Ms. Siddhi Mundada, Batch of 2020, ILS Law College, Pune
Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and to protect against the unauthorized exploitation of systems, networks and technologies. In maritime activities, the systems used for communication or navigation at major ports also require this security. Cyber security faces various threats of breach from hackers, terrorists, rival companies, criminal organisations or even insiders, by various means such as spoofing or jamming. Spoofing is a type of scam in which criminals attempt to obtain someone’s personal information by pretending to be a legitimate business, a neighbor, or some other innocent party. Jamming is the effective blocking of communication on a wireless channel to disrupt normal operation, cause performance issues, or even cause damage to the control system. Cyber security is an essential niche in maritime security, as unauthorized internet access may give attackers an opportunity to breach the shipboard network, which could eventually pose various threats, such as financial threats to the parties involved in shipping the cargo as well as threats to the lives of the crew on the ship.
Importance of cyber security in shipping industry
Maritime Cyber Security risk is defined by IMO (International Maritime Organisation) as “a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.”
The technological advancements have aided the growth of all the industries. The shipping industry also experienced advancement in its operation and management. The cyber technologies ensure safety and security of the crew members, marine environment, and the cargo. The technologies have integrated IT (Information Technology) and OT (Operational Technology) on the ships through connectivity to the internet.
The Guidelines on ‘Cyber Security On-board Ships’ anticipate that a breach of cyber security will have physical effects as well as potentially threaten safety and result in pollution. Hence, companies are required to assess the risks arising from the use of IT equipment and OT equipment and to establish safeguards against such potential threats.
Without an appropriate cyber security mechanism, the infrastructure of the ship, the safety of the cargo and crew, as well as the finances and reputation of the company and the government, are exposed to a plethora of risks. Attackers can also hack and infect systems on a vessel that lack appropriate software.
Therefore, it is important for an organisation to have Cyber Security to alleviate overall risk.
Past incidents of Cyber Threats
MAERSK line was hit by the global ‘NotPetya’ cyber-attack on 27 June, 2017, causing major disruptions in its global operations. The attack was targeted at Ukraine, but a lot of companies worldwide became victims in this cyber war.
SOMALI pirates hacked into the systems of ships by uploading malware, which allowed them to access ship data and carry out hijacking of cargo on the ship.
NORWEGIAN energy, oil and gas sector was the victim of over 50 cyber security incidents in the year 2015.
Hackers are able to locate containers that are loaded with illegal drugs and can remove them undetected by accessing their cyber systems. Hackers can also cause a vessel to deviate from its route by jamming its navigation system.
Findings and suggestions
In June 2017 the Maritime Safety Committee adopted MSC.428(98), a resolution on Maritime Cyber Risk Management in Safety Management Systems, and issued guidelines in circular MSC-FAL.1/Circ.3 on 5th July 2017. A safety management system should include cyber risk management in accordance with the objectives of the ISM Code. This has been made mandatory as of 1st January, 2021.
The IMO says that the goal of maritime cyber risk management is “to support safe and secure shipping, which is operationally resilient to cyber risks”.
Guidelines that are laid down by IMO:
Cyber risk management at the senior management level should be efficient and should embed a culture of cyber risk awareness.
The approach adopted should be risk-based, with a comprehensive assessment that compares an organisation’s current and desired cyber risk management postures. This can help in producing a prioritized cyber risk management plan.
As a response to the risk management review, consideration should be given to the 5 NIST Cyber Security Framework domains:
Identify the roles in cyber risk management and any kind of systems, assets, data or capabilities that, if disrupted, can pose a risk to ship operations.
Protect against a cyber-incident and implement risk control processes for the same.
Detect a cyber-incident in a timely manner.
Respond by developing and implementing plans to provide resilience and restore the systems necessary for shipping operations.
Recover the cyber systems necessary for shipping operations.
All operational systems must be reviewed regularly.
Awareness must be communicated regarding the same throughout the organisation.
The Guidelines identify systems like the bridge, cargo handling and management, propulsion and machinery, access control, passenger servicing and management, passenger facing public networks, administrative and crew welfare and communications that should be considered. In some cases, these guidelines need to be in compliance with the international standards and the requirements of the respective flag state.
IMO does not prescribe how the recommendations should be implemented, but refers to NIST, industry organisations and ISO/IEC 27001 as sources of additional guidance.
The Guidance applies to stakeholders in the maritime industry. It is not mandatory; rather, it gives an overall approach that companies should take into account while addressing maritime cyber risks within the SMS, as required by the International Safety Management Code.
A maritime company’s plans and procedures for cyber risk management should be aligned with the existing security and safety risk management requirements as mentioned in the ISPS and ISM Codes. It shall also include requirements related to training, operations and maintenance of critical cyber systems on-board.
The ISM Code requirements are to be complied with by developing, implementing and maintaining an SMS which will ensure safe ship operations and also prevent pollution.
IMO resolution MSC.428(98) of June 2017:
Brings an approved safety management system that takes into account cyber risk management in accordance with the objectives and requirements of the ISM Code.
Asks the administrations to ensure cyber risks are being addressed appropriately in safety management systems.
It recognises the necessary precautions that are needed to preserve the confidentiality of aspects of cyber risk management.
It requests the member states to spread awareness about the resolution and make sure that the companies comply with the guidelines.
IMO has given time to ship operators, until 2021, to incorporate cyber risk management systems into their ships. Covid-19 has brought times of crisis which will lead to cybercriminals taking advantage of this situation through various methods.
In the era of high technological advancements, with increased communication, large networking and extensive use of the cloud, threats to safety, in various and unimaginable forms, are ever-increasing. Cyber-criminals will prepare to carry out sophisticated and well-planned cyber-attacks that will prove to be highly destructive. Cybersecurity cannot depend completely on the systems and processes that are designed for the ship; it also requires that the people operating such systems are trained properly to use them. Technology is a path to an advanced future, but it also opens doors to a lot of crimes. While progressing in this “tech world”, one needs to ensure that appropriate measures are taken to avoid breaches of data and losses to businesses.
[Disclaimer- The views expressed in the article are personal views of the author]
SMS: Safety Management Systems