed.Otherwise,therecoveryplanwillbelimitedtoobtainingquickaccesstotechnicalsupport.


7.3 Investigating cyber incidents

Investigatingacyberincidentcanprovidevaluableinformationaboutthewayinwhichavulnerabilitywasexploited.Companiesshould,whereverpossible,investigatecyberincidentsaffectingITandOTonboardinaccordancewithcompanyprocedures.Adetailedinvestigationmayrequireexternalexpert support.

Theinformationfromaninvestigationcanbeusedtoimprovethetechnicalandproceduralprotectionmeasuresonboardandashore.Itmayalsohelpthewidermaritimeindustrywithabetterunderstandingofmaritimecyberrisks.Anyinvestigationshouldresultin18:

� abetterunderstandingofthepotentialcyberrisksfacingthemaritimeindustrybothonboardandashore

� identificationoflessonslearned,includingimprovementsintrainingtoincreaseawareness

� updatestotechnicalandproceduralprotectionmeasurestopreventarecurrence.

7.4 Losses arising from a cyber incident

Forinsurers,theterm“cyber”includesmanydifferentaspectsanditisimportanttodistinguishbetweenthemandtheireffectsoninsurancecover.Someinsurersbelievethatthereisnosystemicrisktoshipsarisingfromacyberincidentandtheimpactofanincidentwillmostlikelybeconfinedtoasingleship.

Companieswillbeawarethatspecificnon-marineinsurancecovermaybeavailabletocoverdatalossandanyresultingfinesandpenalties.

Companiesshouldbeabletodemonstratethattheyareactingwithreasonablecareintheirapproachtomanagingcyberriskandtoprotectingtheshipfromanydamagethatmayarisefromacyberincident.

Cover for property damage

Generally,inmanymarketsofferingmarinepropertyinsurance,thepolicymaycoverlossordamagetotheshipanditsequipmentcausedbyashippingincidentsuchasgrounding,collision,fireorflood,evenwhentheunderlyingcauseoftheincidentisacyberincident.Itmaybenotedthatcurrentlyinsomemarkets,exclusionclausesforcyberattacksexist.Ifthemarinepolicycontainsanexclusionclauseforcyberattacks,thelossordamagemaynotbecovered.

Companiesarerecommendedtocheckwiththeirinsurers/brokersinadvancewhethertheirpolicycoversclaimscausedbycyberincidentsand/orbycyberattacks.

Guidelinesforthemarkethavebeenpublished,inwhichmarineinsurersarerecommendedtoaskquestionsaboutacompany’scyberriskawarenessandnon-technicalprocedures.Companiesshould,therefore,expectarequestfornon-technicalinformationregardingtheirapproachtocyberriskmanagement from insurers.

Thelimiteddataonthefrequency,severityoflossorprobabilityofphysicaldamageresultingfromcyberincidents,representsachallengeandmeansthatstandardpricingisnotavailable.

18 BasedonCREST,CyberSecurityIncidentResponseGuide,Version1.


Cover for liability

ItisrecommendedtocontacttheP&IClubfordetailedinformationaboutcoverprovidedtoshipownersandcharterersinrespectofliabilitytothirdparties(andrelatedexpenses)arisingfromtheoperationofships.

Anincidentcaused,forexamplebymalfunctionofaship’snavigationormechanicalsystemsbecauseofacriminalactoraccidentalcyberattack,doesnotinitselfgiverisetoanyexclusionofnormalP&Icover.Intheeventofaclaiminvolvingacyberincident,claimantsmaywellseektoarguethattheclaimaroseasaresultofaninadequatelevelofcyberpreparedness.This,therefore,furtherstressestheimportanceofcompaniesbeingabletodemonstratethattheyareactingwithreasonablecareintheirapproachtomanagingcyberriskandtoprotectingtheship.

Itshouldbenotedthatmanylosses,whichcouldarisefromacyberincident,arenotinthenatureofthird-partyliabilitiesarisingfromtheoperationoftheshipandarethereforenotcoveredbyP&Iinsurance.Forexample,financiallosscausedbyransomware,orcostsofrebuildingscrambleddatawouldnotbeidentifiedinthecoverage.

Itshould,however,benotedthatnormalP&Icoverinrespectofliabilitiesissubjecttoawarriskexclusionandcyberincidentsinthecontextofawarorterrorriskwillnotnormallybecovered.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 40TArGeT SySTemS, equIpmeNT ANd TeChNOlOGIeS

Target systems, equipment and technologiesANNEX 1

Thisannexprovidesasummaryofpotentiallyvulnerablesystemsanddataonboardshipstoassistcompanieswithassessingtheircyberriskexposure.Vulnerablesystems,equipmentandtechnologiesmayinclude:

Communication systems � integratedcommunicationsystems � satellitecommunicationequipment � VoiceOverInternetProtocols(VOIP)equipment � wirelessnetworks(WLANs) � public address and general alarm systems � systemsusedforreportingmandatoryinformationtopublicauthorities.

Bridge systems � integratednavigationsystem � positioningsystems(GPS,etc.) � ElectronicChartDisplayInformationSystem(ECDIS) � DynamicPositioning(DP)systems � systemsthatinterfacewithelectronicnavigationsystemsandpropulsion/manoeuvringsystems � AutomaticIdentificationSystem(AIS) � GlobalMaritimeDistressandSafetySystem(GMDSS) � radarequipment � VoyageDataRecorders(VDRs) � othermonitoringanddatacollectionsystems.

Propulsion and machinery management and power control systems � enginegovernor � powermanagement � integrated control system � alarm system � emergency response system.

