Shipping Sets Watch for Cyber ThreatsMorand Fachot, Communications Officer, International Electrotechnical Commission (IEC) | July 21, 2016
Piracy has posed a major security threat to mariners from Asia to the Mediterranean since time immemorial. In the future, threats from armed gangs boarding ships and holding vessels and crews for ransom may be replaced by threats from cyberspace.
Every day, many institutions, establishments and individuals are the targets of cyberattacks. While the maritime industry has yet to record a major cyber incident, it recognizes that it is only a matter of time before some of its assets are targeted. As a result, it is taking pre-emptive measures, which include adopting international standards to mitigate the possibility of cyberattacks and their potential impact.
Armed robbery and piracy against ships still poses a significant threat to shipping; it is concentrated in certain areas but has dropped 44% since 2011 when Somali pirates were most active. The International Chamber of Commerce (ICC) International Maritime Bureau (IMB) 2015 annual report on "Piracy and armed robbery against ships" recorded 246 incidents worldwide (245 in 2014 and 439 in 2011). Nearly 60% of these incidents took place in Southeast Asia. The report indicates that 203 vessels were boarded. There also were 27 attempted attacks and 15 hijackings, and 333 crew were victims of various acts of violence: kidnapping, being held hostage, injury, and in one case, killed.
Bulk carriers, tankers of various types and container and cargo ships made up some 90% of the targets. However a new, less spectacular form of piracy, cyberpiracy, looms on the horizon. It may prove far more costly and quite possibly no less dangerous to the shipping industry.
Cyber Incidents on Ships
Cyberattacks against maritime assets would have particularly serious ramifications since around 80% of global trade by volume and over 70% of global trade by value is carried by sea and is handled by ports worldwide, according to UNCTAD, the United Nations Conference on Trade and Development.
Furthermore, ships represent high-value assets. The cost of an 18,000 Twenty Foot Equivalent Unit (TEU) container ship, one of the largest types currently sailing, is around $200 million. If its cargo is included, it can be worth $1 billion or more.
The International Maritime Organization (IMO), the UN specialized agency with responsibility for the safety and security of shipping and the prevention of marine pollution by ships, is now considering cyber security matters together with other bodies and relevant international organizations.
Gert-Jan Panken, a senior executive from Inmarsat, the global satellite communication company set up by the IMO, told participants at a recent Maritime Cyber Risk Management Summit in London that 43% of seafarers reported having worked on vessels that had been compromised by a cyber incident. Such an incident could have constituted malware insertion, digital virus attack or a software updating issues. Some 95% of cyber incidents were human-related, yet only 10% of crew surveyed had received some form of cyber security training, according to Marine Electronics & Communications. This fact points to a weakness that should, however, be relatively easily remedied by applying appropriate training measures.
Outdated software and ships not designed with modern cyber security in mind are two existing vulnerabilities that have been identified in a study led by Plymouth University’s Maritime Cyberthreats Research Group. The paper, published in Engineering and Technology Reference, notes that maritime-related systems for navigation, propulsion, and cargo-related functions can be the targets of cyber-attacks. It points out that “the [maritime] sector is probably the most vulnerable aspect of critical national infrastructure.”
Cyber incidents could affect a number of systems and points of entry. Some of these were identified by speakers at the Maritime Cyber Risk Management Summit. They include the automatic identification system (AIS), global positioning system (GPS) and inputs to the electronic chart display and information system (ECDIS). They could also come from connection to online services over satellite communications, in-port Wi-Fi, or through contractors providing remote monitoring services, or engineers updating shipboard system software. The Global Maritime Distress and Safety System (GMDSS) developed by the IMO is seen as another potential target of cyber attacks.
IEC TC 80: Maritime navigation and radiocommunication equipment and systems, is involved in developing international standards for many of these systems via the International Electrotechnical Commission (IEC). An IEC Technical Committee, IEC TC 80: Maritime navigation and radiocommunication equipment and systems, is involved in developing international standards for many of these systems, in agreement with IMO.
