Shipping companies are currently facing the same challenge that other industrial sectors have already experienced with the arrival of Industry 4.0. That is, the necessary coexistence in the facilities of operational equipment (OT) connected to information systems (IT), both within a ship and with other workplaces.
Moreover, a malicious attack can originate anywhere and spread to the rest of the company’s locations, so it is necessary to draw up a comprehensive cybersecurity plan for the entire organisation to ensure that there are no loopholes in any facility that could be exploited by cybercriminals.
The production centres of a shipping company are the ships and should be the top priority in terms of cyber security. To ensure their cyber-resilience, the necessary mechanisms will have to be put in place to prevent security incidents internally or from other infected sites.
On the other hand, the sector is undergoing a legislative revolution that means that cybersecurity will have to be present in most ships, both in operation and in their construction:
– In January 2021, resolution MSC 428(98) came into force, requiring ships to include a cybersecurity plan as part of their ISM.
– In January 2024 a new IACS regulation will come into force (Regulations E26 and E27) which will oblige new constructions of ships and offshore platforms, certifiable by IACS classification societies, to include a cyber security notation.
So, what measures should we implement to guarantee cybersecurity in the fleet and in the rest of the shipping company’s facilities?
In this article we will describe the starting point of a cybersecurity management system in any shipping company: the Cybersecurity Plan.
In the next two articles we will evaluate how to protect the production facilities (ships) and the rest of the work centres (headquarters, warehouses ….).
Global Cybersecurity Plan
The development of a comprehensive cyber security plan allows an organisation to know what assets to protect, how to protect them and what mechanisms to develop to recover from a cyber attack.
- The starting point is an analysis of the OT/IT systems at each site, that is, an inventory of the assets that need to be protected. Each of these assets needs to be classified according to its criticality within the facility.
- Once we know the assets to be protected in each centre, it is essential to study them to find their vulnerabilities and establish countermeasures to protect them against cyber-attacks. At this point It is also necessary to apply measures that guarantee the isolation and containment of possible cyber-attacks, such as network segregation or access denial by default. This will prevent a malicious action from jumping from one system to another or even infecting other facilities.
- The next step would be to develop the necessary procedures (technical and operational) that guarantee the correct management of the equipment, taking into account all the situations that could put them at risk, such as: connections to TCP/IP networks, remote controls, software installation and updating procedures, etc.
- Once the procedures have been defined, it is necessary to design a comprehensive contingency plan that defines how to recover from a possible cyber-attack that affects our assets, so that we have measures in place to restore the most sensitive systems in the shortest possible time.
- An essential aspect is to create user guidelines to train users on how to use the assets, make them aware of the risks and generate a culture of cybersecurity in the company.
The Cybersecurity Plan will include all systems in each workplace and should be developed as a standard that can be applied to all company facilities.This cyber security plan should be used as a regulatory framework for the installation of new vessels or workplaces.
There are many best practice guides that can assist in this process. One of the best is that of BIMCO, which helps to identify the most sensitive systems, describes a procedure for drawing up the cyber security plan and gives guidelines on how to implement TCP/IP networks on board.
Conclusions
Cybersecurity has to be addressed globally by looking at all OT/IT assets of all ships, offices, warehouses and other workplaces of a shipping company. Unsecured sites are likely to be the gateway for potential security incidents and, depending on their interconnectedness, responsible for spreading them to the rest of the organisation.
The cybersecurity plan allows us not only to identify the vulnerabilities of the systems that make up each production or work centre. It also serves as a basis for establishing standard cybersecurity procedures and training all members of the organisation.
The ultimate goal is to create a culture of cyber security that will help implement the necessary changes in the future to ensure that the cyber resilience of the business is maintained.
Need more information? – Contact us