Access control systems � surveillancesystemssuchasCCTVnetwork � BridgeNavigationalWatchAlarmSystem(BNWAS) � ShipboardSecurityAlarmSystems(SSAS) � electronic“personnel-on-board”systems.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 41TArGeT SySTemS, equIpmeNT ANd TeChNOlOGIeS

Cargo management systems � CargoControlRoom(CCR)anditsequipment � onboardloadingcomputersandcomputersusedforexchangeofloadinginformationandloadplanupdateswiththemarineterminalandstevedoringcompany

� remote cargo and container sensing systems � levelindicationsystem � valveremotecontrolsystem � ballastwatersystems � wateringressalarmsystem.

Passenger or visitor servicing and management systems � PropertyManagementSystem(PMS) � electronichealthrecords � financialrelatedsystems � shippassenger/visitor/seafarerboardingaccesssystems � infrastructuresupportsystemslikedomainnamingsystem(DNS)anduserauthentication/authorisationsystems.

Passenger-facing networks � passengerWi-FiorLocalAreaNetwork(LAN)internetaccess,forexamplewhereonboardpersonnelcanconnecttheirowndevices19

� guest entertainment systems.

Core infrastructure systems � securitygateways � routers � switches � firewalls � VirtualPrivateNetwork(s)(VPN) � VirtualLAN(s)(VLAN) � intrusionpreventionsystems � securityeventloggingsystems.

Administrative and crew welfare systems � administrativesystems � crewWi-FiorLANinternetaccess,forexamplewhereonboardpersonnelcanconnecttheirowndevices.

19 ThisisnotconsideredasBringYourOwnDevice(BYOD).Devicesarenotusedtoaccessprotectedinformation.Theycanonlybeusedforanindividual’spersonal,non-company,use.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 42Cyber rISk mANAGemeNT ANd The SAfeTy mANAGemeNT SySTem

Cyber risk management and the safety management systemANNEX 2

IMOResolutionMSC.428(98)makesclearthatanapprovedSMSshouldtakeintoaccountcyberriskmanagementwhenmeetingtheobjectivesandfunctionalrequirementsoftheISMCode.TheguidanceprovidedintheGuidelinesonmaritimecyberriskmanagement(MSC-FAL.1/Circ.3)provideshighlevelrecommendationsregardingtheelementsofanappropriateapproachtoimplementingcyberriskmanagement.TheguidanceinthisannexisdesignedtoprovidetheminimummeasuresthatallcompaniesshouldconsiderimplementingsoastoaddresscyberriskmanagementinanapprovedSMS.

IDENTIFY20

Roles and responsibilities21

Action RemarksISMCode:3.2IndustryGuidelines:1.1Updatethesafetyandenvironmentprotectionpolicytoincludereferencetotheriskposedbyunmitigatedcyberrisks.

Anupdatedsafetyandenvironmentprotectionpolicyshoulddemonstrate: � acommitmenttomanagecyberrisksaspartoftheoverallapproachtosafetymanagement(includingsafetyculture)andprotectionoftheenvironment

� anunderstandingthatCRMhasbothsafetyandsecurityaspects,buttheemphasisisonmanagingthesafetyrisksintroducedbyOT,ITandnetworks

� anunderstandingthatwithoutappropriatetechnicalandproceduralriskprotectionandcontrolmeasures,OTisvulnerabletodisruptionaffectingthesafeoperationofashipandprotectionoftheenvironment.

NothingintheupdatedpolicyshouldsuggestthatCRMisgivenanymoreorlessattentionthananyotherrisksidentifiedbythecompany.

ISMCode:3.3IndustryGuidelines:1.1UpdatetheresponsibilityandauthorityinformationprovidedintheSMStoincludeappropriateallocationofresponsibilityandauthorityforcyberriskmanagement(CRM).

Ingeneral,ITpersonnelshouldunderstandpotentialvulnerabilitiesincomputer-basedsystemsandknowtheappropriatetechnicalandproceduralprotectionmeasurestohelpensuretheavailabilityandintegrityofsystemsanddata.Operationalandtechnicalpersonnelshouldgenerallyunderstandthesafetyandenvironmentalimpactsofdisruptiontocriticalsystems22onboardshipsandareresponsiblefortheSMS.AllocationofresponsibilityandauthoritymayneedtobeupdatedtoenableCRM.Thisshouldinclude:

� allocationofresponsibilitiesandauthoritieswhichencouragecooperationbetweenITpersonnel(whichmaybeprovidedbyathirdparty)andthecompany’soperationalandtechnicalpersonnel

� incorporatingcompliancewithcyberriskmanagementpoliciesandproceduresintotheexistingresponsibilityandauthorityoftheMaster.

ISMCode:6.5IndustryGuidelines:5.2Usingexistingcompanyprocedures,identifyanytrainingwhichmayberequiredtosupporttheincorporationofcyberriskmanagementintotheSMS.

Cyberawarenesstrainingisnotamandatoryrequirement.Notwithstandingthis,trainingisaprotectionandcontrolmeasurethatformsthebasisofCRM.Ithelpstoensurethatpersonnelunderstandhowtheiractionswillinfluencetheeffectivenessofthecompany’sapproachtoCRM.Existingcompanyproceduresforidentifyingtrainingrequirementsshouldbeusedtoassessthebenefitsandneedfor:

� allcompanypersonneltoreceivebasiccyberawarenesstraininginsupportofthecompany’sCRMpoliciesandprocedures

� companypersonnel,whohavebeenassignedCRMduties,toreceiveatypeandlevelofcybertrainingappropriatetotheirresponsibilityandauthority.

