Cyber Security on Ships

The ship and its crew must be able to cope effectively with cyber incidents affecting the onboard computer-based systems that help to operate and maintain the ship in a safe condition. If no measures are implemented, such events could affect human safety and the safety of the vessel and/or pose a threat to the marine environment. The most effective way of dealing with an incident is to prevent it from ever happening, so in this context “prevention” is even more important than “cure”.

What is meant by Cyber Incident?

An occurrence, which actually or potentially results in adverse consequences to an on-board system, network and computer or the information that they process, store or transmit, and which may require a response action to mitigate the consequences.

What is meant by IT and OT?

Information Technology (IT): Devices, software and associated networking focusing on the use of data as information, as opposed to Operational Technology (OT).

Operational technology (OT): Devices, sensors, software and associated networking that monitor and control onboard systems.

What is meant by Cyber attack?

Any type of offensive maneuver that targets IT and OT systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data.

What is meant by Contingency Plan in cyber security onboard ships?

The plan that provides essential information and established procedures to ensure effective response and recovery in case of a cyber incident affecting computer-based systems that provide an essential contribution.

What is meant by Cyber resilience of a ship?

Cyber resilience means the capability to reduce the occurrence and mitigate the effects of incidents arising from the disruption or impairment of operational technology (OT) used for the safe operation of a ship, which could potentially lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment.

What is meant by Cyber risk management?

The process of identifying, analyzing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders.

What is meant by Cyber safety?

The condition of being protected against vulnerabilities resulting from inadequate operation, integration, maintenance and design of cyber related systems, and from intentional and unintentional cyber threats.

What is meant by System Categories (I, II, III)?

  1. Those systems, failure of which will not lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment.
  2. Those systems, failure of which could eventually lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment.
  3. Those systems, failure of which could immediately lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment.

What are 5 elements of effective cyber risk management?

  1. Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
  2. Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
  3. Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
  5. Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

What are the factors to be considered while carrying out risk assessment of onboard computer-based systems?

  1. A detailed risk assessment of onboard computer based systems should be carried out using standard risk assessment techniques. The risk assessment during new building phase should be carried out by the yard/system integrator and owners.
  2. Risk analysis should identify immediate effect on the equipment and overall impact on ship operation which can affect human safety, safety of vessel and environment. The risk analysis should consider the effect on the systems integrated or interfaced to other systems.
  3. The risk analysis could be qualitative or quantitative and the consequence should be graded in order of severity. (e.g. trouble to daily life, serious trouble to daily life, damage to life, impact on business activity, suspension of business activity).
  4. The consequences should be analysed for availability, integrity and confidentiality of the data for the computer based system due to cyber threat, which could eventually affect human safety, safety of vessel and threat to environment.
  5. Type of vessel, extent of connectivity between various systems and between ship and shore, should be considered in risk assessment. The assessment should include identification of each designed safe state.
  6. The risk analysis should consider the effect on the systems integrated or interfaced to other systems, including the effects of systems not onboard, if remote access function from shore is provided.
  7. A document containing a description of the safeguards (controls) and instructions on how to verify their effective implementation, or a rationale for those not implemented should be developed.

How is SSP (Ship Security Plan) and SMS (Safety Management System) related to cyber risk management?

Physical security aspects of cyber security, such as procedures related to physical access to areas with IT and OT systems, should be addressed in the ship security plan (SSP) under the ISPS Code. The SSP must also contain a reference to the SMS regarding cyber security procedures.

The remaining procedures on cyber risk management should be reflected in the SMS. SMS procedures should consider risks arising from the use of IT and OT on board, taking into account applicable codes, guidelines and recommended standards. Procedures addressing, e.g., commercial risks may also be included in the SMS rather than in a separate document.

List a few threat actors and their motivations?

  1. Accidental actors (no malicious motive, but still end up causing unintended harm through bad luck, lack of knowledge or lack of care, e.g. inserting an infected USB in onboard IT or OT systems)
  2. Activists, including disgruntled employees (revenge, disruption of operations, media attention, reputation damage)
  3. Criminals (financial gain, commercial espionage, industrial espionage)
  4. Opportunists (the challenge, reputational gain, financial gain)
  5. States, State sponsored organisations, Terrorists (political/ideological gain, e.g. (un)controlled disruption to economies and critical national infrastructure, espionage, financial gain, commercial espionage, industrial espionage, commercial gain)

What are the types of cyber threats?

In general, there are two categories of cyber threats that may affect companies and ships:

  • Untargeted attacks, where a company or a ship’s systems and data are one of many potential targets
  • Targeted attacks, where a company or a ship’s systems and data are the intended target or one of multiple targets.

List a few untargeted cyber attacks?

Untargeted attacks are likely to use tools and techniques available on the internet, which can be used to locate, discover and exploit widespread vulnerabilities that may also exist in a company and onboard a ship. Examples of some tools and techniques that may be used in these circumstances include:

  • Malware: Malicious software, which is designed to access or damage a computer without the knowledge of the owner. There are various types of malware including trojans, ransomware, spyware, viruses, and worms. Ransomware encrypts data on systems until a ransom has been paid. Malware may also exploit known deficiencies and problems in outdated/unpatched business software. The term “exploit” usually refers to the use of a software or code, which is designed to take advantage of and manipulate a problem in another computer software or hardware. This problem can, for example, be a code bug, system vulnerability, improper design, hardware malfunction and/or error in protocol implementation. These vulnerabilities may be exploited remotely or triggered locally eg a piece of malicious code may often be executed by the user, sometimes via links distributed in email attachments or through malicious websites.
  • Water holing: Establishing a fake website or compromising a genuine website to exploit unsuspecting visitors.
  • Scanning: Searching large portions of the internet at random for vulnerabilities that could be exploited.
  • Typosquatting: Also called URL hijacking or fake URL. Relies on mistakes such as typos made by internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative and often malicious website.
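A defensive check for the typosquatting case above, as an added example that is not part of the original page: a mail gateway or proxy can compare each requested host against an allow-list and flag near misses. The domain names, the allow-list and the distance threshold are constructed assumptions.

```python
# Added example: flag lookalike (typosquatted) hosts against an allow-list.
# Domain names and the distance threshold are constructed for illustration.
from typing import Optional, Tuple
from urllib.parse import urlsplit

TRUSTED = {"fleet-portal.example", "crewmail.example"}  # hypothetical allow-list


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare host string."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.rstrip(".")


def classify(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, nearest trusted domain); verdict is trusted/lookalike/unknown."""
    host = host_of(url)
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return "trusted", domain
    nearest = min(sorted(TRUSTED), key=lambda d: osa_distance(host, d))
    if osa_distance(host, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None


if __name__ == "__main__":
    for u in ("https://fleet-portal.example/login",
              "http://fleet-protal.example/login",
              "crewmai1.example", "https://weather.example/"):
        print(u, classify(u))
```

A "lookalike" verdict is a prompt to block or warn; "unknown" only means the host is not close to any allow-listed name.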

List a few targeted cyber attacks?

Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a certain company or ship. Examples of tools and techniques, which may be used in these circumstances, include:

  • Spear-phishing: Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software. In some instances, SAT-C messages have been used to establish a sense of familiarity with a malicious sender’s email address.
  • Subverting the supply chain: Attacking a company or ship by compromising equipment, software or supporting services being delivered to the company or ship.

What are the stages of a cyber incident?

Survey/reconnaissance: Open/public sources such as social media are used to gain information about a potential target (eg a company, ship or seafarer) in preparation for a cyber attack. Social media, technical forums and hidden properties in websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities. The use of open/public sources may be complemented by monitoring (analysing, or “sniffing”) the actual data flowing into and from a company or a ship.

Delivery: Attackers may attempt to access the company’s and ship’s systems and data. This may be done from either within the company or ship or remotely through connectivity with the internet. Examples of methods used to obtain access include:

  • company online services, including cargo or container tracking systems
  • sending emails containing malicious files or links to malicious websites to personnel
  • providing infected removable media, for example as part of a software update to an onboard system
  • creating false or misleading websites, which encourage the disclosure of user account information by personnel.

Breach: The extent to which an attacker can breach a company’s or ship’s system will depend on the significance of the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach might not result in any obvious changes to the status of the equipment. Depending on the significance of the breach, an attacker may be able to:

  • make changes that affect the system’s operation, for example interrupt or manipulate information used by navigation equipment.
  • gain access to, take copies of or alter operationally important information such as loading lists or commercially sensitive data such as cargo manifests and/or crew and passenger/visitor lists.
  • achieve full control of a system, for example a machinery management system.

Pivot: Pivoting is the technique of using an already compromised system to attack other systems in the same network. During this phase of an attack, an attacker uses the first compromised system to attack otherwise inaccessible systems. An attacker will usually target the most vulnerable part of the victim’s system with the lowest level of security. Once access is gained then the attacker will try to exploit the rest of the system. Usually, in the pivot phase, the attacker may try to:

  • upload tools, exploits and scripts in the system to support the attacker in the new attack phase
  • execute a discovery of neighbour systems with scanning or network mapping tools
  • install permanent tools or a key logger to keep and maintain access to the system
  • execute new attacks on the system.
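Detection logic for the neighbour-discovery step of the pivot phase, as an added example that is not part of the original page: it flags any onboard host that contacts an unusually large number of distinct neighbours within a short time window. The log format, addresses, ports and thresholds are constructed assumptions, and records are assumed to arrive in timestamp order.

```python
# Added example: spot neighbour discovery (internal scanning) in connection logs.
# Log format ("epoch src dst dport"), addresses and thresholds are constructed.
from collections import defaultdict, deque

SAMPLE_LOG = "\n".join(
    ["1000 10.0.5.20 10.0.5.1 53", "1001 10.0.5.20 10.0.5.40 443", "garbled line"]
    # burst: one host touches 7 neighbours in 7 seconds
    + [f"{1010 + i} 10.0.5.31 10.0.5.{10 + i} 445" for i in range(7)]
    # slow poller: same 7 neighbours, one every 5 minutes
    + [f"{2000 + 300 * i} 10.0.5.22 10.0.5.{10 + i} 502" for i in range(7)]
)


def find_scanners(log_text, window=60, max_targets=5):
    """Map each source to its peak count of distinct (dst, port) pairs inside
    any `window`-second span, keeping only sources that exceed `max_targets`.
    Assumes log lines are in timestamp order."""
    recent = defaultdict(deque)  # src -> (ts, dst, port) tuples still in window
    peaks = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port = int(parts[0]), parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            continue  # skip malformed records instead of aborting the run
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({(d, p) for _, d, p in q})
        if distinct > max_targets:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

With the default 60-second window only the burst source is reported; widening the window also surfaces the slow poller, which is why the window and threshold should be set from each network's normal traffic.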