It has published 12 standards covering various aspects of GMDSS (based on IMO resolutions) in the IEC 61097 series. It has also developed international standards for AIS and ECDIS.
A number of maritime industry organizations and bodies have highlighted the potential risks posed by cyber incidents and are preparing for these.
A September 2015 information paper on cyber risk by the Joint Hull Committee (JHC), which brings together underwriting representatives from both Lloyd’s and the International Underwriting Association of London (IUA) notes that "the risk of a loss to a ship as a result of cyber disruption is foreseeable, but is not yet a reality".
The Baltic and International Maritime Council (BIMCO), one of the world’s largest international shipping associations, published guidelines on cyber security onboard ships in January 2016. BIMCO Secretary General Angus Frew said at the time that the aim of these guidelines was “to provide the shipping industry with clear and comprehensive information on cyber security risks to ships.” He added that they “should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate.”
Canada and the United States submitted a framework document for cyber risk management (CRM) to the IMO Facilitation Committee in January 2016. These “Guidelines on the facilitation aspects of protecting the maritime transport network from cyberthreats”, list five functional elements – identify, protect, detect, respond, recover – “which taken together can form the foundation of an effective CRM system.”
Cyber Risk Management
A common thread to all these documents is that they show clearly that all of the measures recommended to be taken to ensure better cyber security rest on a number of international standards, many of which are developed by ISO/IEC JTC 1/SC 27: Security Techniques.
ISO/IEC JTC 1/SC 27 is a Subcommittee of ISO/IEC JTC 1, the Joint TC formed by the IEC and the International Organization for Standardization (ISO) to prepare International Standards for Information Technology.
The Guidelines submitted by Canada and the US to IMO list the following CRM-related Standards and Technical requirements (TR) developed by ISO/IEC JTC 1/SC 27:
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC TR 27019:2013, Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC 27031:2011, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27033-3: 2010, Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
ISO/IEC 27039:2015, Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems (IDPS)
The BIMCO guidelines focus on “issues facing the shipping industry onboard ships” but give the “ISO/IEC 27000 series of Information Security Management Systems (ISMS) standards” as an example of international standards and guidelines that “cover cyber security issues for shoreside operations.”
As for the JHC, its Cyber Risk Assessment Guidance background checks state that shipping companies should carry out “a thorough threat assessment, contemplating (...) the current level of compliance with international security standards (ISO/IEC
27001 / 27002, NERC [North American Electric Reliability Corporation] 1300, ISA/IEC 62443.) The IEC 62443 series of IS, TS and TR on Industrial communication networks – Network and system security, is developed by IEC TC 65: Industrial-process measurement, control and automation.
Cyber incidents may not stay limited to cargo theft and smuggling for long
In recent years a number of cyber incidents focusing on cargo rather than vessels have been reported.
In June 2013 Belgian and Dutch police broke a drug smuggling ring after tracking down hackers who had penetrated shipping companies computers to follow the movement of containers loaded with drugs to let traffickers locate the right containers and remove them undetected.
Pirates have also been found to have hacked a shipping company’s computers to locate valuable cargo, according to findings published in a data breach investigation report by Verizon. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate – and that crate only – and then depart the vessel without further incident,” the report notes.
So far no major shipping disaster has resulted from cyber attacks. However, the industry considers this to be a possibility, as previously mentioned reports indicate. Insurers also worry about the possibility of a shipping disaster resulting from a cyber incident. In its 2015 Safety and Shipping Review, Allianz Global Corporate & Specialty notes that “A cyber-attack could result in a total loss, leading to substantial insurance claims for hull, cargo and protection & indemnity underwriters. It could even involve multiple vessels from the same company.”
Allianz says that the cost of a maritime disaster involving two megaships could reach $2 billion.
The trend towards increased automation and ongoing work on the introduction of remotely operated unmanned vessels, may see cyber incidents on shipping assets increase in the future.
Reports and recommendations from the IMO and the maritime sector organizations show that the cyberthreats are being taken seriously; these reports also show that International Standards developed by the IEC on its own or within ISO/IEC JTC 1 are seen as central to protecting shipping against these threats.