Identify systems, assets, data and capabilities that, when disrupted, pose risks to ship operationsAction RemarksISMCode:10.3IndustryGuidelines:3&4Usingexistingcompanyprocedures,identifyequipmentandtechnicalsystems(OTandIT)thesuddenoperationalfailureofwhichmayresultinhazardoussituations.

AnapprovedSMSwillalreadyidentifytheequipmentandtechnicalsystems(includingOTandIT),andcapabilities,whichmaycausehazardoussituationsiftheybecomeunavailableorunreliable.TheimpactsshouldalreadyhavebeendocumentedinanapprovedSMS.However,anapprovedSMS,whichincorporatesCRMwillalsoneedtoaddressdatainthecontextofsuddenoperationalfailure.Lossofavailabilityorintegrityofdatausedbycriticalsystemscanhavethesameimpactonsafetyandprotectionoftheenvironmentasthesystembecomingunavailableorunreliableforsomeotherreason.Consequently,itisrecommendedthatthelistofequipmentandtechnicalsystems,shouldbesupplementedbyalistofthedatausedbythosesystemsanditssource(s).

20 Identify,Protect,Detect,RespondandRecoverasdescribedintheGuidelinesonMaritimeCyberRiskManagement(MSC-FAL.1/Circ.3).21 FunctionalelementfromtheGuidelinesonMaritimeCyberRiskManagement(MSC-FAL.1/Circ.3).22 Forthepurposeofthisannex,“criticalsystems”meanstheOT,IT,softwareanddatathesuddenoperationalfailureorunavailabilityofwhichisidentifiedbythecompanyashavingthepotentialtoresultinhazardoussituations.


PROTECTImplement risk control measuresAction RemarksISMCode:1.2.2.2IndustryGuidelines:5andAnnex1Assessallidentifiedriskstoships,personnelandtheenvironmentandestablishappropriatesafeguards.

Thefullscopeofriskcontrolmeasuresimplementedbythecompanyshouldbedeterminedbyariskassessment,takingintoaccounttheinformationprovidedintheseguidelines.Asabaseline,thefollowingmeasuresshouldbeconsideredbeforeariskassessmentisundertaken.Thebaselineconsistsofthetechnicalandproceduralmeasures,whichshouldbeimplementedinallcompaniestotheextentappropriate.Thesemeasuresare:

� Hardwareinventory–Developandmaintainaregisterofallcriticalsystemhardwareonboard,includingauthorizedandunauthorizeddevicesoncompanycontrollednetworks.TheSMSshouldincludeproceduresformaintainingthisinventorythroughouttheoperationallifeoftheship.

� Softwareinventory–Developandmaintainaregisterofallauthorizedandunauthorizedsoftwarerunningoncompany-controlledhardwareonboard,includingversionandupdatestatus.TheSMSshouldbeupdatedtoincludeproceduresfor:• maintainingthisinventorywhenhardwarecontrolledbythecompanyisreplaced• maintainingthisinventorywhensoftwarecontrolledbythecompanyisupdatedor

changed• authorizingtheinstallationofneworupgradedsoftwareonhardwarecontrolledby

thecompany• preventionofinstallationofunauthorizedsoftware,anddeletionofsuchsoftwareif

identified• softwaremaintenance.

� Mapdataflows–Mapdataflowsbetweencriticalsystemsandotherequipment/technicalsystemsonboardandashore,includingthoseprovidedbythirdparties.Vulnerabilitiesidentifiedduringthisprocessshouldberecordedandsecurelyretainedbythecompany.TheSMSshouldbeupdatedtoincludeproceduresfor:• maintainingthemapofdataflowstoreflectchangesinhardware,softwareand/or

connectivity• identifyingandrespondingtovulnerabilitiesintroducedwhennewdataflowsare

createdfollowingtheinstallationofnewhardware• reviewingtheneedforconnectivitybetweencriticalsystemsandotherOTandIT

systems.Suchareviewshouldbebasedontheprinciplethatsystemsshouldonlybeconnectedwherethereisaneedforthesafeandefficientoperationoftheship,ortoenable planned maintenance

• controllingtheuseofremovablemedia,accesspointsandthecreationofad-hocoruncontrolleddataflows.ThismaybeachievedbyrestrictionsontheuseofremovablemediaanddisablingUSBandsimilarportsoncriticalsystems.

� Implementsecureconfigurationsforallhardwarecontrolledbythecompany–Thisshouldincludedocumentingandmaintainingcommonlyacceptedsecurityconfigurationstandardsforallauthorizedhardwareandsoftware.TheSMSshouldincludepoliciesontheallocationanduseofadministrativeprivilegesbyshipandshore-basedpersonnel,andthirdparties.However,itisnotrecommendedthatthedetailsofsecureconfigurationsareincludedintheSMS.Thisinformationshouldberetainedseparatelyandsecurelybythecompany.

� Auditlogs–Securitylogsshouldbemaintainedandperiodicallyreviewed.Securityloggingshouldbeenabledonallcriticalsystemswiththiscapability.TheSMSshouldbeupdatedtoincludeproceduresfor:• policiesandproceduresforthemaintenanceofsecuritylogsandperiodicreviewby

competentpersonnelaspartoftheoperationalmaintenanceroutine• proceduresforthecollationandretentionofsecuritylogsbythecompany,if

appropriate. � Awarenessandtraining–Seeline3above. � Physicalsecurity–Thephysicalsecurityoftheshipisenhancedbycompliancewiththesecuritymeasuresaddressedintheshipsecurityplan(SSP)requiredbytheISPSCode.Measuresshouldbetakentorestrictaccessandpreventunauthorizedaccesstocriticalsystemnetworkinfrastructureonboard.


