The noise around cybersecurity in shipping is growing and owners need to make informed choices, writes Angeliki Zisimatou, Director, Cybersecurity, ABS
Cyber incidents in maritime are increasing in number and sophistication, with new forms of connectivity and new digital technologies creating additional risk for an industry that for a long time felt insulated from direct, targeted cyber attacks.
To address these risks, the industry has seen the implementation of various regulations driven by industry-led initiatives, but a global unified standard has yet to be developed. Shipowners must address recent regulations while keeping an eye on the horizon for the development of a more substantial regulatory framework.
New Unified Requirements from IACS covering ships and systems, new rules from the US Coast Guard covering US flagged vessels, guidelines from EMSA and BIMCO are all in place or coming soon. Since the introduction of provisions in the ISM Code, the International Maritime Organization has kept an eye on cybersecurity and will focus on the topic as a discussion item again in the near future.
Cyber presents a multi-faceted problem for shipping, a reality compounded by contrasting approaches to the problem that divide along familiar lines. Many operators are taking the issue seriously, but the response often depends on their size and capability – and whether they have previous experience of a cyber incident.
Some are investing heavily, establishing their own Security Operations Centres and cyber teams as well as addressing supply chain vulnerabilities. Smaller operators are less well advanced in the process of assessment and preparedness.
The same pattern broadly applies among vendors, with large original equipment manufacturers working to IEC standards and smaller technology providers sometimes struggling to meet the IACS requirements.
The same trend can be observed among shipyards, with some fully engaged and others believing their role as an integrator is primarily to collect information from vendors. In fact, the requirements of the IACS URs are quite specific in terms of what ship and system security should look like and there may be gaps in the data collected.
Understanding Risk
Among the challenges for operators is that effective cybersecurity generally requires a risk-based approach, whereas most maritime regulations attempt to be prescriptive in nature to better guide operators and assist them with implementation efforts. The lack of common data formats and the assumption that implementation of minimum security control levels is good enough can lead to compliance, but not necessarily security.
Some vessel operators continue to believe that being “air-gapped” from the internet or using only minimal connectivity reduces their risk to an acceptably low level. This assumption overlooks the insider threat: 83% of organizations reported at least one attack attributed to insiders, normally employees, whether intentional or otherwise, and an air gap does nothing to stop a threat that is already on board.
All operators, regardless of size, should start from the same baseline, and nothing prevents them from going further. All should, at the very least, have completed a risk management plan that identifies their assets, the vulnerabilities associated with them, and the mitigating actions for each.
A major factor in building that plan is understanding the human factor and the risks that accrue from the lack of training and awareness. Crew training in particular is critical, as many crewmembers have not had cybersecurity training and are not aware of the risks.
At the same time, the noise around the subject and the welter of competing products are confusing buyers who find it hard to determine what will and won’t make a difference. If classification societies provide more information and resources, buyers will be able to have a better understanding of the cyber risks and the market and will be able to make more informed decisions.
Next Steps
The most important step is not to rely solely on the controls provided by regulations to feel cyber-secure. Using them as a starting point, vessel operators must acknowledge the necessity for additional measures, which will inevitably require increased investment and resources. This commitment to enhanced cybersecurity should be an ongoing effort.
The industry would also benefit from an anonymised system of reporting so that experiences and risks can be shared, similar to the ship safety database developed some years ago by ABS and Lamar University. The USCG already requires a degree of information sharing regarding cyber incidents, so this trend will accelerate.
The industry also needs to carefully consider the cybersecurity of new technologies in shipping and the ever-present risk stemming from the long supply chain that connects third party equipment and system suppliers to operators.
The potential of machine learning, IIoT, blockchain technologies, and digital twins is clear, but some of these applications pose technology risks that have not been tested enough to provide historic vulnerability data. The prospect of AI in shipping is exciting to some, but do users understand how it can be exploited for malign intent?
At a time of so much information available to shipowners, the role of class as a source of impartial advice has never been more important. The first to issue guidance in 2016, ABS is updating its cyber notations for new and existing vessels and introducing new flexible notations to enable compliance with multiple standards depending on the needs of the vessel operator.
Some digital security experts suggest that cyber incidents of one sort or another are virtually inevitable, and it is best to consider them as such. The risk is real, but class has a collective responsibility in helping to defend the shipping industry and it is one we take seriously.
Energy News Beat