Implementing cyber risk management into SMS

Having established in the last article that MSC.428(98) may not be mandatory as far as the IMO rules go but that individual flag and some port states do require shipping companies to address cyber security in their safety management systems, the next thing is to consider how best to do that.

The IMO guidelines published as MSC-FAL.1/Circ.3 in 2021 are no more than three and a half pages of high level recommendations and by themselves do not really contain much useful information for a ship operator addressing the issue for the first time. Section 3 of the guidelines does list five functional elements of cyber risk management which are:

  • Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
  • Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
  • Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
  • Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
  • Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

While the above does set out the aims, practical advice will not be found in the document. Instead, the IMO suggests that companies identify ‘Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices’. It also lists a selection of sources that can give more advice.

One of those sources is THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS first published in 2017 by a consortium of industry bodies including BIMCO, ICS, Chamber of Shipping of America, INTERCARGO, InterManager, INTERTANKO, IUMI and OCIMF amongst others. Those guidelines are now in their fourth version published in 2021.

The fourth version of the industry publication is a 64-page document and is much more helpful than the IMO guidelines because it takes a more practical approach. As can be seen from the following diagram, which is taken from the industry publication, it covers all of the IMO functional elements but breaks cyber risk management down into six areas rather than five.

Linked to the industry guideline publication but available separately at a cost of £250 is Cyber Security Workbook for On Board Ship Use – 4th Edition, 2023, drawn up by BIMCO and ICS and published by Witherbys. This is an even more extensive volume and, as well as a lot of practical information, also contains checklists that internal auditors of an owner’s or manager’s SMS could use when integrating cyber security into the system.

As well as the two publications mentioned above, many classification societies and P&I clubs have issued their own variations of advice on how best to implement the guidelines.

Identifying threats

ISM code compliant safety management systems come in many guises from small scale covering small numbers or even single ships through to wide ranging systems of the largest management and operating companies where several hundred ships are covered. This means that the task of identifying roles and responsibilities will differ enormously.

While there may be a temptation to assign the matter to the department or individuals tasked with the organisation’s IT policies, it is very likely that an IT specialist will be ignorant of the level of digitalisation of onboard systems. They will doubtless be able to recognise the threat to communications systems but may have little or no knowledge of systems such as ECDIS, VDRs, AIS, radar, electronically controlled engines, power management systems, monitoring systems, pollution prevention equipment such as OWS, ballast management and more. Therefore, it is clear that the involvement of superintendents, officers and crew will be essential.

One of the tasks will be to identify the difference between IT and OT, with IT being the transfer of data and OT being the operation of equipment and systems that may be controlled electronically.

In most fleets, the level of digitalised and potentially threatened systems on board will vary between ships, so identifying those must be done on an individual ship basis. On older ships where most systems are of the analogue variety the range of threatened systems may be small, but most will have at least one ECDIS and a VDR on board and these are vulnerable to attack even if the ECDIS does not have a remote updating facility. After the initial checking, future additions to equipment need to be assessed as they are installed to ensure the protection will remain current.

At the other end of the spectrum are new ships coming out of yards that have been designed as ‘smart’ ships. In these there is a high degree of integration as the image below from Hyundai indicates. It should be said that Hyundai and most other shipbuilders that offer this feature have had their systems assessed by classification societies and verified as cyber secure.

In 2020, the International Association of Classification Societies (IACS) published Recommendation on Cyber Resilience to ensure a set of standardised criteria for new builds. It applies to the use of technical systems that provide important functions on board such as control, alarm, monitor, safety and internal communication.
Of course, cyber threats evolve and change over time and what is secure today may not be in the future.

Most safety management systems incorporate the need for crew training in some way but very few would consider the crew to be an essential system per se. However, in the case of cyber threats, one of the main vulnerabilities is people. This can range from personnel making use of insecure data transfer methods such as USB sticks or memory cards, reacting to malware and phishing attempts or connecting compromised devices such as smartphones or tablets to networks.

Protecting & prevention

In an ideal world protection should be a one time exercise using tools and services currently available but unfortunately the cyber threat landscape is constantly changing and no system will ever be fully secure.

There are several precautions that can be taken to best protect systems, and which can be incorporated into a safety management system.

  • Top of the list is that firewalls should be in place between internal trusted networks and external networks.
  • All systems should be maintained up to date using a process that has been decided as providing the least risk. This may mean limiting use of USB sticks etc to approved units only.
  • Where service contractors may need to update firmware of equipment software via a USB or other transportable media, it is a good precaution to use a dedicated standalone computer or tablet to scan for viruses before allowing it to be used on the equipment.
  • Charging of smartphones or tablets using system USB ports should be prohibited. Only mains or battery chargers should be allowed.
  • Administrative rights should be needed to update or add software with strong password protection.
  • Regular password changes should be required, especially of key personnel who leave the organisation.
  • Consideration should be given to having separate crew and business networks so that the important networks on board are isolated from crew personal use. This should eliminate a large proportion of potential threats as personal emails and communications are a major source of malware attacks.
  • On all networks, restricting web access to selected known safe sites (whitelisting) and blocking suspect sites (blacklisting) can both help reduce the threat.
  • Training on email link usage and regular phishing penetration testing.
  • Vulnerability scanning by trusted third parties.
  • Anti-virus software should be used to regularly check systems and to monitor internet usage.
  • Sharing information on newly discovered threats between ships in fleet with advice given as to prevention.

Some of the above will require new dedicated procedures to be written but others – for example updating of ECDIS software – may need to be amended by including features unique to the equipment into an existing procedure.

On the question of passwords, some thought should be given to rules as to length and mixing of character types. There is evidence that suggests a hacker using a single computer will be able to crack an 8 character password in one month if it is a mixture of upper and lower case letters, digits and special characters. That may sound reasonable but a botnet cracking system could achieve the same result in one minute. The botnet method would require two years if the character mix was increased to 11 characters. Passwords using numbers or letters only are cracked almost instantly.

Passwords become easier to crack if they are used in multiple places.
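
An added example, not part of the original article: the article's two figures for an 8-character mixed password imply a guess rate for each kind of attacker, and the sketch below uses those rates to estimate worst-case exhaustive-search times for other lengths and character sets when drafting a password rule for the SMS. The 94-character "mixed" set, the 30-day month and all function names are assumptions, and the estimate applies to randomly chosen passwords only, not to reused or dictionary-based ones.

```python
# Added example: exhaustive-search estimates calibrated from the article's figures.
CHARSETS = {
    "digits only": 10,
    "lowercase letters only": 26,
    # Assumption: "mixed" = 26 upper + 26 lower + 10 digits + 32 ASCII specials.
    "mixed (upper, lower, digits, special)": 94,
}
MINUTE, MONTH, YEAR = 60, 30 * 86400, 365 * 86400


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def implied_rate(length, charset_size, seconds):
    """Guesses per second needed to try every password in `seconds`."""
    return keyspace(length, charset_size) / seconds


# Calibration: the article's two data points for an 8-character mixed password.
SINGLE_PC_RATE = implied_rate(8, 94, MONTH)   # "one month" on one computer
BOTNET_RATE = implied_rate(8, 94, MINUTE)     # "one minute" on a botnet


def exhaust_seconds(length, charset_size, rate):
    """Worst-case time to try the whole keyspace at `rate` guesses/second."""
    return keyspace(length, charset_size) / rate


def min_length(charset_size, rate, target_seconds):
    """Shortest length whose keyspace takes at least `target_seconds` to exhaust."""
    length = 1
    while exhaust_seconds(length, charset_size, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        secs = exhaust_seconds(8, size, BOTNET_RATE)
        need = min_length(size, BOTNET_RATE, 10 * YEAR)
        print(f"{name}: 8 chars fall in {secs:.2g} s; "
              f"{need} chars needed to hold for 10 years")
    years = exhaust_seconds(11, 94, BOTNET_RATE) / YEAR
    print(f"11 mixed chars vs botnet: {years:.1f} years")
```

Under these assumptions, 11 mixed characters come out at about 1.6 years against the botnet rate, the same order as the article's two-year figure, while 8 digits or 8 single-case letters fall in well under a second.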

Detecting threats

Threats are not likely to announce themselves unless the attack is made by ransomware so it can be incredibly difficult to detect attacks. The use of scanning and anti-virus software approved by head office on all computers connected to a network will be a useful precaution.
When a specific threat is known to be circulating, IT specialists may be aware of ‘symptoms’ that indicate its presence and the Safety Management System should have in place a process whereby any known threats are circulated to all parties involved in the SMS at the earliest opportunity.

Some threats can be suspected if expected results are not achieved after following a link but this requires vigilance from the user. If this occurs after an inappropriate action such as clicking on a link in an email thought to be genuine the matter should be reported immediately and appropriate responses initiated. A no blame culture within the company will likely make the person involved admit to an error more readily than if no such system is in place. Some third party vulnerability training used on a regular basis will help keep users alert to this threat.

One of the biggest fears of the maritime sector is that a cyber threat could potentially cause a ship to deviate from a set navigation course, lose power or suffer in some other way that affects safety for the ship and potentially for other vessels as well. In these cases, even if not thought likely when considering the cyber threat, procedures for response need to be incorporated. The basics for such procedures may already exist within the SMS as responses to malfunctions in equipment.

Responding to cyberattacks

There should be written procedures for responding to and recovering from cyberattacks. Of necessity these should be available in hard copy as computer systems may be offline. The procedure should include detailed instructions on restoring from backups.

When any device or system is thought to be compromised by a cyberattack, it should be disconnected from any networks as soon as possible. That may not necessarily prevent a contagion having already spread but it could protect other systems if it has not. Simultaneously the ship’s security officer and other key personnel need to be alerted.

If there is duplicated equipment or an alternative system on board that can handle the work of the compromised system, that should be brought into service as the compromised system is shut down. Every SMS should have procedures and contingency measures in case there is a system failure that compromises the safety of the ship, personnel or the environment. The cyber threat is no different in this respect but as things stand most ships do have analogue back ups that can be used in case digital systems malfunction.

One system that may not have an obvious alternative is the communications system, especially if the ship has the minimal GMDSS requirements. It might be an easy matter to disable the satellite communications, but VHF radios should not be affected too much. The benefit of segregating crew and ship communications could be that even if one system is compromised the other remains operational. And as new LEO satellite networks begin coming into operation, the likelihood of smartphones and tablets being able to connect to the internet independently could give an alternative communications option.

Electronic navigation systems might give false positions and courses if compromised but a standalone GPS for use in lifeboats should be sufficient to advise the accurate position and ships are still obliged to carry sextants and navigators must be able to use them. Incidentally, the threat of cyberattack and jamming of GPS signals led to the US Navy reintroducing celestial navigation training in 2016 after having begun to phase it out in 2000.

If the attack is serious enough to put the ship and other vessels/facilities in danger then emergency procedures need to be activated.
Details of the attack should be shared with all vessels in the fleet and all shore personnel likely to have been impacted. It is also a good idea to inform the P&I club as there may be consequences that affect insurance cover. P&I clubs should be allowed to share details with other companies in the interests of the industry as a whole.

Recovery from attack

The route to recovery will depend upon the threat and its consequences. IT systems should be backed-up on a regular basis and once the threat (virus, malware, etc) has been removed from the system, a full system restore should be initiated. As previously mentioned, all ships should have hard copy instructions for restoring from backups. These should also be available for shore personnel but for ships they are essential as the vessel may be many days away from outside assistance.

If it is believed that any equipment has been compromised, that equipment should remain unused until the operating system can be checked, restored or replaced as necessary. Advice needs to be sought from the OEM if the system is capable of being rectified remotely as reconnecting it to the ship’s communication system may reactivate the problem.
There are always lessons to be learned from any attack. How did it happen? Why did it happen? Did the response and recovery procedures work as anticipated? These are all questions that need to be addressed and procedures amended as necessary.

If the source of the problem is found to be related to use of an obsolete operating system that cannot be updated, then consideration should be given to replacing all obsolete equipment as a priority.