Develop contingency plansAction RemarksISMCode:7IndustryGuidelines:6Updateprocedures,plansandinstructionsforkeyshipboardoperationsconcerningthesafetyofthepersonnel,shipandprotectionoftheenvironmentwhichrelyonOT.

AnapprovedSMSshouldalreadyaddressprocedures,plansandinstructionsforkeyshipboardoperationsconcerningthesafetyofthepersonnel,shipandprotectionoftheenvironment.Ingeneral,theseplansshouldbeunaffectedbytheincorporationofCRMintotheSMS.ThisisbecausetheeffectofthelossofavailabilityofOT,orlossofintegrityofthedatausedorprovidedbysuchsystems,isthesameasiftheOTwasunavailableorunreliableforsomeotherreason.Notwithstandingthis,considerationshouldbegiventodevelopinginstructionsontheactionstobetakenifdisruptiontocriticalsystemsissuspected.Thiscouldincludeproceduresforrevertingtoback-uporalternativearrangementsasaprecautionwhilstanysuspecteddisruptionisinvestigated.ProceduresforperiodicallycheckingtheintegrityofinformationprovidedbyOTtooperatorsshouldbeconsideredforinclusioninoperationalmaintenanceroutines.

ISMCode:8.1IndustryGuidelines:6Updateemergencyplanstoincluderesponses to cyber incidents.

AnapprovedSMSshouldalreadyaddressemergencyplansforthedisruptionofcriticalsystemsrequiredforthesafeoperationofshipsandprotectionoftheenvironment.Ingeneral,theseplansshouldbeunaffectedbytheincorporationofcyberriskmanagementintosafetymanagementsystems.Thisisbecausetheeffectofcommonshipboardemergenciesshouldbeindependentoftherootcause.Forexample,afiremaybecausedbyequipmentmalfunctioningbecauseofasoftwarefailureorinappropriatemaintenanceoroperationoftheequipment.Notwithstandingtheabove,considerationshouldbegiventothedevelopmentofacyberincidentmoduleintheintegratedsystemofshipboardemergencyplansforsignificantdisruptiontotheavailabilityofOTorthedatausedbythem.ThepurposeofthemodulecouldbetoprovideinformationontheactionstobetakenintheeventofasimultaneousdisruptiontomultipleOTsystemsrequiredforthesafeoperationoftheshipandprotectionoftheenvironment.Inthismorecomplexsituation,additionalinformationonappropriateimmediateactionstobetakeninresponsemaybenecessary.

DETECTDevelop and implement activities necessary to detect a cyber-event in a timely mannerAction RemarksISMCode:9.1IndustryGuidelines:5.1Updateproceduresforreportingnon-conformities,accidentsandhazardoussituationstoincludereportsrelatingtocyberincidents.

AnapprovedSMSshouldalreadyaddressproceduresrelatingtonon-conformities.WhenincorporatingCRMintotheSMS,companyreportingrequirementsfornon-conformitiesmayneedtobeupdatedtoincludecyberrelatednon-conformities.Examplesofsuchnon-conformitiesandcyberincidents:

� unauthorisedaccesstonetworkinfrastructure � unauthorizedorinappropriateuseofadministratorprivileges � suspiciousnetworkactivity � unauthorisedaccesstocriticalsystems � unauthoriseduseofremovablemedia � unauthorisedconnectionofpersonaldevices � failuretocomplywithsoftwaremaintenanceprocedures � failuretoapplymalwareandnetworkprotectionupdates � lossordisruptiontotheavailabilityofcriticalsystems � lossordisruptiontotheavailabilityofdatarequiredbycriticalsystems.


RESPONDDevelop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations and/or services impaired due to a cyber-eventAction RemarksISMCode:3.3IndustryGuidelines:7.1Ensurethatadequateresourcesandshore-basedsupportareavailabletosupporttheDPAinrespondingtothelossofcriticalsystems.

AnapprovedSMSshouldalreadybesupportedbyadequateresourcestosupporttheDPA.However,theincorporationofCRMintotheSMSshouldrequirethatthisresourcingincludesappropriateITexpertise.Thisresourcecouldcomefromwithinthecompanybutmayalsobeprovidedbyathirdparty.Inprovidingtheadequateresources,thefollowingshouldbeconsidered:

� companyorthirdpartytechnicalsupportshouldbefamiliarwithonboardITandOTinfrastructure and systems

� anyinternalresponseteamorexternalcyberemergencyresponseteam(CERT)shouldbeavailabletoprovidetimelysupporttotheDPA

� provisionofanalternativemeansofcommunicationbetweentheshipandtheDPA,whichshouldbeabletofunctionindependentlyofallothershipboardsystems,ifandwhentheneed arises

� internalauditsshouldconfirmthatadequateresources,includingthirdpartieswhenappropriate,areavailabletoprovidesupportinatimelymannertosupporttheDPA.

ISMCode:9.2IndustryGuidelines:7.1Updateproceduresforimplementingcorrectiveactionsto include cyber incidents and measurestopreventrecurrence.

AnapprovedSMSshouldalreadyincludeproceduresforrespondingtonon-conformities.Ingeneral,theseshouldnotbeaffectedbytheincorporationofCRMinSMS.However,theproceduresshouldhelpensurethatconsiderationofnon-conformitiesandcorrectiveactionsinvolvesthepersonnelwithresponsibilityandauthorityforCRM.Thisshouldhelpensurethatcorrectiveactions,includingmeasurestopreventrecurrence,areappropriateandeffective.

