This article is the second in a series of three that analyse the global measures a shipping company can put in place to secure all of its productive and non-productive installations.
In this post we focus on ship security, developing common guidelines so that cybersecurity is applied on the same terms across the fleet and a standard level of cybersecurity is reached on every vessel.
Before taking this step, it is necessary for the company to draw up a comprehensive cybersecurity plan, including the particularities of each vessel, office, etc. This cybersecurity plan should be as standard as possible, at least in terms of the operational procedures to be developed by the crew and employees of the shipping company.
For more information on this first level you can review the article Cybersecurity of Shipping Companies – Cybersecurity Plan.
Fleet cybersecurity
Ships are the hardest sites to secure: more and more operating equipment allows remote updating or monitoring, carries its data over TCP/IP networks or over industrial protocols designed without authentication or encryption (Modbus and NMEA 0183 are typical), and is managed by software that in many cases is not up to date.
These OT systems will, in the short term, be the entry point for most security incidents, as has already happened in other industrial sectors with the advent of Industry 4.0.
On the other hand, it is necessary to highlight the differences in the implementation of security measures on ships that are under construction, compared to ships that are already in operation.
We will analyse each of these two scenarios separately, as there are factors that affect both the difficulty and the method of installing cybersecurity. Some of these factors are: access to information, knowledge of connected OT systems and applicable regulations.
Cybersecurity in new buildings
New ship constructions allow cybersecurity to be incorporated into all phases of the project, analysing each system and ensuring that appropriate measures are put in place to make the ship cyber-resilient.
One advantage is access to the necessary documentation, which can be requested from suppliers/manufacturers or directly from the shipyard.
A new building is also an excellent opportunity to design proper network segregation by critical system, so that a compromise of one network (for example the crew Wi-Fi) cannot reach the navigation or propulsion networks.
In addition, it is easier to check the implementation and integration of systems according to documentation and to carry out penetration tests to ensure the ship’s cybersecurity.
On the other hand, from January 2024 the unified requirements E26 and E27 of IACS (International Association of Classification Societies), to which most of the classification societies that certify ships around the world belong, come into force for new buildings.
These requirements make cyber resilience of the ship (E26) and of its on-board systems and equipment (E27) a mandatory part of the classification of new ships.
Regarding the IACS regulations, there are several factors to consider:
- Each classification society has defined its own cybersecurity levels, expressed as different class notations depending on the level to be implemented on a ship. The methods and the documentation to be submitted differ from one society to another, so being certified by Bureau Veritas, DNV, RINA, etc. is not the same thing.
- Being certified does not mean that the ship is cyber-resilient. Many certifications leave out systems that, although not essential, have connections that can be the entry point for a security incident.
- Resilience to cyber attack requires the analysis of all OT/IT equipment to be installed on the ship; a system is taken out of scope only after it has been studied and it has been shown that its installation on board cannot be the origin of a cyber-attack.
The application of cybersecurity by design is a process that begins with the signing of the agreement for construction, between the shipyard and the shipowner, and concludes with the delivery of the ship.
Throughout this process there are several phases: project specification, analysis of the ship’s IT/OT systems, analysis of the integration of the systems with other systems and IT networks, security testing and certification/delivery.
To learn more about each of these phases, you can access the article What is cybersecurity by design in the shipbuilding industry?
Cybersecurity on Operating Ships
Ships in service are more difficult to analyse from a cybersecurity perspective. However, depending on the age of the installation, they may be at lower risk of attack, since most of their OT equipment will be isolated (stand-alone, with no network connection).
In most cases, vessels in operation have obsolete OT systems with outdated operating systems and software. Some of them may even no longer be developed or have no security patches available.
It should be considered that the lifetime of most operational equipment is more than 20 years and it is usually not replaced unless it becomes inoperative or a regulation arises requiring it to be upgraded or replaced with a more advanced capability.
In addition, there is a lack of visibility of many of the devices: it is not known which assets make up the OT environment, which of them are connected to a network and which are not.
Moreover, there is no OT configuration management. Much of the equipment still has the default configuration it was given at installation, and it is common practice for the technicians of some systems to set the same passwords on every ship of the fleet, so that support technicians can reach the configuration easily. A single leaked or guessed password then opens the same system on every vessel.
Since January 2021 all merchant ships in operation must comply with IMO resolution MSC.428(98), which requires cyber risks to be addressed in the Safety Management System under the ISM Code; in practice this means a cybersecurity plan that includes a procedure for recovering from a cyber attack.
In order to develop a cybersecurity plan that complies with the resolution, it is necessary to carry out:
– an asset inventory;
– a risk analysis to establish the criticality of each system and its threats and vulnerabilities;
– the implementation of barriers to mitigate the deficiencies found;
– the necessary security procedures;
– a recovery plan for each system analysed.
The procedures and best practice guidelines that emerge from this cybersecurity plan should be communicated to the entire crew, so that a culture of cybersecurity is gradually created on the ship and, by extension, throughout the fleet.
In many cases it is also advisable to bring an external consultancy on board to detect undocumented or undetected systems, and to perform system implementation and penetration tests, so that all of the ship's assets are covered by the analysis.
One of the typical problems that can arise in these installations is when an old system is replaced with new equipment that has remote connection capabilities, or new IT networks are installed that interconnect obsolete systems that were previously isolated.
To mitigate the threats that may arise, every modification made to the ship must be analysed from a cybersecurity perspective, looking at what information the new system exchanges with the others and at its remote service capabilities (software updates, monitoring or maintenance), since a remote path into a previously isolated network changes the risk of every system on it.
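The inventory and risk-analysis steps of the plan described above, and the analysis of a modification that bridges previously isolated networks, can be made mechanical once the asset inventory exists. The following Python script is an added example, not code from the original article or from any classification society; the asset records, zone names, the scoring formula and the two sample ships are constructed for illustration. It ranks a fleet inventory by criticality and exposure (unsupported OS, shore-side remote access, admin credentials shared across ships, cross-zone bridges) and then checks whether installing a proposed remote-monitoring gateway would make previously isolated zones reachable from shore.

```python
"""Inventory-driven OT/IT risk triage for a fleet, plus a check for onboard modifications.
Hypothetical example: asset records, scoring and zone names are constructed, not from any class rule."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ship: str
    name: str
    zone: str                   # network zone on board: "bridge", "engine", "crew-lan"
    criticality: int            # 1 = convenience ... 3 = essential for safe operation
    os: str
    os_supported: bool          # vendor still publishes security patches
    remote_access: bool         # vendor update/monitoring/maintenance link to shore
    connected_zones: frozenset  # other zones this asset exchanges data with
    credential_id: str          # label (or hash) of the admin credential, "" if unknown

def fleet_shared_credentials(assets):
    """Credential labels reused on more than one ship (the 'same password everywhere' case)."""
    ships_by_cred = {}
    for a in assets:
        if a.credential_id:
            ships_by_cred.setdefault(a.credential_id, set()).add(a.ship)
    return {c for c, ships in ships_by_cred.items() if len(ships) > 1}

def asset_findings(asset, shared_creds):
    """Findings for one asset; each one raises its exposure."""
    findings = []
    if not asset.os_supported:
        findings.append("unsupported OS, no security patches")
    if asset.remote_access:
        findings.append("remote access path to shore")
    if asset.credential_id in shared_creds:
        findings.append("admin credential shared across ships")
    bridged = asset.connected_zones - {asset.zone}
    if bridged:
        findings.append("bridges zones: " + ", ".join(sorted(bridged)))
    return findings

def risk_score(asset, shared_creds):
    """Constructed scoring: criticality times (1 + number of findings)."""
    return asset.criticality * (1 + len(asset_findings(asset, shared_creds)))

def triage(assets):
    """Rank the fleet inventory, highest risk first."""
    shared = fleet_shared_credentials(assets)
    rows = [(risk_score(a, shared), a, asset_findings(a, shared)) for a in assets]
    rows.sort(key=lambda r: (-r[0], r[1].ship, r[1].name))
    return [(a.ship, a.name, score, findings) for score, a, findings in rows]

def reachable_from_shore(assets):
    """Zones of one ship reachable from a shore-side remote link, following zone bridges."""
    adjacency = {}
    edges = [("shore", a.zone) for a in assets if a.remote_access]
    edges += [(a.zone, z) for a in assets for z in a.connected_zones]
    for u, v in edges:
        adjacency.setdefault(u, set()).add(v)
        adjacency.setdefault(v, set()).add(u)
    seen, stack = set(), ["shore"]
    while stack:  # depth-first walk over the zone graph
        z = stack.pop()
        if z not in seen:
            seen.add(z)
            stack.extend(adjacency.get(z, ()))
    seen.discard("shore")
    return seen

def change_impact(ship_assets, new_asset):
    """Zones that become reachable from shore if new_asset is installed, and the
    essential systems already sitting in those zones."""
    before = reachable_from_shore(ship_assets)
    after = reachable_from_shore(list(ship_assets) + [new_asset])
    newly_exposed = after - before
    essential = sorted(a.name for a in ship_assets
                       if a.zone in newly_exposed and a.criticality == 3)
    return newly_exposed, essential

# Constructed sample inventory for two ships (not real vessels or products).
FLEET = [
    Asset("MV Alpha", "ECDIS", "bridge", 3, "Windows 7", False, False, frozenset(), "ecdis-default"),
    Asset("MV Alpha", "Engine alarm and monitoring", "engine", 3, "Windows XP Embedded", False, False, frozenset(), "eams-sn-001"),
    Asset("MV Alpha", "Crew Wi-Fi router", "crew-lan", 1, "vendor firmware", True, True, frozenset(), "wifi-alpha"),
    Asset("MV Beta", "ECDIS", "bridge", 3, "Windows 10", True, False, frozenset(), "ecdis-default"),
    Asset("MV Beta", "Crew Wi-Fi router", "crew-lan", 1, "vendor firmware", True, True, frozenset(), "wifi-beta"),
]
ALPHA = [a for a in FLEET if a.ship == "MV Alpha"]
# Proposed modification: a monitoring gateway with a shore link, installed in the
# engine zone and also wired to the bridge network.
NEW_GATEWAY = Asset("MV Alpha", "Performance monitoring gateway", "engine", 2,
                    "Linux", True, True, frozenset({"bridge"}), "pmg-default")

if __name__ == "__main__":
    for ship, name, score, findings in triage(FLEET):
        print(f"{score:>2}  {ship:<9} {name:<30} {'; '.join(findings)}")
    zones, essential = change_impact(ALPHA, NEW_GATEWAY)
    print("gateway exposes zones", sorted(zones), "-> essential systems", essential)
```

The second check is the one that matters for modifications: before the gateway only the crew LAN is reachable from shore; after it, the engine and bridge zones are, and the ECDIS and the engine alarm system are now behind a remote path, which is exactly the change the paragraph above asks to be analysed before acceptance. In practice the inventory would be loaded from the ship's asset register rather than typed in, and the scoring weights agreed in the company's risk analysis.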
Conclusions
Cybersecurity cannot be implemented in the same way on new buildings and on ships in operation.
The analysis on new buildings is easier, as cybersecurity can be included as part of the ship’s design and all information from OT/IT systems can be accessed.
For ships in operation, it is necessary to know the actual inventory of OT/IT systems and to create a good cybersecurity plan to ensure cyber resilience. This often requires an external cyber security audit.
Do you need more information – Contact us