A group of international shipping organizations is developing guidelines to deal with the emerging cybersecurity threat to vessels and vessel operators, with malicious email attachments often posing the biggest risk.
BIMCO is the lead organization developing the guidelines with a group that includes Intertanko, the International Association of Dry Cargo Shipowners (Intercargo) and the International Chamber of Shipping (ICS).
“We are getting ahead of the curve here, and showing that the industry’s best practices, based on our knowledge and experience, will be the best fit for the rest of the world,” said Phillip Belcher, marine director of Intertanko, based in London.
An update on formulating the guidelines was on the agenda at the 95th session of the International Maritime Organization’s (IMO) Maritime Safety Committee, which met in London in June. The group has been working for two years on the measures and the goal is to present the final guidelines to the IMO’s safety committee in 2016.
The guidelines will be voluntary and non-governmental. “We would like industry to create and maintain the guidelines,” said Lars Robert Pedersen, deputy secretary-general of BIMCO, based in Denmark. “It is a moving target. You have new exploitations being found every day. If you start down the regulation road then you get into a rigid framework, which is not easy to adopt to the changing nature of the subject.”
The problems stem from the fact that electronic and computer systems on modern ships are fully integrated, which means navigation, steering control, communications and cargo systems are vulnerable to a cyberattack. “The augmented use of electronic data exchanges increases the likelihood of cyberattacks in variety, frequency and sophistication,” states the outline of guidelines submitted to the IMO. In addition, the remote monitoring, diagnosis and maintenance of ship systems from shoreside companies is increasing.
The industry groups’ proposal focuses on cybersecurity for ships. The proposed guidelines include: education about the safe use of personal email, software and social media; education and training about protecting key software that controls navigation, steering, communication and cargo management; conducting a cybersecurity risk assessment of the ship using existing standards and the latest intelligence and best practices; and developing a contingency plan in case of a cyberattack.
Cyberattacks range from a mariner hooking up a cellphone to ship systems to listen to music (which can introduce malware) to a crewmember opening a malicious email attachment, said Capt. Andrew Tucci, chief of the Coast Guard Office of Port and Facilities Compliance.
“Despite all the high-tech aspects of cybersecurity, a very large proportion of cybersecurity incidents are caused by somebody clicking on a link,” Tucci said.
Capt. Michael Dickey, deputy commander of Coast Guard Cyber Command, agreed. “A huge percentage, probably about 90 percent of intrusions, are due to a failure to just do the basics,” he said.
Tucci said the Coast Guard has seen “extremely powerful Wi-Fi devices” concealed on ships with password-cracking software. Attacks could come from a USB stick that introduces malware, an email attachment, or from the ship’s shoreside IT system, according to the guidelines.
In addition, a hacker could attack ships through data connections with the home office as a way to get to mainland targets, such as the ship operator or charterer. It is “a vulnerable link,” Belcher said. “The levels of protection on a ship are far less than in other environments.”
Attacks can come from foreign intelligence services, criminal gangs or a lone hacker. The most publicized threat is GPS jamming or spoofing, in which a fake GPS signal is created and introduced into the ship’s navigation systems without the awareness of ship officers. Capt. David Moskoff, a professor in the Marine Transportation Department at the U.S. Merchant Marine Academy, said the industry guidelines are a good first step, but he would like more emphasis on cyberattacks of GPS signals.
However, officials stress that most cyberattacks would come through more mundane channels, such as malware or computer viruses. And recent publicity has exaggerated the actual threat cyberattacks pose to ships. “We should not blow this out of proportion, especially at a juncture when we have so little evidence of real incidents,” said Pedersen.
“To say that somebody is going to be hacking ships and making them turn circles in the middle of the Atlantic Ocean — I don’t see that happening right now,” said Dickey.
Cybersecurity preparedness should focus on addressing risk, so that threats can be assessed and prioritized, Tucci said. “I look at this not so much as cybersecurity but as cyber risk management,” he said.
Crew education is critical. “If you are not training your people about what to plug in and what to click on, you are going to get bad stuff in your system,” Tucci said.
Experts emphasize that cyber risk management should be handled as a team. “You don’t just say this is an IT problem,” Tucci said. “The team should include IT, security personnel, emergency managers and licensed mariners to figure out what are the vulnerabilities and what are the smart ways to mitigate that.”
And if critical systems such as navigation, steering control or communication are compromised, ship operators need to figure out how to operate these systems manually, according to the guidelines. For example, mariners may have to use traditional navigational methods, such as paper charts and celestial navigation, according to Belcher.