ISMCode:10.3IndustryGuidelines:7.1UpdatethespecificmeasuresaimedatpromotingthereliabilityofOT.

AnapprovedSMSshouldalreadyincludeproceduresforoperationalmaintenanceroutinestopromotethereliabilityofequipmentonboard.ASMS,whichincorporatesCRM,shouldoutlineproceduresfor:

� Softwaremaintenanceasapartofoperationalmaintenanceroutines–Suchproceduresshouldensurethatapplicationofsoftwareupdates,includingsecuritypatches,areappliedandtestedinatimelymanner,byacompetentperson.

� Authorizingremoteaccess,ifnecessaryandappropriate,tocriticalsystemsforsoftwareorothermaintenancetasks–Thisshouldincludeauthorizingaccessingeneral(includingverificationthatserviceprovidershavetakenappropriateprotectivemeasuresthemselves)andforeachspecificremoteaccesssession.

� Preventingtheapplicationofsoftwareupdatesbyserviceprovidersusinguncontrolledorinfectedremovablemedia.

� Periodicinspectionoftheinformationprovidedbycriticalsystemstooperatorsandconfirmationoftheaccuracyofthisinformationwhencriticalsystemsareinaknownstate.

� Controlleduseofadministratorprivilegestolimitsoftwaremaintenancetaskstocompetent personnel.

RECOVERYIdentify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber incidentAction RemarksISMCode:10.4IndustryGuidelines:5.1and7.2Includecreationandmaintenanceofback-upsintotheship’soperationalmaintenanceroutine.

AnapprovedSMSshouldalreadyincludeproceduresformaintainingandtestingback-uparrangementsforshipboardequipment.Notwithstandingthis,itmaynotaddressproceduresformaintainingandstoringofflineback-upsfordataandsystemsrequiredforthesafeoperationoftheshipandprotectionoftheenvironment.ASMS,whichincorporatesCRM,shouldincludeproceduresfor:

� checkingback-uparrangementsforcriticalsystems,ifnotcoveredbyexistingprocedures � checkingalternativemodesofoperationforcriticalsystems,ifnotcoveredbyexisting

procedures � creatingorobtainingback-ups,includingcleanimagesforOTtoenablerecoveryfroma

cyber incident � maintainingback-upsofdatarequiredforcriticalsystemstooperatesafely � offlinestorageofback-upsandcleanimages,ifappropriate � periodictestingofback-upsandback-upprocedures.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 46ONbOArd NeTwOrkS

Onboard networksANNEX 3

AsecurenetworkdependsontheIT/OTsetuponboardtheship,andtheeffectivenessofthecompanypolicybasedontheoutcomeoftheriskassessment.Controlofentrypointsandphysicalnetworkcontrolonanexistingshipmaybelimitedbecausecyberriskmanagementhadnotbeenconsideredduringtheship’sconstruction.Itisrecommendedthatnetworklayoutandnetworkcontrolshouldbeplannedforallnewbuildings.

Directcommunicationbetweenanuncontrolledandacontrollednetworkshouldbeprevented.Furthermore,severalprotectionmeasuresshouldbeadded:

� implementnetworkseparationand/ortrafficmanagement

� manageencryptionprotocolstoensurecorrectlevelofprivacyandcommercialcommunication

� manageuseofcertificatestoverifyoriginofdigitallysigneddocuments,softwareorservices.

Ingeneral,onlyequipmentorsystemsthatneedtocommunicatewitheachotheroverthenetworkshouldbeabletodoso.Theoverridingprincipleshouldbethatthenetworkingofequipmentorsystemsisdeterminedbyoperationalneed.

Physical layout

Thephysicallayoutofthenetworkshouldbecarefullyconsidered.Itisimportanttoconsiderthephysicallocationofessentialnetworkdevices,includingservers,switches,firewallsandcabling.Thiswillhelprestrictaccessandmaintainthephysicalsecurityofthenetworkinstallationandcontrolofentrypointstothenetwork.

Network management

Anynetworkdesignwillneedtoincludeaninfrastructureforadministeringandmanagingthenetwork.Thismayincludeinstallingnetworkmanagementsoftwareondedicatedworkstationsandserversprovidingfilesharing,emailandotherservicestothenetwork.

Network segmentation

Onboardnetworksshouldnormallyaccommodatethefollowing:

1. necessarycommunicationbetweenOTequipment

2. configurationandmonitoringofOTequipment

3. onboardadministrativeandbusinesstasksincludingemailandsharingbusinessrelatedfilesorfolders(ITnetworks)

4. recreationalinternetaccessforcrewand/orpassengers/visitors.

Effectivenetworksegmentationisakeyaspectof“defenceindepth”.OT,ITandpublicnetworksshouldbeseparatedorsegmentedbyappropriateprotectionmeasures.Theprotectionmeasuresusedmayinclude,butarenotlimitedtoanappropriatecombinationofthefollowing:

� aperimeterfirewallbetweentheonboardnetworkandtheinternet


� networkswitchesbetweeneachnetworksegment

� internalfirewallsbetweeneachnetworksegment

� VirtualLocalAreaNetworks(VLAN)tohostseparatesegments.

Inaddition,eachsegmentshouldhaveitsownrangeofInternetProtocol(IP)addresses.Networksegmentationdoesnotremovetheneedforsystemswithineachsegmenttobeconfiguredwithappropriatenetworkaccesscontrolsandsoftwarefirewallsandmalwaredetection.

figure 2: example of an onboard network

Internet

Business administra�on network

OT network

VPN connec�onNetwork connec�on

Guest networkFleet broadband4G router

Wi-fi

Firewall

Intheexampleshownabove,thenetworkhasbeensegmentedusingaperimeterfirewall,whichsupportsthreeVLANs:

1. theOTNetworkcontainingequipmentandsystems,thatperformssafetycriticalfunctions

2. theITnetworkcontainingequipmentandsystems,thatperformsadministrativeorbusinessfunctions

3. acrewandguestnetwork,providinguncontrolledinternetaccess.


Considerationsshouldbemadeonhowtomaximisethesecurityoftheswitchesthemselves.Toachievethehighestlevelofsecurity,eachnetworkshoulduseadifferenthardwareswitch.Thiswillminimisethechanceofanattackerjumpingbetweennetworksduetomisconfigurationorbyacquiringaccesstotheconfigurationofaswitch.

Acorrectlyconfiguredandappropriatefirewallisanimportantelementofthepropersegmentationofanetworkinstallation.Theonboardinstallationshouldbeprotectedbyatleastaperimeterfirewalltocontroltrafficbetweentheinternetandtheonboardnetwork.Topreventanyunintendedcommunicationtakingplace,thefirewallshouldbeconfiguredbydefaulttodenyallcommunication.Basedonthisconfiguration,rulesshouldbeimplemented.Therulesshouldbedesignedtoallowthepassageofdatatrafficthatisessentialfortheintendedoperationofthatnetwork.

Forexample,ifaspecificendpointreceivesupdatesfromtheinternet,theruleshouldallowthespecificendpointtoconnectspecificallytotheserverhandlingthespecificupdateservice.Enablinggeneralinternetaccesstoaspecifiedendpointforupdatesisnotrecommended.

Uncontrollednetworkslikeacreworpassengernetworkshouldnotbeallowedanycommunicationwiththecontrollednetworks.Theuncontrollednetworkshouldbeconsideredasunsafeastheinternet,sincethedevicesconnectingtoitareunmanaged,theirsecuritystatus(antivirus,updates,etc.)isunknownandtheiruserscouldbeactingmaliciously,intentionallyorunintentionally.

Monitoring data activity

Itisimportanttomonitorandmanagesystemstobeawareofthenetworks’statusandtodetectanyunauthoriseddatatraffic.Loggingshouldbeimplementedinthefirewallandideallyinallnetwork-attacheddevicessothatincaseofabreach,theresponsiblepersoncantracebackthesourceandmethodologyoftheattack.Thiswillhelptosecurethenetworkfromanysimilarattacksinthefuture.

AnetworkIntrusionDetectionSystem(IDS)orIntrusionProtectionSystem(IPS)canalertthesystemadministratorinreal-timeofanyattackstothenetworksystems.TheIDSandIPSinspectdatatraffic,entrypointsorbothtoidentifyknownthreatsortorejecttraffic,whichdoesnotcomplywiththesecuritypolicy.AnIPSshouldcomplywiththelatestindustrybestpracticesandguidelines.

Itisrecommendedtoplaceasensorontheinternet-facingsegment,becausethepublicserversareavisibletargettoattackers.Anothersensorshouldbeplacedbehindthefirewall,tomonitortrafficbetweentheinternetandtheinternalnetwork.AnlDS/IPSsensorcouldalsobeplacedbyaremote-accesssegment,forinstanceaVirtualPrivateNetwork(VPN).

Protection measures

Protectionmeasuresshouldbeimplementedinawaythatmaintainsthesystem’sintegrityduringnormaloperationsaswellasduringacyberincident.EveryOTnetworkonboardhasseveralendpointssuchasworkstations,servers,routers,inputandoutputmodules,transducersetc.Theendpointsareveryimportantastheycontroltheoperationandthesecurityofthesystem.

Asinglesecurityproduct,technologyorsolutioncannotadequatelyprotectanOTsystembyitself.Amultiplelayerstrategyinvolvingtwo(ormore)differentoverlappingsecuritymechanismsisdesired,sothattheimpactofafailureinanyonemechanismisminimized(seechapter5.1defence-in-depth).Inaddition,aneffectivedefence-in-depthstrategyrequiresathoroughunderstandingofpossibleattackvectorsonanOTsystem.Thesemayinclude:

� backdoorsandholesinnetworkperimeterandinstruments

� vulnerabilitiesincommonlyusedprotocols


� vulnerableendpointsandsensors

� unprotected databases.

Asecurerunningenvironmentcanbeestablishedbyusingasandbox,whichprovidesadditionalprotectionagainstcyberthreatsbyisolatingexecutablesoftwarefromtheunderlyingoperatingsystem.Thispreventsunauthorisedaccesstotheoperatingsystems,onwhichthesoftwareisrunning.Thesandboxenablessoftwaretoberununderaspecificsetofrulesandthisaddscontroloverprocessesandcomputerresources.Therefore,thesandboxhelpspreventmalicious,malfunctioningoruntrustedsoftwarefromaffectingtherestofthesystem.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 50GlOSSAry

GlossaryANNEX 4

Access controlisselectivelimitingoftheabilityandmeanstocommunicatewithorotherwiseinteractwithasystem,tousesystemresourcestohandleinformation,togainknowledgeoftheinformationthesystemcontainsortocontrolsystemcomponentsandfunctions.

Back door isasecretmethodofbypassingnormalauthenticationandverificationwhenaccessingasystem.Abackdoorissometimescreatedinhiddenpartsofthesystemitselforestablishedbyseparatesoftware.

Bring your own device (BYOD) allowsemployeestobringpersonallyowneddevices(laptops,tablets,andsmartphones)totheshipandtousethosedevicestoaccessprivilegedinformationandapplicationsforbusinessuse.

Cyber attack isanytypeofoffensivemanoeuvrethattargetsITandOTsystems,computernetworks,and/orpersonalcomputerdevicesandattemptstocompromise,destroyoraccesscompanyandshipsystems and data.

Cyber incident isanoccurrence,whichactuallyorpotentiallyresultsinadverseconsequencestoanonboardsystem,networkandcomputerortotheinformationthattheyprocess,storeortransmit,andwhichmayrequirearesponseactiontomitigatetheconsequences.

Cyber risk management meanstheprocessofidentifying,analysing,assessing,andcommunicatingacyber-relatedriskandaccepting,avoiding,transferring,ormitigatingittoanacceptablelevelbytakingintoconsiderationthecostsandbenefitsofactionstakenbystakeholders.

Cyber system isanycombinationoffacilities,equipment,personnel,proceduresandcommunicationsintegratedtoprovidecyberservices;examplesincludebusinesssystems,controlsystemsandaccesscontrol systems.

Defence in breadth isaplanned,systematicsetofactivitiesthatseektoidentify,manage,andreduceexploitablevulnerabilitiesinITandOTsystems,networksandequipmentateverystageofthesystem,network,orsub-componentlifecycle.Onboardships,thisapproachwillgenerallyfocusonnetworkdesign,systemintegration,operationsandmaintenance.

Defence in depth isanapproachwhichuseslayersofindependenttechnicalandproceduralmeasurestoprotectITandOTonboard.

Executable software includesinstructionsforacomputertoperformspecifiedtasksaccordingtoencodedinstructions.

Firewall isalogicalorphysicalbreakdesignedtopreventunauthorisedaccesstoITinfrastructureandinformation.

Firmware issoftwareimbeddedinelectronicdevicesthatprovidescontrol,monitoringanddatamanipulationofengineeredproductsandsystems.Thesearenormallyself-containedandnotaccessibletousermanipulation.

Flaw isunintendedfunctionalityinsoftware.

Intrusion Detection System (IDS) isadeviceorsoftwareapplicationthatmonitorsnetworkorsystemactivitiesformaliciousactivitiesorpolicyviolationsandproducesreportstoamanagementstation.


Intrusion Prevention System (IPS),alsoknownasIntrusionDetectionandPreventionSystems(IDPSs),arenetworksecurityappliancesthatmonitornetworkand/orsystemactivitiesformaliciousactivity.

Local Area Network (LAN) isacomputernetworkthatinterconnectscomputerswithinalimitedareasuchasahome,shiporofficebuilding,usingnetworkmedia.

Malware isagenerictermforavarietyofmalicioussoftware,whichcaninfectcomputersystemsandimpactontheirperformance.

Operational technology (OT) includesdevices,sensors,softwareandassociatednetworkingthatmonitor and control onboard systems.

Patches aresoftwaredesignedtoupdatesoftwareorsupportingdatatoimprovethesoftwareoraddresssecurityvulnerabilitiesandotherbugsinoperatingsystemsorapplications.

Phishing referstotheprocessofdeceivingrecipientsintosharingsensitiveinformationwithathird-party.

Principle of least privilege referstotherestrictionofuseraccountprivilegesonlytothosewithprivilegesthatareessentialtofunction.

Producer istheentitythatmanufacturestheshipboardequipmentandassociatedsoftware.

Recovery referstotheactivitiesafteranincidentrequiredtorestoreessentialservicesandoperationsintheshortandmediumtermandfullyrestoreallcapabilitiesinthelongerterm.

Removable media isacollectivetermforallmethodsofstoringandtransferringdatabetweencomputers.Thisincludeslaptops,USBmemorysticks,CDs,DVDsanddiskettes.

Risk assessment istheprocesswhichcollectsinformationandassignsvaluestorisksasabaseonwhichtomakedecisiononprioritiesanddevelopingorcomparingcoursesofaction.

Risk management istheprocessofidentifying,analysing,assessingandcommunicatingriskandaccepting,avoiding,transferringorcontrollingittoanacceptablelevelconsideringassociatedcostsandbenefitsofanyactionstaken.

Sandbox isanisolatedenvironment,inwhichaprogrammaybeexecutedwithoutaffectingtheunderlyingsystem(computeroroperatingsystem)andanyotherapplications.Asandboxisoftenusedwhenexecutinguntrustedsoftware.

Service provider isacompanyorperson,whoprovidesandperformssoftwaremaintenance.

Social engineering isamethodusedtogainaccesstosystemsbytrickingapersonintorevealingconfidentialinformation.

Software whitelisting meansspecifyingthesoftware,whichispresentandactiveonanITorOTsystem.

Virtual Local Area Network (VLAN)isthelogicalgroupingofnetworknodes.AvirtualLANallowsgeographicallydispersednetworknodestocommunicateasiftheywerephysicallyonthesamenetwork.

Virtual Private Network (VPN)enablesuserstosendandreceivedataacrosssharedorpublicnetworksasiftheircomputingdevicesweredirectlyconnectedtotheprivatenetwork,therebybenefitingfromthefunctionality,securityandmanagementpoliciesoftheprivatenetwork.


Virus isahidden,self-replicatingsectionofcomputersoftwarethatmaliciouslyinfectsandmanipulatestheoperationofacomputerprogramorsystem.

Wi-Fi isallshort-rangecommunicationsthatusesometypeofelectromagneticspectrumtosendand/orreceiveinformationwithoutwires.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 53CONTrIbuTOrS TO verSION 3 Of The GuIdelINeS

Contributors to version 3 of the guidelinesANNEX 5

Thefollowingorganisationsandcompanieshaveparticipatedinthedevelopmentoftheseguidelines:

Anglo-EasternGroupAspidaBIMCOChamberofShippingofAmerica(CSA)ClassNKCOLUMBIAShipmanagementLtdCruiseLinesInternationalAssociation(CLIA)CyberKeelInternationalAssociationofDryCargoShipowners(INTERCARGO)InternationalAssociationofIndependentTankerOwners(INTERTANKO)InternationalChamberofShipping(ICS)InternationalgroupofProtection&IndemnityclubsInternationalUnionofMarineInsurance(IUMI)InterManagerMaerskLineMoranShippingAgencies,Inc.NCCGroupOilCompaniesInternationalMarineForum(OCIMF)SOFTimpactLtdTemplarExecutivesWorldShippingCouncil

www.bimco.org

Industry publishes improved cyber guidelines The third edition of the industry cyber risk management guidelines, Guidelines on Cyber Security Onboard Ships, addresses the requirement to incorporate cyber risks in the ship’s safety management system (SMS). It also reflects a deeper experience with risk assessments of operational technology (OT) - such as navigational systems and engine controls - and provides more guidance for dealing with the cyber risks to the ship arising from parties in the supply chain. “The industry will soon be under the obligation to incorporate measures to deal with cyber risks in the ship’s safety management system. This had not been tackled in the previous versions,” says Dirk Fry, chair of BIMCO’s cyber security working group and Managing Director of Colombia Ship Management. “The third edition provides additional information which should help shipping companies carry out proper risk assessments and include measures in their safety management systems to protect ships from cyber-incidents. A new dedicated annex provides measures that all companies should consider implementing to address cyber risk management in an approved SMS,” Fry says. “This is much easier said than done”, he adds, and notes that the criminals trying to exploit companies or breach their security are getting more inventive by the minute. The new guidelines are the third edition in as many years, which reflects the constantly evolving nature of the risks and challenges. OT risks differ A second key expansion in the guidelines is around operational technology. Ships have more and more Operational technology (OT) which is integrated with Information technology (IT) and which can be connected to the internet, but the risks associated with OT are different from IT systems. For example, malfunctioning IT may cause significant delay of a ship’s unloading or clearance, but with malfunctioning or inoperative OT there can be a real risk of harm to people, the ship or the marine environment. “On a ship, the job may be less focused on protecting data while protecting operational systems working in the real world has direct safety implications. If the ECDIS system or software controlling an engine are hit with malware, or if it breaks down due to lack of compatibility after an update of software, it can lead to dangerous situations,” Fry says. Another new element in the guidelines is a number of examples of actual incidents to demonstrate some of the real-world situations shipowners and operators face. The examples have been anonymized.

www.bimco.org

According to the Cyber Security Survey by BIMCO, Fairplay and ABS Advanced Solutions, the joint Industry Guidelines on Cyber Security Onboard Ships, are widely used across the industry. The survey also showed industry is more aware of the issue and has increased cyber risk management training, but there remains room for improvement. Supply chain risks A third new focus area is the risk of malware infecting the ship’s systems via the many parties associated with the operation of a ship and its systems. “The ships are not just sitting there in the middle of the ocean. More and more ships are also closely connected to security systems in the companies’ offices and shippers’ offices and agents’ offices,” says Fry. Advice includes evaluating the security of service providers, defining a minimum set of requirements to manage supply chain or third-party risks and making sure that agreements on cyber risks are formal and written. The guidelines also underline the need for ships to be able to disconnect quickly and effectively from shore-based networks, where required. The following organisations produced the third edition: BIMCO, InterManager, International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Chamber of Shipping (ICS), International Union of Marine Insurance (IUMI), Oil Companies International Marine Forum (OCIMF) and World Shipping Council (WSC).

The work was supported by: Anglo Eastern, Colombia Ship Management, Maersk Line, Moran Shipping Agencies as well as the cyber security experts NCC, SOFTimpact, Templar Executives and Cyber Keel.

Press contact: For further information or to request an interview, please contact: Rasmus Nord Jørgensen Communications Director Mobile: +45 2168 0421 Email: [email protected] About BIMCO: BIMCO is the world’s largest international shipping association, with around 2,000 members in more than 120 countries. Our global membership includes shipowners, operators, managers, brokers and agents. As a member, you have access to a wide range of services for free or at a discount. BIMCO’s four core service areas provide value and support to our members:

www.bimco.org

1. Products: BIMCO’s standard contracts and clauses for the shipping industry and our contract editor SmartCon is a key offering to our members. We also run the BIMCO Shipping KPI System which can be used to benchmark ships’ operational performance. 2. Regulation: BIMCO takes an active role on behalf of shipowners during discussions and decisions with global and regional regulators and have consultative status at the International Maritime Organisation. We work towards a level playing field for shipping – including fair trade and open access to markets. 3. Information and advice: we deal with 10,000 member queries every year via phone or email and see over three million page views on our website each year. Our staff share their expert knowledge on contractual, regulatory and technical matters with members. 4. Training: BIMCO conducts face-to-face courses, webinars and tailor-made courses for companies on a variety of shipping related topics.

Documents

11 December 2018 Cyber Risks and Cyber Security …...Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT. Cyber safety incidents