THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS

Produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL

v3


The Guidelines on Cyber Security Onboard Ships, Version 3

Terms of use

The advice and information given in the Guidelines on Cyber Security Onboard Ships (the guidelines) is intended purely as guidance to be used at the user’s own risk. No warranties or representations are given, nor is any duty of care or responsibility accepted by the Authors, their membership or employees of any person, firm, corporation or organisation (who or which has been in any way concerned with the furnishing of information or data, or the compilation or any translation, publishing, or supply of the guidelines) for the accuracy of any information or advice given in the guidelines; or any omission from the guidelines or for any consequence whatsoever resulting directly or indirectly from compliance with, adoption of or reliance on guidance contained in the guidelines, even if caused by a failure to exercise reasonable care on the part of any of the aforementioned parties.

CONTENTS

Introduction ... 1
1 Cyber security and safety management ... 3
1.1 Differences between IT and OT systems ... 5
1.2 Plans and procedures ... 6
1.3 Relationship between ship manager and shipowner ... 7
1.4 The relationship between the shipowner and the agent ... 7
1.5 Relationship with vendors ... 8
2 Identify threats ... 9
3 Identify vulnerabilities ... 13
3.1 Ship to shore interface ... 14
4 Assess risk exposure ... 16
4.1 Risk assessment made by the company ... 21
4.2 Third-party risk assessments ... 21
4.3 Risk assessment process ... 22
5 Develop protection and detection measures ... 24
5.1 Defence in depth and in breadth ... 24
5.2 Technical protection measures ... 25
5.3 Procedural protection measures ... 29
6 Establish contingency plans ... 34
7 Respond to and recover from cyber security incidents ... 36
7.1 Effective response ... 36
7.2 Recovery plan ... 37
7.3 Investigating cyber incidents ... 38
7.4 Losses arising from a cyber incident ... 38
Annex 1 Target systems, equipment and technologies ... 40
Annex 2 Cyber risk management and the safety management system ... 42
Annex 3 Onboard networks ... 46
Annex 4 Glossary ... 50
Annex 5 Contributors to version 3 of the guidelines ... 53

Introduction

Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together – and more frequently connected to the internet.

This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.

To mitigate the potential safety, environmental and commercial consequences of a cyber incident, a group of international shipping organisations, with support from a wide range of stakeholders (please refer to annex 5 for more details), have participated in the development of these guidelines, which are designed to assist companies in formulating their own approaches to cyber risk management onboard ships.

Approaches to cyber risk management will be company- and ship-specific but should be guided by the requirements of relevant national, international and flag state regulations. These guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is the benefit that relevant personnel would obtain from training in identifying the typical modus operandi of cyber attacks.

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. The same year, IMO developed guidelines¹ that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

The commitment of senior management to cyber risk management is a central assumption, on which the Guidelines on Cyber Security Onboard Ships have been developed.

The Guidelines on Cyber Security Onboard Ships are aligned with IMO resolution MSC.428(98) and IMO’s guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety (see chapter 1 for this distinction).

The aim of this document is to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. The guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company’s and ship’s approach to cyber risk management.

Like the IMO guidelines, the US National Institute of Standards and Technology (NIST) framework has also been accounted for in the development of these guidelines. The NIST framework assists companies with their risk assessments by helping them understand, manage and express the potential cyber risk threat both internally and externally. As a result of this assessment, a “profile” is developed, which can help to identify and prioritise actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business and technological approaches to manage the risks. Sample framework profiles are publicly available for maritime bulk liquid transfer, offshore, and passenger ship operations². These profiles were created by the United States Coast Guard and NIST’s National Cybersecurity Center of Excellence with input from industry stakeholders. The profiles are considered to be complementary to these guidelines and can be used together to assist industry in assessing, prioritizing, and mitigating their cyber risks.

1 MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management

2 The NIST Framework Profiles for maritime bulk liquid transfer, offshore, and passenger operations can be accessed here: http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles.

1 Cyber security and safety management

Both cyber security and cyber safety are important because of their potential effect on personnel, the ship, environment, company and cargo. Cyber security is concerned with the protection of IT, OT, information and data from unauthorised access, manipulation and disruption. Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT.

Cyber safety incidents can arise as the result of:

• a cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
• a failure occurring during software maintenance and patching
• loss of or manipulation of external sensor data, critical for the operation of a ship – this includes but is not limited to Global Navigation Satellite Systems (GNSS).

Whilst the causes of a cyber safety incident may be different from a cyber security incident, the effective response to both is based upon training and awareness.

Incident: Unrecognised virus in an ECDIS delays sailing

A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totalled in the hundreds of thousands of dollars (US).

Cyber risk management should:

• identify the roles and responsibilities of users, key personnel, and management both ashore and on board
• identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
• implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
• implement activities to prepare for and respond to cyber incidents.

Some aspects of cyber risk management may include commercially sensitive or confidential information. Companies should, therefore, consider protecting this information appropriately, and as far as possible, not include sensitive information in their Safety Management System (SMS).

Development, implementation, and maintenance of a cyber security management program in accordance with the approach in figure 1 is no small undertaking. It is, therefore, important that senior management stays engaged throughout the process to ensure that the protection, contingency and response planning are balanced in relation to the threats, vulnerabilities, risk exposure and consequences of a potential cyber incident.

Figure 1: Cyber risk management approach as set out in the guidelines (CYBER RISK MANAGEMENT APPROACH)

Identify threats: Understand the external cyber security threats to the ship. Understand the internal cyber security threat posed by inappropriate use and lack of awareness.

Identify vulnerabilities: Develop inventories of onboard systems with direct and indirect communications links. Understand the consequences of a cyber security threat on these systems. Understand the capabilities and limitations of existing protection measures.

Assess risk exposure: Determine the likelihood of vulnerabilities being exploited by external threats. Determine the likelihood of vulnerabilities being exposed by inappropriate use. Determine the security and safety impact of any individual or combination of vulnerabilities being exploited.

Develop protection and detection measures: Reduce the likelihood of vulnerabilities being exploited through protection measures. Reduce the potential impact of a vulnerability being exploited.

Establish contingency plans: Develop a prioritised contingency plan to mitigate any potential identified cyber risk.

Respond to and recover from cyber security incidents: Respond to and recover from cyber security incidents using the contingency plan. Assess the impact of the effectiveness of the response plan and re-assess threats and vulnerabilities.


1.1 Differences between IT and OT systems

OT systems control the physical world and IT systems manage data. OT systems differ from traditional IT systems. OT is hardware and software that directly monitors/controls physical devices and processes. IT covers the spectrum of technologies for information processing, including software, hardware and communication technologies. Traditionally OT and IT have been separated, but with the internet, OT and IT are coming closer as historically stand-alone systems are becoming integrated. Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel, cargo, damage to the marine environment, and impede the ship’s operation. Typical differences between IT and OT systems can be seen in the table below.

Table 1: Differences between OT and IT³

Performance requirements
IT system:
• non-real-time
• response must be consistent
• less critical emergency interaction
• tightly restricted access control can be implemented to the degree necessary for security
OT system:
• real-time
• response is time-critical
• response to human and any other emergency interaction is critical
• access to OT should be strictly controlled, but should not hamper or interfere with human-machine interaction

Availability (reliability) requirements
IT system:
• responses such as rebooting are acceptable
• availability deficiencies may be tolerated, depending on the system’s operational requirements
OT system:
• responses such as rebooting may not be acceptable because of operational requirements
• availability requirements may necessitate back-up systems

Risk management requirements
IT system:
• manage data
• data confidentiality and integrity is paramount
• fault tolerance may be less important
• risk impacts may cause delay of: ship’s clearance, commencement of loading/unloading, and commercial and business operations
OT system:
• control physical world
• safety is paramount, followed by protection of the process
• fault tolerance is essential, even momentary downtime may not be acceptable
• risk impacts are regulatory non-compliance, as well as harm to the personnel onboard, the environment, equipment and/or cargo

System operation
IT system:
• systems are designed for use with commonly known operating systems
• upgrades are straightforward with the availability of automated deployment tools
OT system:
• differing and possibly proprietary operating systems, often without built-in security capabilities
• software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and possible involvement of modified hardware and software

Resource constraints
IT system:
• systems are specified with enough resources to support the addition of third-party applications such as security solutions
OT system:
• systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities

3 Based on table 2-1 in NIST Special Publication 800-82, Revision 2.

There may be important differences between who handles the purchase and management of the OT systems versus IT systems on a ship. IT departments are not usually involved in the purchase of OT systems. The purchase of such systems should involve a chief engineer, who knows about the impact on the onboard systems but will most probably only have limited knowledge of software and cyber risk management. It is, therefore, important to have a dialogue with the IT department to ensure that cyber risks are considered during the OT purchasing process. OT systems should be inventoried with the IT department, so as to obtain an overview of potential challenges and to help establish the necessary policy and procedures for software maintenance.

Other industry sectors have seen the barrier removed between IT and OT, with management and procurement strategies all handled under the same regime.

1.2 Plans and procedures

IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. More guidance on how to incorporate cyber risk management into the company’s SMS can be found in annex 2 of these guidelines.

Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel. In the context of a ship’s operation, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.

The objective of the SMS is to provide a safe working environment by establishing appropriate practices and procedures based on an assessment of all identified risks to the ship, onboard personnel and the environment. The SMS should include instructions and procedures to ensure the safe operation of the ship and protection of the environment in compliance with relevant international and flag state requirements. These instructions and procedures should consider risks arising from the use of IT and OT onboard, taking into account applicable codes, guidelines and recommended standards.

When incorporating cyber risk management into the company’s SMS, consideration should be given as to whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment based on whether a particular ship is unique within their fleet. The factors to be considered include but are not limited to the extent to which IT and OT are used onboard, the complexity of system integration and the nature of operations.

In accordance with chapter 8 of the ISPS Code, the ship is obliged to conduct a security assessment, which includes identification and evaluation of key shipboard operations and the associated potential threats. As recommended by Part B, paragraph 8.3.5 of the ISPS Code, the assessment should address radio and telecommunication systems, including computer systems and networks. Therefore, the ship’s security plan may need to include appropriate measures for protecting both the equipment and the connection. Due to the fast adoption of sophisticated and digitalised onboard OT systems, consideration should be given to including these procedures by reference to the SMS in order to help ensure the ship’s security procedures are as up-to-date as possible.

Systems like Tanker Management and Self Assessment (TMSA) also require plans and procedures to be implemented.


1.3 Relationship between ship manager and shipowner

The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks onboard. If the ship is under third party management, then the ship manager is advised to reach an agreement with the shipowner.

Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.

Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.

Agreements on cyber risk management should be formal and written.

1.4 The relationship between the shipowner and the agent

The importance of this relationship has placed the agent⁴ as a named stakeholder, interfacing continuously and simultaneously with shipowners, operators, terminals, port services vendors, and port state control authorities through the exchange of sensitive, financial, and port coordination information. The relationship goes beyond that of a vendor. It can take different forms and especially in the tramp trade, shipowners require a local representative (an independent ship agent) to serve as an extension of the company.

Coordination of the ship’s call of port is a highly complex task being simultaneously global and local. It covers updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore. As one example, which touches cyber risk management: often agents are required to build IT systems, which upload information real-time into the owner’s management information system.

Quality standards for agents are important because like all other businesses, agents are also targeted by cyber criminals. Cyber-enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber-enhanced relationships between owners and agents to mitigate such cyber risks.

Incident: Ship agent and shipowner ransomware incident

A shipowner reported that the company’s business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks, while navigation and ship operations were unaffected. In one case, the owner paid the ransom⁵.

The importance of this incident is that harmonized cyber security across relationships with trusted business partners and producers is critical to all in the supply chain. Individual efforts to fortify one’s own business can be valiant and well-intended but could also be insufficient. Principals in the supply chain should work together to mitigate cyber risk.

4 The party representing the ship’s owner and/or charterer (the Principal) in port. If so instructed, the agent is responsible to the principal for arranging, together with the port, a berth, all relevant port and husbandry services, tending to the requirements of the master and crew, clearing the ship with the port and other authorities (including preparation and submission of appropriate documentation) along with releasing or receiving cargo on behalf of the principal (source: Convention on Facilitation of International Maritime Traffic (FAL Convention)).

5 Nothing in these guidelines should be taken as recommending the payment of ransom.


1.5 Relationship with vendors

Companies should evaluate and include the physical security and cyber risk management processes of service providers in supplier agreements and contracts. Processes evaluated during supplier vetting and included in contract requirements may include:

• security management including management of sub-suppliers
• manufacturing/operational security
• software engineering and architecture
• asset and cyber incident management
• personnel security
• data and information protection.

Evaluation of service providers beyond the first tier may be challenging, especially for companies with a large number of tier one suppliers. Third party providers that are collecting and managing supplier risk management data may be an option to consider.

Lack of physical and/or cyber security at a supplier within their products or infrastructure may result in a breach of corporate IT systems or corruption of ship OT/IT systems.

Companies should evaluate the cyber risk management processes for both new and existing contracts. It is good practice for the company to define their own minimum set of requirements to manage supply chain or 3rd party risks. A set of cyber risk requirements that reflect the company’s expectations should be clear and unambiguous to vendors. This may also help procurement practices when dealing with multiple vendors.

2 Identify threats

The cyber risk⁶ is specific to the company, ship, operation and/or trade. When assessing the risk, companies should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.

Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging by the absence of any definitive information about incidents and their impact. Until this evidence is obtained, the scale and frequency of attacks will continue to be unknown.

Experiences in the shipping industry and from other business sectors such as financial institutions, public administration and air transport have shown that successful cyber attacks might result in a significant loss of services. Assets can also compromise safety.

There are motives for organisations and individuals to exploit cyber vulnerabilities. The following examples give some indication of the threats posed and the potential consequences for companies and the ships they operate:

Table 2: Motivation and objectives

Activists (including disgruntled employees)
Motivation:
• reputational damage
• disruption of operations
Objective:
• destruction of data
• publication of sensitive data
• media attention
• denial of access to the service or system targeted

Criminals
Motivation:
• financial gain
• commercial espionage
• industrial espionage
Objective:
• selling stolen data
• ransoming stolen data
• ransoming system operability
• arranging fraudulent transportation of cargo
• gathering intelligence for more sophisticated crime, exact cargo location, ship transportation and handling plans etc.

Opportunists
Motivation:
• the challenge
Objective:
• getting through cyber security defences
• financial gain

States, State sponsored organisations, Terrorists
Motivation:
• political gain
• espionage
Objective:
• gaining knowledge
• disruption to economies and critical national infrastructure

The above groups are active and have the skills and resources to threaten the safety and security of ships and a company’s ability to conduct its business.

6 The text in this chapter has been summarised from CESG, Common Cyber Attacks: Reducing the Impact.

In addition, there is the possibility that company personnel, onboard and ashore, could compromise cyber systems and data. In general, the company should realise that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.

Types of cyber attack

Ingeneral,therearetwocategoriesofcyberattacks,whichmayaffectcompaniesandships:

� untargetedattacks,whereacompanyoraship’ssystemsanddataareoneofmanypotentialtargets

� targetedattacks,whereacompanyoraship’ssystemsanddataaretheintendedtarget.

Untargetedattacksarelikelytousetoolsandtechniquesavailableontheinternet,whichcanbeusedtolocate,discoverandexploitwidespreadvulnerabilitiesthatmayalsoexistinacompanyandonboardaship.Examplesofsometoolsandtechniquesthatmaybeusedinthesecircumstancesinclude:

� Malware–Malicioussoftwarewhichisdesignedtoaccessordamageacomputerwithouttheknowledgeoftheowner.Therearevarioustypesofmalwareincludingtrojans,ransomware,spyware,viruses,andworms.Ransomwareencryptsdataonsystemsuntilaransomhasbeenpaid.Malwaremayalsoexploitknowndeficienciesandproblemsinoutdated/unpatchedbusinesssoftware.Theterm“exploit”usuallyreferstotheuseofasoftwareorcode,whichisdesignedtotakeadvantageofandmanipulateaprobleminanothercomputersoftwareorhardware.Thisproblemcan,forexample,beacodebug,systemvulnerability,improperdesign,hardwaremalfunctionand/orerrorinprotocolimplementation.Thesevulnerabilitiesmaybeexploitedremotelyortriggeredlocally.Locally,apieceofmaliciouscodemayoftenbeexecutedbytheuser,sometimesvialinksdistributedinemailattachmentsorthroughmaliciouswebsites.

� Phishing–Sendingemailstoalargenumberofpotentialtargetsaskingforparticularpiecesofsensitiveorconfidentialinformation.Suchanemailmayalsorequestthatapersonvisitsafakewebsiteusingahyperlinkincludedintheemail.

� Water holing–Establishingafakewebsiteorcompromisingagenuinewebsitetoexploitvisitors.

� Scanning–Attackinglargeportionsoftheinternetatrandom.

Targetedattacksmaybemoresophisticatedandusetoolsandtechniquesspecificallycreatedfortargetingacompanyorship.Examplesoftoolsandtechniques,whichmaybeusedinthesecircumstances,include:

� Social engineering–Anon-technicaltechniqueusedbypotentialcyberattackerstomanipulateinsiderindividualsintobreakingsecurityprocedures,normally,butnotexclusively,throughinteractionviasocialmedia.

� Brute force–Anattacktryingmanypasswordswiththehopeofeventuallyguessingcorrectly.Theattackersystematicallychecksallpossiblepasswordsuntilthecorrectoneisfound.

• Denial of service (DoS) – Prevents legitimate and authorised users from accessing information, usually by flooding a network with data. A distributed denial of service (DDoS) attack takes control of multiple computers and/or servers to implement a DoS attack.


• Spear-phishing – Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.

• Subverting the supply chain – Attacking a company or ship by compromising equipment, software or supporting services being delivered to the company or ship.

The above examples are not exhaustive. Other methods are evolving, such as impersonating a legitimate shore-based employee in a shipping company to obtain valuable information, which can be used for a further attack. The potential number and sophistication of tools and techniques used in cyber attacks continue to evolve and are limited only by the ingenuity of those organisations and individuals developing them.

Stages of a cyber attack

In 2018, it took on average 140 days between time of infection of a victim's network and discovery of a cyber attack. However, intrusion can go undetected for years. This figure is down from 205 days in 2015 and continues to drop because detection is getting better [7]. Cyber attacks are conducted in stages. The length of time to prepare a cyber attack can be determined by the motivations and objectives of the attacker, and the resilience of technical and procedural cyber risk controls implemented by the company, including those onboard its ships. When considering targeted cyber attacks, the generally-observed stages of an attack are:

• Survey/reconnaissance – Open/public sources are used to gain information about a company, ship or seafarer in preparation for a cyber attack. Social media, technical forums and hidden properties in websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities. The use of open/public sources may be complemented by monitoring (analysing – sniffing) the actual data flowing into and from a company or a ship.

• Delivery – Attackers may attempt to access the company's and ship's systems and data. This may be done from either within the company or ship or remotely through connectivity with the internet. Examples of methods used to obtain access include:

  • company online services, including cargo or container tracking systems

  • sending emails containing malicious files or links to malicious websites to personnel

  • providing infected removable media, for example as part of a software update to an onboard system

  • creating false or misleading websites, which encourage the disclosure of user account information by personnel.

• Breach – The extent to which an attacker can breach a company's or ship's system will depend on the significance of the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach might not result in any obvious changes to the status of the equipment. Depending on the significance of the breach, an attacker may be able to:

  • make changes that affect the system's operation, for example interrupt or manipulate information used by navigation equipment, or alter operationally important information such as loading lists

  • gain access to commercially sensitive data such as cargo manifests and/or crew and passenger/visitor lists

  • achieve full control of a system, for example a machinery management system.

[7] The Microsoft Cybercrime Center.

• Pivot – Pivoting is the technique of using an instance already exploited to be able to "move" and perform other activities. During this phase of an attack, an attacker uses the first compromised system to attack otherwise inaccessible systems. An attacker will usually target the most vulnerable part of the victim's system with the lowest level of security. Once access is gained then the attacker will try to exploit the rest of the system. Usually, in the Pivot phase, the attacker may try to:

  • upload tools, exploits and scripts in the system to support the attacker in the new attack phase

  • execute a discovery of neighbour systems with scanning or network mapping tools

  • install permanent tools or a keylogger to keep and maintain access to the system

  • execute new attacks on the system.

The motivation and objectives of the attacker will determine what effect they have on the company or ship system and data. An attacker may explore systems, expand access and/or ensure that they are able to return to the system in order to:

• access commercially sensitive or confidential data about cargo, crew, visitors and passengers

• manipulate crew or passenger/visitor lists, cargo manifests or loading lists. This may subsequently be used to allow the fraudulent transport of illegal cargo, or facilitate thefts

• cause complete denial of service on business systems

• enable other forms of crime, for example piracy, theft and fraud

• disrupt normal operation of the company and ship systems, for example by deleting critical pre-arrival or discharge information or overloading company systems.


3 Identify vulnerabilities

It is recommended that a shipping company initially performs an assessment of the potential threats that may realistically be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threat. It may be facilitated by internal experts or supported by external experts with knowledge of the maritime industry and its key processes. The result should be a strategy centred around the key risks.

Stand-alone systems will be less vulnerable to external cyber attacks compared to those attached to uncontrolled networks or directly to the internet. Network design and network segregation will be explained in more detail in annex 3. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel's actions. Onboard systems could include:

• Cargo management systems – Digital systems used for the loading, management and control of cargo, including hazardous cargo, may interface with a variety of systems ashore, including ports and marine terminals. Such systems may include shipment-tracking tools available to shippers via the internet. However, the tracking is usually done via the company's systems connected to the ship and not directly between the shipper and the ship. Interfaces of this kind make cargo management systems and data in cargo manifests and loading lists vulnerable to cyber attacks.

• Bridge systems – The increasing use of digital, networked navigation systems, with interfaces to shoreside networks for update and provision of services, makes such systems vulnerable to cyber attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation and, therefore, may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.

• Propulsion and machinery management and power control systems – The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber attacks. The vulnerability of these systems can increase when they are used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.

• Access control systems – Digital systems used to support access control to ensure physical security and safety of a ship and its cargo, including surveillance, shipboard security alarm, and electronic "personnel-on-board" systems, are vulnerable to cyber attacks.

Incident: Crash of integrated navigation bridge at sea

A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was attributed to the outdated operating systems. During the previous port call, a producer technical representative performed a navigation software update on the ship's navigation computers. However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company. The costs of the delays were extensive and incurred by the shipowner.

This incident emphasizes that not all computer failures are a result of a deliberate attack and that outdated software is prone to failure. More proactive software maintenance to the ship may have prevented this incident from occurring.

• Passenger servicing and management systems – Digital systems used for property management, boarding and access control may hold valuable passenger related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.

• Passenger facing public networks – Fixed or wireless networks connected to the internet, installed onboard for the benefit of passengers, for example guest entertainment systems, should be considered uncontrolled and should not be connected to any safety critical system onboard.

• Administrative and crew welfare systems – Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety critical system onboard. Software provided by ship management companies or owners is also included in this category.

• Communication systems – Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements by these authorities should be strictly complied with.

The above-mentioned onboard systems consist of potentially vulnerable equipment, which should be reviewed during the assessment. More detail can be found in annex 1 of these guidelines.

3.1 Ship to shore interface

Ships are becoming more and more integrated with shoreside operations because digital communication is being used to conduct business, manage operations, and retain contact with head office. Furthermore, critical ship systems essential to the safety of navigation, power and cargo management have become increasingly digitalised and connected to the internet to perform a wide variety of legitimate functions such as:

• engine performance monitoring

• maintenance and spare parts management

• cargo, loading and unloading, crane, pump management and stow planning

• voyage performance monitoring.

The above list provides examples of this interface and is not exhaustive. The above systems provide data, which may be of interest to cyber criminals to exploit.

Modern technologies can add vulnerabilities to ships, especially if there are insecure designs of networks and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may be unaware how some equipment producers maintain remote access to shipboard equipment and its network system. Unknown and uncoordinated remote access to an operating ship should be taken into consideration as an important part of the risk assessment.


It is recommended that companies should fully understand the ship's OT and IT systems and how these systems connect and integrate with the shoreside, including public authorities, marine terminals and stevedores. This requires an understanding of all computer based onboard systems and how safety, operations, and business can be compromised by a cyber incident.

The following should be considered regarding producers and third parties including contractors and service providers:

1. The producer's and service provider's cyber risk management awareness and procedures: Such companies may lack cyber awareness training and governance in their own organisations and this may represent more sources of vulnerability, which could result in cyber incidents. These companies should have an updated cyber risk management company policy, which includes training and governance procedures for accessible IT and OT onboard systems.

2. The maturity of a third-party's cyber risk management procedures: The shipowner should query the internal governance of cyber network security, and seek to obtain a cyber risk management assurance when considering future contracts and services. This is particularly important when covering network security if the ship is to be interfaced with the third-party such as a marine terminal or stevedoring company.

Common vulnerabilities

The following are common cyber vulnerabilities, which may be found onboard existing ships, and on some newbuild ships:

• obsolete and unsupported operating systems

• outdated or missing antivirus software and protection from malware

• inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords

• shipboard computer networks, which lack boundary protection measures and segmentation of networks

• safety critical equipment or systems always connected with the shoreside

• inadequate access controls for third parties including contractors and service providers.

Incident: Navigation computer crash during pilotage

A ship was under the conduct of a pilot when the ECDIS and voyage performance computers crashed. A pilot was on the bridge. The computer failures briefly created a distraction to the watch officers; however, the pilot and the master worked together to focus the bridge team on safe navigation by visual means and radar. When the computers were rebooted, it was apparent that the operating systems were outdated and unsupported. The master reported that these computer problems were frequent (referred to the issues as "gremlins") and that repeated requests for servicing from the shipowner had been ignored.

It is a clear case of how simple servicing and attention to the ship by management can prevent mishaps.


4 Assess risk exposure

Cyber risk assessment should start at senior management level of a company, instead of being immediately delegated to the ship security officer or the head of the IT department. There are several reasons for this.

1. Initiatives to heighten cyber security and safety may at the same time affect standard business procedures and operations, rendering them more time consuming and/or costly. It is, therefore, a senior management level decision to evaluate and decide on risk mitigation.

2. A number of initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the ship and the environment and not to IT systems, and therefore need to be anchored organisationally outside the IT department.

3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.

The following questions may be used as a basis for a risk assessment when addressing cyber risks onboard ships:

• What assets are at risk?

• What is the potential impact of a cyber incident?

• Who has the final responsibility for the cyber risk management?

• Are the OT systems and their working environment protected from the internet?

• Is there remote access to the OT systems, and if so how is it monitored and protected?

• Are the IT systems protected and is remote access being monitored and managed?

• What cyber risk management best practices are being used?

• What is the training level of the personnel operating the IT and OT systems?

Based on the answers, the company should delegate authority and allocate the budget needed to carry out a full risk assessment and develop solutions that are best suited for the company and the operation of their ships. The following should be addressed:

• identify systems that are important to operation, safety and environmental protection

• assign the persons responsible for setting cyber policies and procedures and for enforcing monitoring

• determine where secure remote access should use multiple defence layers and where, for protection of networks, they should be disconnected from the internet

• identify needs for training of personnel.


The level of cyber risk will reflect the circumstances of the company, ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics, which affect its vulnerability to cyber incidents:

• the cyber controls already implemented by the company onboard its ships

• multiple stakeholders are often involved in the operation and chartering of a ship, potentially resulting in lack of accountability for the IT infrastructure

• the ship being online and how it interfaces with other parts of the global supply chain

• ship equipment being remotely monitored, eg by the producers

• business-critical, data sensitive and commercially sensitive information shared with shore-based service providers, including marine terminals and stevedores and also, where applicable, public authorities

• the availability and use of computer-controlled critical systems for the ship's safety and for environmental protection.

These elements should be considered, and relevant parts incorporated into the company cyber security policies, safety management systems, and ship security plans. Users of these guidelines should refer to specific national, international and flag state regulations as well as relevant international and industry standards and best practices when developing and implementing cyber risk management procedures.

IT and OT systems, software and maintenance can be outsourced to third-party service providers and the company itself may not possess a way of verifying the level of security supplied by these providers. Some companies use different providers responsible for software and cyber security checks.

The growing use of big data, smart ships and the "internet of things" [8] will increase the amount of information available to cyber attackers and the potential attack surface to cyber criminals. This makes the need for robust approaches to cyber risk management important both now and in the future.

Incident: Worm attack on maritime IT and OT

A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design.

Thecompany’sITdepartmentmadethedecisiontovisittheshipandperformedvulnerabilityscanstodetermineifthesystemhadevidenceofinfectionandtodetermineifitwassafetoconnect.Theteamdiscoveredadormantwormthatcouldhaveactivateditselfoncethesystemwasconnectedtotheinternetandthiswouldhavehadsevereconsequences.Theincidentemphasizesthatevenairgappedsystemscanbecompromisedandunderlinesthevalueofproactivecyberriskmanagement.

The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The shipowner stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician.

The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders.

[8] Lloyd's Register, Qinetiq and University of Southampton, Global Marine Technology Trends 2030.

The company asked cyber security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days. Scanning tools removed the virus. An analysis proved that the service provider was indeed the source and that the worm had introduced the malware into the ship's system via a USB flash drive during a software installation.

Analysis also proved that this worm operated in the system memory and actively called out to the internet from the server. Since the worm was loaded into memory, it could affect the performance of the server and systems connected to the internet.

Third-party access

Visits to ships by third parties requiring a connection to one or more computers onboard can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians to board the ship and plug in devices, such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to "print official documents" after having inserted an unknown removable media.

Sometimes there is no control as to who has access to the onboard systems, eg during dry docking, layups or when taking over a new or existing ship. In such cases, it is difficult to know if malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly.

Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security. These systems can be "third-party systems", whereby the contractor monitors and maintains the systems through remote access. These systems could include both two-way data flow and upload-only. Systems and workstations with remote control, access or configuration functions could, for example, be:

• bridge and engine room computers and workstations on the ship's administrative network

• cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely

• stability decision support systems

• hull stress monitoring systems

• navigational systems including Electronic Navigation Chart (ENC), Voyage Data Recorder (VDR), dynamic positioning (DP)

• cargo handling and stowage, engine, and cargo management and load planning systems

• safety and security networks, such as CCTV (closed circuit television)

• specialised systems such as drilling operations, blow out preventers, subsea installation systems, Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

The extent and nature of connectivity of equipment should be known by the shipowner or operator and considered as an important part of the risk assessment.


Impact assessment

The confidentiality, integrity and availability (CIA) model [9] provides a framework for assessing the impact of:

• unauthorised access to and disclosure of information or data about the ship, crew, cargo and passengers

• loss of integrity, which would modify or destroy information and data relating to the safe and efficient operation and administration of the ship

• loss of availability due to the destruction of the information and data and/or the disruption to services/operation of ship systems.

The relative importance of confidentiality, integrity and availability depends on the use of the information or data. For example, assessing the vulnerability of IT systems related to commercial operations may focus on confidentiality and integrity rather than availability. Conversely, assessing the vulnerability of OT systems onboard ships, particularly safety critical systems, may focus on availability and/or integrity instead of confidentiality.

Potential impacts could be safety-related, operational, environmental-related, financial, reputational and compliance-related. Several assessment methodologies offer criteria and techniques that can help define the magnitude of the impact from a cyber attack [10].

Potential impact: Low
Definition: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on company and ship, organisational assets, or individuals.
In practice: A limited adverse effect means that a security breach might: (i) cause a degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organisational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Potential impact: Moderate
Definition: The loss of confidentiality, integrity, or availability could be expected to have a substantial adverse effect on company and ship, assets or individuals.
In practice: A substantial adverse effect means that a security breach might: (i) cause a significant degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organisational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

Potential impact: High
Definition: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on company and ship operations, assets, environment or individuals.
In practice: A severe or catastrophic adverse effect means that a security breach might: (i) cause a severe degradation in or loss of ship operation to an extent and duration that the organisation is not able to perform one or more of its primary functions; (ii) result in major damage to environment and/or organisational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Table 3: potential impact levels when using the CIA model

When it comes to OT systems, an extra dimension must be added to the CIA model.

[9] Federal Information Processing Standards, Publication 199, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8900.

[10] Methodologies include, and are not limited to, ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management, COSO Enterprise Risk Management Framework, and ISO 31000:2018 Risk management – Guidelines.


A risk assessment of OT systems needs to be based on an inventory overview of equipment and/or computer-based systems and a map of the networks' connections. Further, access points and communication devices should be part of this overview. As the impact of an onboard OT system's cyber incident may include physical effects, risk assessments should include:

• impacts on the safety of onboard personnel, the ship and cargo

• physical impact on an OT system, including the environment surrounding it onboard; the effect on the process that is being controlled and the physical effect on the OT system itself

• the consequences for risk assessments of non-digital control components within an OT system.

The implementation of protection measures based on risk assessments is well established on all ships via the ISM code and the ship's SMS. Safety assessments are concerned primarily with the physical world, bearing in mind that the physical and the digital worlds are now intertwined. Assessing the potential physical damage from a cyber incident should include:

1. how an incident could manipulate the operation of sensors and actuators to impact the physical environment

2. what redundant controls and manual overriding possibilities exist in the OT system to prevent an incident

3. how a physical incident could emerge

4. how to evaluate potential effects to the physical process performed by the OT system.

Example

A ship is equipped with a complex power management system. It consists of switchboards and generators controlling systems for auto load sharing, power control and auto synchronizing. On top of the power management system, a supervisory control and data acquisition (SCADA) system provides output and makes it possible for the crew to control the distribution of onboard electric power.

Power management is important to the safety of the crew, ship, and cargo. It also has a clear environmental and financial impact as power is generated by use of fuel either by the ship's main engine (shaft generator) and/or auxiliary engines. Therefore, a cyber incident that disables or causes the power management system to malfunction can place the operation and safety of the ship at risk. To lower the risk, the company should add protection measures that minimize the possibility of such a cyber incident taking place.

The SCADA system contains real-time sensor data, which is used onboard for power management. It also generates data about the power consumption, which is used by the shipping company for administrative purposes. To determine the potential impact of this data and information being breached, the CIA model should be used. When doing so, the shipping company should determine the potential impact of the most sensitive information stored, processed or transmitted by the SCADA system.

Using the CIA model, the shipping company can conclude that:

• losing confidentiality of the sensor data acquired by the SCADA system will have a low impact as the sensors are publicly displayed onboard. However, from a safety point of view, it is important that the information transmitted by the sensors can be relied upon. Therefore, there is a potential high impact from a loss of integrity. It will also be a safety issue if the information cannot be read. So, there is a potential high impact from a loss of availability.

• a loss of confidentiality regarding the power consumption information being sent to the shipping company for statistical purposes is assessed as a potential low impact. There will also be a potential low impact from a loss of integrity and availability as the data is only used for in-house considerations.


The following table shows the result of the assessment.

SCADA system        Confidentiality   Integrity   Availability   Overall impact

Sensor data         Low               High        High           High

Statistical data    Low               Low         Low            Low

Table 4: result of CIA assessment of SCADA system
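A small implementation of the assessment behind Table 3 and Table 4, added here as an illustration and not part of the guidelines. It assumes the high-water mark rule of FIPS 199 (the overall level is the highest of the individual ratings, which is how the sensor data arrives at "High"), and it adds a hypothetical `physical` rating as the extra dimension the text says must be added for OT systems; the second system in it is a constructed example, not taken from the guidelines.

```python
"""CIA impact assessment in the style of Table 3 / Table 4 (added illustration)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class Impact(IntEnum):
    """Impact levels of Table 3, ordered so that max() selects the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class DataType:
    """One kind of information a system stores, processes or transmits."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    # Hypothetical extra dimension for OT systems: the physical effect on the
    # controlled process (crew, ship, cargo, environment). None for IT data.
    physical: Optional[Impact] = None

    def overall(self) -> Impact:
        # High-water mark (assumed from FIPS 199): the worst rating wins.
        ratings = [self.confidentiality, self.integrity, self.availability]
        if self.physical is not None:
            ratings.append(self.physical)
        return max(ratings)


@dataclass
class SystemAssessment:
    """A shipboard system and the data types it handles."""
    system: str
    data_types: List[DataType] = field(default_factory=list)

    def overall(self) -> Impact:
        """The system is rated by its most sensitive data type."""
        return max(d.overall() for d in self.data_types)

    def table(self) -> List[Tuple[str, ...]]:
        """Rows in the layout of Table 4: name, C, I, A, overall."""
        rows = [(self.system, "Confidentiality", "Integrity",
                 "Availability", "Overall impact")]
        for d in self.data_types:
            rows.append((d.name, d.confidentiality.name.title(),
                         d.integrity.name.title(), d.availability.name.title(),
                         d.overall().name.title()))
        return rows


def format_table(rows: List[Tuple[str, ...]]) -> str:
    """Align columns so the rows print like the guidelines' table."""
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


def scada_example() -> SystemAssessment:
    """The power-management SCADA assessment as reasoned through in the text."""
    return SystemAssessment("SCADA system", [
        DataType("Sensor data", Impact.LOW, Impact.HIGH, Impact.HIGH),
        DataType("Statistical data", Impact.LOW, Impact.LOW, Impact.LOW),
    ])


def ot_example() -> SystemAssessment:
    """Constructed OT case: C/I/A alone would say Moderate, but the physical
    dimension (loss of power control at sea) raises the overall level to High."""
    return SystemAssessment("Power management controller (constructed)", [
        DataType("Generator setpoints", Impact.LOW, Impact.MODERATE,
                 Impact.MODERATE, physical=Impact.HIGH),
    ])


if __name__ == "__main__":
    for assessment in (scada_example(), ot_example()):
        print(format_table(assessment.table()))
        print("Overall:", assessment.overall().name.title(), "\n")
```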

Bring your own device (BYOD)

It is recognised that personnel may be allowed to bring their own devices (BYOD) onboard to access the ship's system or network. Although this may be both beneficial and economical for ships, it significantly increases the level of vulnerability because these devices may be unmanaged. Policies and procedures should address the control and use of BYODs, as well as how to protect vulnerable data, by using network segregation for example.

4.1 Risk assessment made by the company

As mentioned above, the risk assessment process starts by assessing the systems onboard, in order to map their robustness to handle the current level of cyber threats. The assessment should cover the IT and OT systems onboard. When conducting the assessment, the company should consider the outcomes of the ship security assessment as well as the following:

1. identification of existing technical and procedural controls to protect the onboard IT and OT systems

2. identification of IT and OT systems that are vulnerable, including the human factor, and the policies and procedures governing the use of these systems. The identification should include searches for known vulnerabilities relevant to the equipment as well as the current level of patching and firmware updates

3. identification and evaluation of key shipboard operations that are vulnerable to cyber attacks

4. identification of possible cyber incidents and their impact on key shipboard operations, and the likelihood of their occurrence, to establish and prioritise protection measures.

Companies may consult with the producers and service providers of onboard equipment and systems to understand the technical and procedural controls that may already be in place to address cyber risk management. Furthermore, any identified cyber vulnerability in the factory standard configuration of a critical system or component should be disclosed to facilitate better protection of the equipment in the future.

4.2 Third-party risk assessments

Self-assessments can serve as a good start but may be complemented by third-party risk assessments to drill deeper and identify the risks and the gaps that may not be found during the self-assessment. Penetration tests of critical IT and OT infrastructure can also be performed to identify whether the actual defence level matches the desired level set forth in the cyber security strategy for the company. Such tests can be performed by external experts simulating attacks using both IT systems, social engineering and, if desired, even physical penetration of a facility's security perimeter. These tests are referred to as active tests because they involve accessing and inserting software into a system. This may only be appropriate for IT systems. Where risk to OT systems during penetration testing is unacceptable, passive testing approaches should be considered. Passive methods rely on scanning data transmitted by a system to identify vulnerabilities. In general, no attempt is made to actively access or insert software into the system.

4.3 Risk assessment process

Phase 1: Pre-assessment activities

Prior to starting a cyber risk assessment onboard11, the following activities should be performed:

• map the ship’s key functions and systems and their potential impact levels, for example using the CIA model, taking into consideration the operation of OT systems

• identify main producers of critical shipboard IT and OT equipment

• review detailed documentation of critical OT and IT systems including their network architecture, interfaces and interconnections

• identify cyber security points-of-contact with each of the producers and establish a working relationship with them

• review detailed documentation on the ship’s maintenance and support of the IT and OT systems

• establish contractual requirements and obligations that the shipowner/ship operator may have for maintenance and support of shipboard networks and equipment

• support, if necessary, the risk assessment with an external expert to develop detailed plans and include producers and service providers.

Phase 2: Ship assessment

The goal of the assessment of a ship’s network and its systems and devices is to identify any vulnerabilities that could result in loss of confidentiality, loss of integrity or loss of operation of the equipment, system, network, or even the ship. These vulnerabilities and weaknesses could fall into one of the following categories:

• technical, such as software defects or outdated or unpatched systems

• design, such as access management or unmanaged network interconnections

• implementation errors, for example misconfigured firewalls

• procedural or other user errors.

The activities performed during an assessment could include reviewing the configuration of all computers, servers, routers, and cyber security technologies including firewalls. It could also include reviews of all available cyber security documentation and procedures for connected IT and OT systems and devices.

11 Based on a third-party risk assessment method described by NCC Group.


An aspect of on-ship assessment is involvement of crew of all levels, particularly the master, chief engineer and first mate. This process helps to understand how the IT and OT systems are implemented onboard, how they may vary from the stated design documentation, and what level of cyber training has been delivered to the ship’s crew.

Phase 3: Debrief and vulnerability review/reporting

Following the assessment, each identified vulnerability should be evaluated for its potential impact and the probability of its exploitation. Recommended technical and/or procedural corrective actions should be identified for each vulnerability.

Ideally, the cyber risk assessment should include:

• executive summary – a high-level summary of results, recommendations and the overall security profile of the assessed ship

• technical findings – breakdown of discovered vulnerabilities, their probability of exploitation, the resulting impact, and appropriate technical fix and mitigation advice

• prioritised list of actions – the priorities allocated should reflect the effectiveness of the measure, the cost, the applicability, etc. It is important that this list should be a complete list of options available and not represent a list of services and products the third-party risk assessor, if applicable, would like to sell.

• supplementary data – a supplement containing the technical details of all key findings and comprehensive analysis of critical flaws. This section should also include sample data recovered during the penetration testing, if any, of critical or high-risk vulnerabilities

• appendices – records of activities conducted by the cyber risk assessment team and the tools used during the engagement.

Consideration should be given as to whether parts of the cyber risk assessment should be treated as confidential.

Whilst cyber risk management policies and procedures should be included in the company safety management system, these should not contain information which, if made available outside the company, could become a vulnerability.

Phase 4: Producer debrief

Once the shipowner has had an opportunity to review, discuss and assess the findings, a subset of the findings may need to be sent to the producers of the affected systems. Any findings which are approved by the shipowner for disclosure to the producers could be further analysed with support from external experts, who should work with the producer’s cyber security point of contact to ensure that a full risk and technical understanding of the problem is achieved. This supporting activity is intended to ensure that any remediation plan developed by the producer is comprehensive in nature and identifies the correct solution to eliminate the vulnerabilities.


5 Develop protection and detection measures

The outcome of the company’s risk assessment and subsequent cyber security strategy should be a reduction in risk to be as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cyber security.

It is important to identify how to manage cyber security onboard and to delegate responsibilities to the master, responsible officers and, when appropriate, the company security officer.

5.1 Defence in depth and in breadth

It is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology to:

• increase the probability that a cyber incident is detected

• increase the effort and resources required to protect information, data or the availability of IT and OT systems.

Connected OT systems onboard should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the systems, but this may not be sufficient to cope with insider threats.

This defence in depth approach encourages a combination of:

• physical security of the ship in accordance with the ship security plan (SSP)

• protection of networks, including effective segmentation

• intrusion detection

• periodic vulnerability scanning and testing

• software whitelisting

• access and user controls

• appropriate procedures regarding the use of removable media and password policies

• personnel’s awareness of the risk and familiarity with appropriate procedures.

Company policies and procedures should help ensure that cyber security is considered within the overall approach to safety and security risk management. The complexity and potential persistence of cyber threats means that a “defence in depth” approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber attacks.

When developing integration between systems, a trust boundary model should be considered, whereby systems are grouped into those between which trust is implicit (for example user workstations), and those between which trust should be explicit (between bridge computers and corporate networks). For large or complex networks, threat modelling should be considered as an activity to understand where technical controls should be implemented between systems in order to support a defence in breadth approach.

However, onboard ships where levels of integration between IT and OT systems may be high, defence in depth only works if technical and procedural protection measures are applied in layers across all vulnerable and integrated systems. This is “defence in breadth” and it is used to prevent any vulnerabilities in one system being used to circumvent protection measures of another system.

Cyber risk protection measures may be either technical or procedural in nature, with technical controls implemented to enforce procedural controls; a combination approach using appropriate measures provides the most effective level of protection.

Defence in depth and defence in breadth are complementary approaches which, when implemented together, provide the foundation of a holistic response to the management of cyber risks.

Cyber risk protection measures may be technical and focused on ensuring that onboard systems are designed and configured to be resilient to cyber attacks. Protection measures may also be procedural and should be covered by company policies, safety management procedures, security procedures and access controls.

Consideration needs to be given to implementing technical controls that are practical and cost effective, particularly on existing ships.

Implementation of cyber security controls should be prioritised, focusing first on those measures, or combinations of measures, which offer the greatest benefit.

5.2 Technical protection measures

The Centre for Internet Security (CIS) provides guidance on measures12 that can be used to address cyber security vulnerabilities. The protection measures are a list of Critical Security Controls (CSC) that are prioritised and vetted to help ensure that they provide an effective approach for companies to assess and improve their defences. The CSCs include both technical and procedural aspects.

The below mentioned examples of CSCs have been selected as particularly relevant to equipment and data onboard ships13.

Limitation to and control of network ports, protocols and services

Access lists to network systems can be used to implement the company’s security policy. This helps ensure that only appropriate traffic will be allowed via a controlled network or subnet, based on the control policy of that network or subnet.

It is recommended that routers are secured against attacks and that unused ports are closed to prevent unauthorised access to systems or data.

Configuration of network devices such as firewalls, routers and switches

It should be determined which systems should be attached to controlled or uncontrolled14 networks. Controlled networks are designed to prevent any security risks from connected devices by use of firewalls, security gateways, routers and switches. Uncontrolled networks may pose risks due to lack of data traffic control and should be isolated from controlled networks, as direct internet connection makes them highly prone to infiltration by malware. For example:

• networks that are critical to the operation of a ship itself should be controlled. It is important that these systems have a high level of security

• networks that provide suppliers with remote access to navigation and other OT systems’ software onboard should also be controlled. These networks may be necessary to allow suppliers to upload system upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to prevent unauthorised access

• cargo stowage, load planning and management systems should be controlled. So should those systems that perform mandatory ship reporting to public authorities

• other networks, such as guest access networks, may be uncontrolled, for instance those related to passenger recreational activities or private internet access for crew. Normally, any wireless network should be considered uncontrolled.

Effective segregation of systems, based on necessary access and trust levels, is one of the most successful strategies for the prevention of cyber incidents. Effectively segregated networks can significantly impede an attacker’s access to a ship’s systems, and segregation is one of the most effective techniques for preventing the spread of malware. Onboard networks should be partitioned by firewalls to create safe zones. The fewer communications links and devices in a zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most protected zone. See annex 3 of these guidelines for more information on shipboard networks and also refer to ISO/IEC 62443.

12 CIS, Critical Security Controls for Effective Cyber Security, available at www.cisecurity.org/critical-controls.cfm.
13 Stephenson Harwood (2015), Cyber Risk.
14 In accordance with IEC 61162-460:2015: Maritime navigation and radiocommunication equipment and systems - Digital interfaces - Part 460: Multiple talkers and multiple listeners - Ethernet interconnection - Safety and security.

Physical security

Physical security15 is a central aspect of cyber risk management, and an effective defence in depth strategy relies on ensuring that technical controls cannot be circumvented through trivial technical means. Areas containing sensitive OT or IT control components should be securely locked, security and safety critical equipment and cable runs should be protected from unauthorised access, and physical access to sensitive user equipment (such as exposed USB ports on bridge systems) should be secured.

Detection, blocking and alerts

Identifying intrusions and infections is a central part of the control procedures. A baseline of network operations and expected data flows for users and systems should be established and managed, so that cyber incident alert thresholds can be established. Key to this will be the definition of roles and responsibilities for detection to help ensure accountability. Additionally, a company may choose to incorporate an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) into the network or as part of the firewall. Some of their main functions include identifying threats/malicious activity and code, and then logging, reporting and attempting to block the activity. Further details concerning IDS and IPS can be found in annex 3 of these guidelines. It helps to ensure that dedicated onboard personnel can understand the alerts and their implications. Incidents detected should be directed to an individual or service provider who is responsible for acting on this type of alert.
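The two ideas above, partitioning onboard networks into controlled and uncontrolled zones and learning a baseline of expected data flows from which alert thresholds are derived, can be combined in one check. The following is an added example, not code from the guidelines or any of their authors; the zone names, subnets, flow-record format and sample records are constructed assumptions.

```python
"""Zone-aware flow baseline check (constructed example, not from the guidelines).

Onboard networks are partitioned into controlled and uncontrolled zones, and a
baseline of expected zone-to-zone services is learned from a known-good period.
Later records are then checked against both the zoning policy and the baseline.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed zone map. OT and administrative networks are controlled; the crew
# Wi-Fi is uncontrolled, as the guidelines recommend for any wireless network.
ZONES = {
    "bridge_ot": (ip_network("10.10.0.0/24"), "controlled"),
    "engine_ot": (ip_network("10.20.0.0/24"), "controlled"),
    "admin_it": (ip_network("10.30.0.0/24"), "controlled"),
    "crew_wifi": (ip_network("192.168.50.0/24"), "uncontrolled"),
}

# Constructed flow records, one per line: "src dst dport proto bytes".
# BASELINE_LOG is the known-good period; OBSERVED_LOG is a later period to check.
BASELINE_LOG = """\
10.30.0.5 10.30.0.10 445 tcp 120000
10.30.0.6 10.30.0.10 445 tcp 95000
10.30.0.10 203.0.113.20 443 tcp 40000
10.10.0.3 10.30.0.20 8443 tcp 15000
10.20.0.4 10.30.0.20 8443 tcp 12000
"""
OBSERVED_LOG = """\
10.30.0.5 10.30.0.10 445 tcp 110000
192.168.50.22 10.10.0.3 22 tcp 900
10.30.0.7 198.51.100.9 4444 tcp 500
10.10.0.3 10.30.0.20 8443 tcp 30000
10.10.0.3 10.30.0.20 8443 tcp 20000
"""


def zone_of(addr):
    """Map an address to (zone name, trust level); unmapped addresses are external and uncontrolled."""
    ip = ip_address(addr)
    for name, (net, trust) in ZONES.items():
        if ip in net:
            return name, trust
    return "external", "uncontrolled"


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    src, dst, dport, proto, nbytes = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def flow_key(flow):
    """Baseline key: (src zone, dst zone, protocol, destination port), ignoring individual hosts."""
    return (zone_of(flow["src"])[0], zone_of(flow["dst"])[0], flow["proto"], flow["dport"])


def build_baseline(lines):
    """Learn the expected zone-to-zone services and their total byte volume from a known-good period."""
    volume = Counter()
    for line in lines:
        flow = parse_flow(line)
        volume[flow_key(flow)] += flow["bytes"]
    return volume


def check_flows(lines, baseline, volume_factor=3.0):
    """Return (alert type, key, record) for each deviation from the zoning policy or the baseline.

    zone_violation:  traffic from an uncontrolled zone into a controlled zone
    unknown_flow:    a zone/service combination never seen in the baseline
    volume_exceeded: a known combination whose bytes exceed volume_factor x its baseline (once per key)
    """
    alerts = []
    seen = Counter()
    volume_alerted = set()
    for line in lines:
        flow = parse_flow(line)
        key = flow_key(flow)
        _, src_trust = zone_of(flow["src"])
        _, dst_trust = zone_of(flow["dst"])
        seen[key] += flow["bytes"]
        if src_trust == "uncontrolled" and dst_trust == "controlled":
            alerts.append(("zone_violation", key, line))
        elif key not in baseline:
            alerts.append(("unknown_flow", key, line))
        elif seen[key] > volume_factor * baseline[key] and key not in volume_alerted:
            volume_alerted.add(key)
            alerts.append(("volume_exceeded", key, line))
    return alerts


if __name__ == "__main__":
    learned = build_baseline(BASELINE_LOG.splitlines())
    for alert_type, key, record in check_flows(OBSERVED_LOG.splitlines(), learned):
        print(alert_type, key, record)
```

On the constructed records the check raises one alert of each type: the crew Wi-Fi client reaching a bridge host, an administrative host talking to an unknown external service, and the bridge-to-admin service exceeding three times its baseline volume.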

15 See also the ISPS Code.


Satellite and radio communication

Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this connection, the specification of the satellite link should be considered when establishing the requirements for onboard network protection.

When establishing an uplink connection for a ship’s navigation and control systems to shore-based service providers, consideration should be given to how to prevent illegitimate connections gaining access to the onboard systems.

The access interconnect is the distribution partner’s responsibility. The final routing of user traffic from the internet access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner. User traffic is routed through the communication equipment for onward transmission onboard. At the access point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.

When using a Virtual Private Network (VPN), the data traffic should be encrypted to an acceptable international standard. Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or onboard) should be deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic. Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner and the distribution partner. Both onshore filtering of traffic and firewalls/security inspection/blocking gateways on the ship are needed and supplement each other to achieve a sufficient level of protection.

Producers of satellite communication terminals and other communication equipment may provide management interfaces with security control software that are accessible over the network. These are primarily provided in the form of web-based user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation.

Wireless access control

Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly. The following can be considered for controlling wireless access:

• the use of enterprise authentication systems using asymmetric encryption and isolating networks with appropriate wireless dedicated access points (e.g. guest networks isolated from administrative networks)

• the adoption of systems, such as wireless IPS, that can intercept non-authorised wireless access points or rogue devices

• the protection of the physical interconnection between wireless access devices and the network (such as network plugs, network racks, etc.) to avoid unauthorised access by rogue devices.

Malware detection

Scanning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated.

As a general guideline, onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the risk of these computers acting as attack vectors towards servers and other computers on the ship’s network. How regularly the scanning software will be updated must be taken into consideration when deciding whether to rely on these defence methods.

Secure configuration for hardware and software

Only senior officers should be given administrator profiles, so that they can control the setup and disabling of normal user profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes for which they are required. User profiles should not allow the user to alter the systems or install and execute new programs.

Email and web browser protection

Email communication between ship and shore is a vital part of a ship’s operation. Appropriate email and web browser protection serves to:

• protect shoreside and onboard personnel from potential social engineering

• prevent email being used as a method of obtaining sensitive information

• ensure that the exchange of sensitive information via email or by voice is appropriately protected to ensure confidentiality and integrity of data, eg encryption protection

• prevent web browsers and email clients from executing malicious scripts.

Some best practices for safe email transfer are: email as zip or encrypted file when necessary, disable hyperlinks on the email system, avoid using generic email addresses and ensure the system has configured user accounts.

Data recovery capability

Data recovery capability is the ability to restore a system and/or data from a secure copy or image, thereby allowing the restoration of a clean system. Adequate backup facilities for essential information and software should be available to help ensure recovery following a cyber incident.

Retention periods and restore scenarios should be established to prioritise which critical systems need quick restore capabilities to reduce the impact. Systems that have high data availability requirements should be made resilient. OT systems which are vital to the safe navigation and operation of the ship should have backup systems to enable the ship to quickly and safely regain navigational and operational capabilities after a cyber incident. More details on recovery can be found in chapter 7 of these guidelines.

Application software security (patch management)

Safety and security updates should be provided to onboard systems. Ordinary security patches should be included in the periodic maintenance cycle. Critical patches should be evaluated in terms of operational impact on the OT systems. These updates or patches should be applied correctly and in a timely manner to ensure that any flaws in a system are addressed before they are exploited by a cyber attack. If a critical patch cannot be installed, alternative measures should be evaluated to help implement virtual patching techniques.


5.3 Procedural protection measures

Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies. Examples of procedural actions can be:

Training and awareness

Training and awareness are the key supporting elements to an effective approach to cyber risk management as described in these guidelines and summarised in figure 1.

The internal cyber threat should be taken into account. Personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:

• onboard personnel including the master, officers and crew

• shoreside personnel who support the management, loading and operation of the ship.

These guidelines assume that other major stakeholders in the supply chain, such as charterers, classification societies and service providers, will carry out their own best-practice cyber security protection and training. It is advisable for owners and operators to ascertain the status of cyber security preparedness of their third-party providers, including marine terminals and stevedores, as part of their sourcing procedures for such services.

An awareness programme should be in place for all onboard personnel, covering at least the following:

• risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site

• risks related to internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored

• risks related to the use of own devices. These devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment to which they are connected

• risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)

• risks related to poor software and data security practices, where no anti-virus checks or authenticity verifications are performed

• safeguarding user information, passwords and digital certificates

• cyber risks in relation to the physical presence of non-company personnel, eg where third-party technicians are left to work on equipment without supervision

• detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network


• awareness of the consequences or impact of cyber incidents to the safety and operations of the ship

• understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incident-response planning and testing

• procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.

In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.

Further, applicable personnel should know the signs when a computer has been compromised. This may include the following:

• an unresponsive or slow to respond system

• unexpected password changes or authorised users being locked out of a system

• unexpected errors in programs, including failure to run correctly or programs running unexpectedly

• unexpected or sudden changes in available disk space or memory

• emails being returned unexpectedly

• unexpected network connectivity difficulties

• frequent system crashes

• abnormal hard drive or processor activity

• unexpected changes to browser, software or user settings, including permissions.

In addition, nominated personnel should be able to understand reports from IDS systems, if used. This list is not comprehensive and is intended to raise awareness of potential signs, which should be treated as possible cyber incidents.

Access for visitors

Visitors such as authorities, technicians, agents, port and terminal officials, and owner representatives should be restricted with regard to computer access whilst onboard. Unauthorised access to sensitive OT network computers should be prohibited. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and co-ordinated following appropriate procedures as outlined by the company/ship operator. If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.


Upgrades and software maintenance

Hardware or software that is no longer supported by its producer or software developer will not receive updates to address potential vulnerabilities. For this reason, the use of hardware and software which is no longer supported should be carefully evaluated by the company as part of the cyber risk assessment.

Relevant hardware and software installations onboard should be updated to help maintain a sufficient level of security. Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet connectivity, sea time, etc. Software includes computer operating systems, which should also be kept up to date.

Additionally, a number of routers, switches and firewalls, and various OT devices will be running their own firmware, which may require regular updates and so should be addressed in the procedural requirements.

Effective maintenance of software depends on the identification, planning and execution of measures necessary to support maintenance activities throughout the full software lifecycle. An industry standard16 to help ensure safe and secure software maintenance has been developed. It specifies requirements for all stakeholders involved in software maintenance of shipboard equipment and associated integrated systems. The standard covers onboard, onshore and remote software maintenance.

Anti-virus and anti-malware tool updates

In order for scanning software tools to detect and deal with malware, they need to be updated. Procedural requirements should be established to ensure updates are distributed to ships on a timely basis and that all relevant computers onboard are updated.

Remote access

Policy and procedures should be established for control over remote access to onboard IT and OT systems. Clear guidelines should establish who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close co-ordination with the ship’s master and other key senior ship personnel.

All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems which require remote access should be clearly defined, monitored and reviewed periodically.

16 See: Industry standard on software maintenance of shipboard equipment by BIMCO and CIRM (Comité International Radio-Maritime).

Incident: Bunker surveyor’s access to a ship’s administrative network

A dry bulk ship in port had just completed bunkering operations. The bunker surveyor boarded the ship and requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks.

This emphasises the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.


Use of administrator privileges

Access to information should only be allowed to relevant authorised personnel.

Administrator privileges allow full access to system configuration settings and all data. Users logging on to systems with administrator privileges may enable existing vulnerabilities to be more easily exploited. Administrator privileges should only be given to appropriately trained personnel who, as part of their role in the company or onboard, need to log on to systems using these privileges. In any case, use of administrator privileges should always be limited to functions requiring such access.

User privileges should be removed when the people concerned are no longer onboard. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should be applied to any onshore personnel who have remote access to systems on ships, when they change role and no longer need access.
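The rules in this section and in the secure configuration section above (administrator profiles only for senior officers, accounts removed once the holder has signed off, no generic usernames passed between users, and no account without a documented owner) can be checked by reconciling the ship’s account export against the crew list. The following is an added example, not code from the guidelines or their authors; the crew list, account export, rank names and list of generic usernames are constructed assumptions.

```python
"""Account audit against the crew list (constructed example, not from the guidelines).

Each account exported from the ship's systems is checked against the crew
list for four deviations: a generic shared username, no documented owner,
a holder who has already signed off, and an administrator profile held by
someone who is not a senior officer.
"""
from datetime import date

# Ranks treated as senior officers in this example (assumption).
SENIOR_RANKS = {"master", "chief officer", "chief engineer", "second engineer"}

# Usernames that indicate a shared, non-personal account (constructed list).
GENERIC_NAMES = {"admin", "administrator", "bridge", "ecr", "user", "guest", "crew"}

# Date on which the audit is run in this example.
AUDIT_DATE = date(2019, 4, 2)

# Constructed crew list: username -> (rank, sign-on date, sign-off date or None while still onboard).
CREW = {
    "jsmith": ("master", date(2019, 1, 10), None),
    "aperez": ("chief engineer", date(2019, 2, 1), None),
    "lchen": ("third officer", date(2019, 2, 1), None),
    "mkowal": ("electrician", date(2018, 11, 5), date(2019, 3, 15)),
}

# Constructed account export from the ship's systems: username -> holds an administrator profile.
ACCOUNTS = {
    "jsmith": True,
    "aperez": True,
    "lchen": True,      # administrator profile on a junior officer
    "mkowal": False,    # holder signed off on 15 March but the account is still active
    "bridge": False,    # generic shared account
    "svc_rmt": True,    # nobody on the crew list owns this account
}


def audit_accounts(accounts, crew, today):
    """Return (username, finding) pairs for every deviation from the access rules."""
    findings = []
    for user, is_admin in accounts.items():
        if user in GENERIC_NAMES:
            findings.append((user, "generic shared username"))
            continue
        if user not in crew:
            findings.append((user, "no documented owner on the crew list"))
            continue
        rank, _sign_on, sign_off = crew[user]
        if sign_off is not None and sign_off <= today:
            findings.append((user, "holder signed off on %s, account still active" % sign_off))
        if is_admin and rank not in SENIOR_RANKS:
            findings.append((user, "administrator profile held by %s" % rank))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, CREW, AUDIT_DATE):
        print("%-8s %s" % (user, finding))
```

The same reconciliation, run against an export of shore-side remote access accounts, covers the onshore personnel the paragraph above mentions.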

In a business environment, such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors are a risk because they often have both intimate knowledge of a ship’s operations and full access to systems.

To protect access to confidential data and safety critical systems, a robust password policy should be developed17. Passwords should be strong and changed periodically. The company policy should address the fact that over-complicated passwords, which must be changed too frequently, are at risk of being written on a piece of paper and kept near the computer.

Physical and removable media controls

When transferring data from uncontrolled systems to controlled systems, there is a risk of introducing malware. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet. A clear policy for the use of such media devices is important; it must help ensure that media devices are not normally used to transfer information between uncontrolled and controlled systems.

There are, however, situations where it is unavoidable to use these media devices, for example during software maintenance. In such cases, there should be a procedure in place to check removable media for malware and/or validate legitimate software by digital signatures and watermarks.

Policies and procedures relating to the use of removable media should include a requirement to scan any removable media device in a computer that is not connected to the ship’s controlled networks. If it is not possible to scan the removable media onboard, eg the laptop of a maintenance technician, then the scan could be done prior to boarding. Companies should consider notifying ports and terminals about the requirement to scan removable media prior to permitting the uploading of files onto a ship’s system. This scanning should be carried out when transferring the following file types:

• cargo files and loading plans, eg container ship BAPLIE files

• national, customs, and port authority forms

• bunkering and lubrication oil forms

• ship’s stores and provisions lists

• engineering maintenance files.

This list represents examples and should not be seen as exhaustive. Wherever possible, the files and forms should be transferred electronically or be downloaded directly from a trusted source without using removable media.

Incident: Main application server infected by ransomware

A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and, as a result, sensitive data were lost and applications needed for the ship’s administrative operations were unusable. The incident recurred even after complete restoration of the application server.

The root cause of the infection was a poor password policy that allowed attackers to brute force remote management services successfully. The company’s IT department deactivated the undocumented user and enforced a strong password policy on the ship’s systems to remediate the incident.

17 More information can be found in NIST publication SP 800-63-3 Digital Identity Guidelines.

Equipment disposal, including data destruction

Obsolete equipment can contain data which is commercially sensitive or confidential. Prior to disposal of the equipment, the company should have a procedure in place to ensure that the data held in obsolete equipment is properly destroyed and cannot be retrieved.

Obtaining support from ashore and contingency plans

Ships should have access to technical support in the event of a cyber attack. Details of this support and associated procedures should be available onboard. Please refer to chapter 6 of these guidelines for more information on contingency planning.


6 Establish contingency plans

When developing contingency plans for implementation onboard ships, it is important to understand the significance of any cyber incident and prioritise response actions accordingly.

Any cyber incident should be assessed in accordance with chapter 4 to estimate the impact on operations, assets etc. In most cases, and with the exception of load planning and management systems, a loss of IT systems onboard, including a data breach of confidential information, will be a business continuity issue and should not have any impact on the safe operation of the ship. In the event of a cyber incident affecting IT systems only, the priority may be the immediate implementation of an investigation and recovery plan.

The loss of OT systems may have a significant and immediate impact on the safe operation of the ship. Should a cyber incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to help ensure the immediate safety of the crew, ship, cargo and protection of the marine environment. In general, appropriate contingency plans for cyber incidents, including the loss of critical systems and the need to use alternative modes of operation, should be addressed by the relevant operational and emergency procedures included in the safety management system.

Some of the existing procedures in the ship's safety management system will already cover such cyber incidents. However, cyber incidents may result in multiple failures causing more systems to shut down at the same time. The contingency planning should take such incidents into consideration.

Disconnecting OT from shore network connection

Connections between shore and OT systems can be relevant in a wide range of applications like performance monitoring, predictive maintenance and remote support, just to mention a few. Common for these systems is that they are not strictly necessary for operating the ship safely. However, they represent a potential attack vector to the systems that are needed for the ship's safe operation. Therefore, it is relevant to assess when these connections are allowed and under what circumstances. Plans should be established specifying when such OT systems should be temporarily separated from the shore network connection to protect the ship's safe operation. Disconnecting will help prevent the attacker from being able to manipulate safety critical systems or take direct control of the system. Disconnecting could also take place to avoid malware spreading between network segments.

To effectively shut down shore connections, it is important to have the network and connectivity services designed in such a way that the networks can be physically segregated quickly by removing a single network cable (eg marked in an odd colour) or powering off the firewall. This only works if that cable or firewall is the sole path to shore: any secondary link, such as a service provider's own cellular modem on an OT system, must be included in the disconnection procedure, and the procedure should be drilled so that the crew knows which cable or device it is.

Safety management system

The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.


The following is a non-exhaustive list of cyber incidents, which should be addressed in contingency plans onboard:

• loss of availability of electronic navigational equipment or loss of integrity of navigation related data
• loss of availability or integrity of external data sources, including but not limited to GNSS
• loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications
• loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control
• a ransomware or denial of service incident.

Furthermore, it is important to help ensure that a loss of equipment or reliable information due to a cyber incident does not make existing emergency plans and procedures ineffective. Contingency plans and related information should be available in a non-electronic form as some types of cyber incidents can include the deletion of data and shutdown of communication links.

There may be occasions when responding to a cyber incident may be beyond the competencies onboard or at head office due to the complexity or severity of such incidents. In these cases, external expert assistance may be required (for example, post event forensic analysis and clean-up).


7 Respond to and recover from cyber security incidents

It is important to understand that cyber incidents may not disappear by themselves. If, for example, the ECDIS has been infected with malware, starting up the back-up ECDIS may cause another cyber incident. It is, therefore, recommended to plan how to carry out the cleaning and restoring of infected systems.

Knowledge about previously identified cyber incidents should be used to improve the response plans of all ships in the company's fleet, and an information strategy for such incidents may be considered.

7.1 Effective response

A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.

An effective response should at least consist of the following steps:

1. Initial assessment. To help ensure an appropriate response, the response team should find out:
   • how the incident occurred
   • which IT and/or OT systems were affected and how
   • the extent to which the commercial and/or operational data is affected
   • to what extent any threat to IT and OT remains.

2. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software. The content of a recovery plan is covered in section 7.2.

3. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in section 7.3.

4. Prevent a recurrence. Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.


When a cyber incident is complex, for example if IT and/or OT systems cannot be returned to normal operation, it may be necessary to initiate the recovery plan alongside onboard contingency plans. When this is the case, the response team should be able to provide advice to the ship on:

• whether IT or OT systems should be shut down or kept running to protect data
• whether certain ship communication links with the shore should be shut down
• the appropriate use of any advanced tools provided in pre-installed security software
• the extent to which the incident has compromised IT or OT systems beyond the capabilities of existing recovery plans.

It is important for relevant personnel to execute regular cyber security exercises in order to help keep the response capability effective. Cyber security exercises could, where appropriate, be inspired by real-life events and can be simulations of large-scale incidents that escalate to become cyber crises. This offers an opportunity to analyse advanced technical cyber security incidents, but also to help address business continuity and crisis management.

7.2 Recovery plan

Recovery plans should be available in hard copy onboard and ashore. The purpose of the plan is to support the recovery of systems and data necessary to restore IT and OT to an operational state. To help ensure the safety of onboard personnel, the operation and navigation of the ship should be prioritised in the plan. The recovery plan should be understood by personnel responsible for cyber security. The detail and complexity of a recovery plan will depend on the type of ship and the IT, OT and other systems installed onboard.

The incident response team should consider carefully the implications of recovery actions (such as wiping of drives), which may result in the destruction of evidence that could provide valuable information as to the causes of an incident. Where possible, professional cyber incident response support should be obtained in order to assist in preservation of evidence whilst restoring operational capability.

As explained in section 5.1, a data recovery capability is a valuable technical protection measure. Data recovery capabilities are normally in the form of software backup for IT data. The availability of a software backup, either onboard or ashore, should enable recovery of IT to an operational condition following a cyber incident.

Recovery of OT may be more complex, especially if there are no backup systems available, and may require assistance from ashore. Details of where this assistance is available and by whom should be part of the recovery plan, for example by proceeding to a port to obtain assistance from a service engineer.

If qualified personnel are available onboard, more extensive diagnostic and recovery actions may be performed. Otherwise, the recovery plan will be limited to obtaining quick access to technical support.


7.3 Investigating cyber incidents

Investigating a cyber incident can provide valuable information about the way in which a vulnerability was exploited. Companies should, wherever possible, investigate cyber incidents affecting IT and OT onboard in accordance with company procedures. A detailed investigation may require external expert support.

The information from an investigation can be used to improve the technical and procedural protection measures onboard and ashore. It may also help the wider maritime industry with a better understanding of maritime cyber risks. Any investigation should result in[18]:

• a better understanding of the potential cyber risks facing the maritime industry both onboard and ashore
• identification of lessons learned, including improvements in training to increase awareness
• updates to technical and procedural protection measures to prevent a recurrence.

7.4 Losses arising from a cyber incident

For insurers, the term "cyber" includes many different aspects and it is important to distinguish between them and their effects on insurance cover. Some insurers believe that there is no systemic risk to ships arising from a cyber incident and that the impact of an incident will most likely be confined to a single ship.

Companies will be aware that specific non-marine insurance cover may be available to cover data loss and any resulting fines and penalties.

Companies should be able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship from any damage that may arise from a cyber incident.

Cover for property damage

Generally, in many markets offering marine property insurance, the policy may cover loss or damage to the ship and its equipment caused by a shipping incident such as grounding, collision, fire or flood, even when the underlying cause of the incident is a cyber incident. It may be noted that currently in some markets, exclusion clauses for cyber attacks exist. If the marine policy contains an exclusion clause for cyber attacks, the loss or damage may not be covered.

Companies are recommended to check with their insurers/brokers in advance whether their policy covers claims caused by cyber incidents and/or by cyber attacks.

Guidelines for the market have been published, in which marine insurers are recommended to ask questions about a company's cyber risk awareness and non-technical procedures. Companies should, therefore, expect a request from insurers for non-technical information regarding their approach to cyber risk management.

The limited data on the frequency and severity of loss or the probability of physical damage resulting from cyber incidents represents a challenge and means that standard pricing is not available.

18 Based on CREST, Cyber Security Incident Response Guide, Version 1.


Cover for liability

It is recommended to contact the P&I Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.

An incident caused, for example, by malfunction of a ship's navigation or mechanical systems because of a criminal act or accidental cyber attack does not in itself give rise to any exclusion of normal P&I cover. In the event of a claim involving a cyber incident, claimants may well seek to argue that the claim arose as a result of an inadequate level of cyber preparedness. This, therefore, further stresses the importance of companies being able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship.

It should be noted that many losses which could arise from a cyber incident are not in the nature of third-party liabilities arising from the operation of the ship and are therefore not covered by P&I insurance. For example, financial loss caused by ransomware, or the costs of rebuilding scrambled data, would not fall within the cover.

It should, however, be noted that normal P&I cover in respect of liabilities is subject to a war risk exclusion, and cyber incidents in the context of a war or terror risk will not normally be covered.


ANNEX 1 Target systems, equipment and technologies

This annex provides a summary of potentially vulnerable systems and data onboard ships to assist companies with assessing their cyber risk exposure. Vulnerable systems, equipment and technologies may include:

Communication systems
• integrated communication systems
• satellite communication equipment
• Voice over Internet Protocol (VoIP) equipment
• wireless networks (WLANs)
• public address and general alarm systems
• systems used for reporting mandatory information to public authorities.

Bridge systems
• integrated navigation system
• positioning systems (GPS, etc.)
• Electronic Chart Display and Information System (ECDIS)
• Dynamic Positioning (DP) systems
• systems that interface with electronic navigation systems and propulsion/manoeuvring systems
• Automatic Identification System (AIS)
• Global Maritime Distress and Safety System (GMDSS)
• radar equipment
• Voyage Data Recorders (VDRs)
• other monitoring and data collection systems.

Propulsion and machinery management and power control systems
• engine governor
• power management
• integrated control system
• alarm system
• emergency response system.

Access control systems
• surveillance systems such as CCTV network
• Bridge Navigational Watch Alarm System (BNWAS)
• Shipboard Security Alarm Systems (SSAS)
• electronic "personnel-on-board" systems.


Cargo management systems
• Cargo Control Room (CCR) and its equipment
• onboard loading computers and computers used for exchange of loading information and load plan updates with the marine terminal and stevedoring company
• remote cargo and container sensing systems
• level indication system
• valve remote control system
• ballast water systems
• water ingress alarm system.

Passenger or visitor servicing and management systems
• Property Management System (PMS)
• electronic health records
• financial related systems
• ship passenger/visitor/seafarer boarding access systems
• infrastructure support systems like domain naming system (DNS) and user authentication/authorisation systems.

Passenger-facing networks
• passenger Wi-Fi or Local Area Network (LAN) internet access, for example where onboard personnel can connect their own devices[19]
• guest entertainment systems.

Core infrastructure systems
• security gateways
• routers
• switches
• firewalls
• Virtual Private Network(s) (VPN)
• Virtual LAN(s) (VLAN)
• intrusion prevention systems
• security event logging systems.

Administrative and crew welfare systems
• administrative systems
• crew Wi-Fi or LAN internet access, for example where onboard personnel can connect their own devices.

19 This is not considered as Bring Your Own Device (BYOD). Devices are not used to access protected information. They can only be used for an individual's personal, non-company, use.


ANNEX 2 Cyber risk management and the safety management system

IMO Resolution MSC.428(98) makes clear that an approved SMS should take into account cyber risk management when meeting the objectives and functional requirements of the ISM Code. The Guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) provide high level recommendations regarding the elements of an appropriate approach to implementing cyber risk management. The guidance in this annex is designed to provide the minimum measures that all companies should consider implementing so as to address cyber risk management in an approved SMS.

The annex is laid out as a series of actions, each cross-referenced to the relevant ISM Code paragraph and to the chapter of these guidelines that it draws on, followed by remarks on how the action fits into an approved SMS.

IDENTIFY[20]

Roles and responsibilities[21]

Action (ISM Code: 3.2; Industry Guidelines: 1.1): Update the safety and environment protection policy to include reference to the risk posed by unmitigated cyber risks.

Remarks: An updated safety and environment protection policy should demonstrate:
• a commitment to manage cyber risks as part of the overall approach to safety management (including safety culture) and protection of the environment
• an understanding that CRM has both safety and security aspects, but the emphasis is on managing the safety risks introduced by OT, IT and networks
• an understanding that, without appropriate technical and procedural risk protection and control measures, OT is vulnerable to disruption affecting the safe operation of a ship and protection of the environment.

Nothing in the updated policy should suggest that CRM is given any more or less attention than any other risks identified by the company.

Action (ISM Code: 3.3; Industry Guidelines: 1.1): Update the responsibility and authority information provided in the SMS to include appropriate allocation of responsibility and authority for cyber risk management (CRM).

Remarks: In general, IT personnel should understand potential vulnerabilities in computer-based systems and know the appropriate technical and procedural protection measures to help ensure the availability and integrity of systems and data. Operational and technical personnel should generally understand the safety and environmental impacts of disruption to critical systems[22] onboard ships and are responsible for the SMS. Allocation of responsibility and authority may need to be updated to enable CRM. This should include:
• allocation of responsibilities and authorities which encourage cooperation between IT personnel (which may be provided by a third party) and the company's operational and technical personnel
• incorporating compliance with cyber risk management policies and procedures into the existing responsibility and authority of the Master.

Action (ISM Code: 6.5; Industry Guidelines: 5.2): Using existing company procedures, identify any training which may be required to support the incorporation of cyber risk management into the SMS.

Remarks: Cyber awareness training is not a mandatory requirement. Notwithstanding this, training is a protection and control measure that forms the basis of CRM. It helps to ensure that personnel understand how their actions will influence the effectiveness of the company's approach to CRM. Existing company procedures for identifying training requirements should be used to assess the benefits and need for:
• all company personnel to receive basic cyber awareness training in support of the company's CRM policies and procedures
• company personnel who have been assigned CRM duties to receive a type and level of cyber training appropriate to their responsibility and authority.

Identify systems, assets, data and capabilities that, when disrupted, pose risks to ship operations

Action (ISM Code: 10.3; Industry Guidelines: 3 & 4): Using existing company procedures, identify equipment and technical systems (OT and IT) the sudden operational failure of which may result in hazardous situations.

Remarks: An approved SMS will already identify the equipment and technical systems (including OT and IT), and capabilities, which may cause hazardous situations if they become unavailable or unreliable. The impacts should already have been documented in an approved SMS. However, an approved SMS which incorporates CRM will also need to address data in the context of sudden operational failure. Loss of availability or integrity of data used by critical systems can have the same impact on safety and protection of the environment as the system becoming unavailable or unreliable for some other reason. Consequently, it is recommended that the list of equipment and technical systems should be supplemented by a list of the data used by those systems and its source(s).

20 Identify, Protect, Detect, Respond and Recover as described in the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
21 Functional element from the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
22 For the purpose of this annex, "critical systems" means the OT, IT, software and data the sudden operational failure or unavailability of which is identified by the company as having the potential to result in hazardous situations.


PROTECT

Implement risk control measures

Action (ISM Code: 1.2.2.2; Industry Guidelines: 5 and Annex 1): Assess all identified risks to ships, personnel and the environment and establish appropriate safeguards.

Remarks: The full scope of risk control measures implemented by the company should be determined by a risk assessment, taking into account the information provided in these guidelines. As a baseline, the following measures should be considered before a risk assessment is undertaken. The baseline consists of the technical and procedural measures which should be implemented in all companies to the extent appropriate. These measures are:

• Hardware inventory – Develop and maintain a register of all critical system hardware onboard, including authorised and unauthorised devices on company controlled networks. The SMS should include procedures for maintaining this inventory throughout the operational life of the ship.

• Software inventory – Develop and maintain a register of all authorised and unauthorised software running on company-controlled hardware onboard, including version and update status. The SMS should be updated to include procedures for:
   – maintaining this inventory when hardware controlled by the company is replaced
   – maintaining this inventory when software controlled by the company is updated or changed
   – authorising the installation of new or upgraded software on hardware controlled by the company
   – prevention of installation of unauthorised software, and deletion of such software if identified
   – software maintenance.

• Map data flows – Map data flows between critical systems and other equipment/technical systems onboard and ashore, including those provided by third parties. Vulnerabilities identified during this process should be recorded and securely retained by the company. The SMS should be updated to include procedures for:
   – maintaining the map of data flows to reflect changes in hardware, software and/or connectivity
   – identifying and responding to vulnerabilities introduced when new data flows are created following the installation of new hardware
   – reviewing the need for connectivity between critical systems and other OT and IT systems. Such a review should be based on the principle that systems should only be connected where there is a need for the safe and efficient operation of the ship, or to enable planned maintenance
   – controlling the use of removable media, access points and the creation of ad-hoc or uncontrolled data flows. This may be achieved by restrictions on the use of removable media and disabling USB and similar ports on critical systems.

• Implement secure configurations for all hardware controlled by the company – This should include documenting and maintaining commonly accepted security configuration standards for all authorised hardware and software. The SMS should include policies on the allocation and use of administrative privileges by ship and shore-based personnel, and third parties. However, it is not recommended that the details of secure configurations are included in the SMS. This information should be retained separately and securely by the company.

• Audit logs – Security logs should be maintained and periodically reviewed. Security logging should be enabled on all critical systems with this capability. The SMS should be updated to include:
   – policies and procedures for the maintenance of security logs and periodic review by competent personnel as part of the operational maintenance routine
   – procedures for the collation and retention of security logs by the company, if appropriate.

• Awareness and training – See the training action above (ISM Code: 6.5).

• Physical security – The physical security of the ship is enhanced by compliance with the security measures addressed in the ship security plan (SSP) required by the ISPS Code. Measures should be taken to restrict access and prevent unauthorised access to critical system network infrastructure onboard.
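An added example (not from the guidelines) of how the hardware register and the data-flow map from the baseline above can be checked against what is actually observed on the network: devices seen that are not in the register, registered devices not seen, devices that have moved to another segment, and observed connections that have no documented operational need, with those terminating on an OT segment called out separately. The register, the observed devices and the observed connections are constructed; in practice the observed devices would come from switch MAC tables or an ARP sweep and the connections from firewall logs or a packet capture. The Device and Flow structures and the segment names are assumptions.

```python
"""Checking the hardware register and the data-flow map against what is
observed on the onboard network.

Added example, not part of the BIMCO guidelines. Register, observed devices
and observed connections are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    name: str
    segment: str  # assumed segment naming, eg "OT-bridge", "IT-admin"


@dataclass(frozen=True)
class Flow:
    src: str      # system name as used in the register
    dst: str
    port: int
    proto: str


# Constructed hardware register: authorised devices and the segment they belong to.
HARDWARE_REGISTER = {
    Device("00:1a:2b:00:00:01", "ecdis-1", "OT-bridge"),
    Device("00:1a:2b:00:00:02", "ecdis-2", "OT-bridge"),
    Device("00:1a:2b:00:00:10", "engine-hmi", "OT-engine"),
    Device("00:1a:2b:00:00:20", "admin-pc", "IT-admin"),
}

# Constructed observation (eg from switch MAC tables): an unknown device on the
# bridge segment, the admin PC plugged into the bridge switch, and the engine
# HMI not seen at all.
OBSERVED_DEVICES = {
    Device("00:1a:2b:00:00:01", "ecdis-1", "OT-bridge"),
    Device("00:1a:2b:00:00:02", "ecdis-2", "OT-bridge"),
    Device("00:1a:2b:00:00:20", "admin-pc", "OT-bridge"),
    Device("dc:a6:32:11:22:33", "unknown", "OT-bridge"),
}

# Constructed data-flow map: every documented flow carries its operational need.
DOCUMENTED_FLOWS = {
    Flow("ecdis-1", "ecdis-2", 2000, "udp"): "route synchronisation between primary and back-up ECDIS",
    Flow("admin-pc", "shore-gateway", 443, "tcp"): "fleet reporting to shore",
    Flow("engine-hmi", "shore-gateway", 8883, "tcp"): "performance monitoring (can be disconnected)",
}

# Constructed observed connections (eg from firewall logs).
OBSERVED_FLOWS = {
    Flow("ecdis-1", "ecdis-2", 2000, "udp"),
    Flow("admin-pc", "shore-gateway", 443, "tcp"),
    Flow("admin-pc", "ecdis-1", 445, "tcp"),   # IT to OT, not in the map
}


def check_hardware(register, observed):
    """Compare observed devices with the register, keyed by MAC address."""
    reg = {d.mac: d for d in register}
    obs = {d.mac: d for d in observed}
    return {
        "unauthorised": sorted(m for m in obs if m not in reg),
        "not_seen": sorted(m for m in reg if m not in obs),
        "wrong_segment": sorted(
            m for m in obs if m in reg and obs[m].segment != reg[m].segment
        ),
    }


def check_flows(documented, observed, register):
    """Observed connections absent from the data-flow map, and which of those
    terminate on an OT segment (the ones that threaten safe operation)."""
    segment_of = {d.name: d.segment for d in register}
    undocumented = sorted(
        observed - set(documented), key=lambda f: (f.src, f.dst, f.port, f.proto)
    )
    into_ot = [f for f in undocumented if segment_of.get(f.dst, "").startswith("OT")]
    return {"undocumented": undocumented, "undocumented_into_ot": into_ot}


def baseline_report():
    """The two checks together, as a periodic maintenance-routine output."""
    return {
        "hardware": check_hardware(HARDWARE_REGISTER, OBSERVED_DEVICES),
        "flows": check_flows(DOCUMENTED_FLOWS, OBSERVED_FLOWS, HARDWARE_REGISTER),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(baseline_report(), indent=2, default=str))
```

Every non-empty list in the report is a candidate non-conformity for the reporting procedure under DETECT below: an unknown MAC on the bridge segment, a registered device in the wrong segment, or an IT-to-OT connection that nobody documented. The comparison is deliberately keyed on the register, so the register has to be kept current for the check to mean anything; a stale register produces false "unauthorised" findings and, worse, hides genuine ones behind them.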


Develop contingency plans

Action (ISM Code: 7; Industry Guidelines: 6): Update procedures, plans and instructions for key shipboard operations concerning the safety of the personnel, ship and protection of the environment which rely on OT.

Remarks: An approved SMS should already address procedures, plans and instructions for key shipboard operations concerning the safety of the personnel, ship and protection of the environment. In general, these plans should be unaffected by the incorporation of CRM into the SMS. This is because the effect of the loss of availability of OT, or loss of integrity of the data used or provided by such systems, is the same as if the OT was unavailable or unreliable for some other reason. Notwithstanding this, consideration should be given to developing instructions on the actions to be taken if disruption to critical systems is suspected. This could include procedures for reverting to back-up or alternative arrangements as a precaution whilst any suspected disruption is investigated. Procedures for periodically checking the integrity of information provided by OT to operators should be considered for inclusion in operational maintenance routines.

Action (ISM Code: 8.1; Industry Guidelines: 6): Update emergency plans to include responses to cyber incidents.

Remarks: An approved SMS should already address emergency plans for the disruption of critical systems required for the safe operation of ships and protection of the environment. In general, these plans should be unaffected by the incorporation of cyber risk management into safety management systems. This is because the effect of common shipboard emergencies should be independent of the root cause. For example, a fire may be caused by equipment malfunctioning because of a software failure or inappropriate maintenance or operation of the equipment. Notwithstanding the above, consideration should be given to the development of a cyber incident module in the integrated system of shipboard emergency plans for significant disruption to the availability of OT or the data used by them. The purpose of the module could be to provide information on the actions to be taken in the event of a simultaneous disruption to multiple OT systems required for the safe operation of the ship and protection of the environment. In this more complex situation, additional information on appropriate immediate actions to be taken in response may be necessary.

DETECT

Develop and implement activities necessary to detect a cyber-event in a timely manner

Action (ISM Code: 9.1; Industry Guidelines: 5.1): Update procedures for reporting non-conformities, accidents and hazardous situations to include reports relating to cyber incidents.

Remarks: An approved SMS should already address procedures relating to non-conformities. When incorporating CRM into the SMS, company reporting requirements for non-conformities may need to be updated to include cyber related non-conformities. Examples of such non-conformities and cyber incidents:
• unauthorised access to network infrastructure
• unauthorised or inappropriate use of administrator privileges
• suspicious network activity
• unauthorised access to critical systems
• unauthorised use of removable media
• unauthorised connection of personal devices
• failure to comply with software maintenance procedures
• failure to apply malware and network protection updates
• loss or disruption to the availability of critical systems
• loss or disruption to the availability of data required by critical systems.

RESPOND

Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations and/or services impaired due to a cyber-event

Action (ISM Code: 3.3; Industry Guidelines: 7.1): Ensure that adequate resources and shore-based support are available to support the DPA in responding to the loss of critical systems.

Remarks: An approved SMS should already be supported by adequate resources to support the DPA. However, the incorporation of CRM into the SMS should require that this resourcing includes appropriate IT expertise. This resource could come from within the company but may also be provided by a third party. In providing the adequate resources, the following should be considered:
• company or third party technical support should be familiar with onboard IT and OT infrastructure and systems
• any internal response team or external cyber emergency response team (CERT) should be available to provide timely support to the DPA
• provision of an alternative means of communication between the ship and the DPA, which should be able to function independently of all other shipboard systems, if and when the need arises
• internal audits should confirm that adequate resources, including third parties when appropriate, are available to provide support in a timely manner to the DPA.

Action (ISM Code: 9.2; Industry Guidelines: 7.1): Update procedures for implementing corrective actions to include cyber incidents and measures to prevent recurrence.

Remarks: An approved SMS should already include procedures for responding to non-conformities. In general, these should not be affected by the incorporation of CRM in the SMS. However, the procedures should help ensure that consideration of non-conformities and corrective actions involves the personnel with responsibility and authority for CRM. This should help ensure that corrective actions, including measures to prevent recurrence, are appropriate and effective.

Action (ISM Code: 10.3; Industry Guidelines: 7.1): Update the specific measures aimed at promoting the reliability of OT.

Remarks: An approved SMS should already include procedures for operational maintenance routines to promote the reliability of equipment onboard. An SMS which incorporates CRM should outline procedures for:
• Software maintenance as a part of operational maintenance routines – Such procedures should ensure that software updates, including security patches, are applied and tested in a timely manner by a competent person.
• Authorising remote access, if necessary and appropriate, to critical systems for software or other maintenance tasks – This should include authorising access in general (including verification that service providers have taken appropriate protective measures themselves) and for each specific remote access session.
• Preventing the application of software updates by service providers using uncontrolled or infected removable media.
• Periodic inspection of the information provided by critical systems to operators and confirmation of the accuracy of this information when critical systems are in a known state.
• Controlled use of administrator privileges to limit software maintenance tasks to competent personnel.

RECOVER

Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber incident

Action (ISM Code: 10.4; Industry Guidelines: 5.1 and 7.2): Include creation and maintenance of back-ups in the ship's operational maintenance routine.

Remarks: An approved SMS should already include procedures for maintaining and testing back-up arrangements for shipboard equipment. Notwithstanding this, it may not address procedures for maintaining and storing offline back-ups for data and systems required for the safe operation of the ship and protection of the environment. An SMS which incorporates CRM should include procedures for:
• checking back-up arrangements for critical systems, if not covered by existing procedures
• checking alternative modes of operation for critical systems, if not covered by existing procedures
• creating or obtaining back-ups, including clean images for OT, to enable recovery from a cyber incident
• maintaining back-ups of data required for critical systems to operate safely
• offline storage of back-ups and clean images, if appropriate
• periodic testing of back-ups and back-up procedures.


ANNEX 3: Onboard networks

A secure network depends on the IT/OT setup onboard the ship, and the effectiveness of the company policy based on the outcome of the risk assessment. Control of entry points and physical network control on an existing ship may be limited because cyber risk management had not been considered during the ship’s construction. It is recommended that network layout and network control should be planned for all newbuildings.

Direct communication between an uncontrolled and a controlled network should be prevented. Furthermore, several protection measures should be added:

• implement network separation and/or traffic management

• manage encryption protocols to ensure the correct level of privacy and commercial communication

• manage use of certificates to verify the origin of digitally signed documents, software or services.

In general, only equipment or systems that need to communicate with each other over the network should be able to do so. The overriding principle should be that the networking of equipment or systems is determined by operational need.

Physical layout

The physical layout of the network should be carefully considered. It is important to consider the physical location of essential network devices, including servers, switches, firewalls and cabling. This will help restrict access and maintain the physical security of the network installation and control of entry points to the network.

Network management

Any network design will need to include an infrastructure for administering and managing the network. This may include installing network management software on dedicated workstations and servers providing file sharing, email and other services to the network.

Network segmentation

Onboard networks should normally accommodate the following:

1. necessary communication between OT equipment

2. configuration and monitoring of OT equipment

3. onboard administrative and business tasks including email and sharing business related files or folders (IT networks)

4. recreational internet access for crew and/or passengers/visitors.

Effective network segmentation is a key aspect of “defence in depth”. OT, IT and public networks should be separated or segmented by appropriate protection measures. The protection measures used may include, but are not limited to, an appropriate combination of the following:

• a perimeter firewall between the onboard network and the internet


• network switches between each network segment

• internal firewalls between each network segment

• Virtual Local Area Networks (VLAN) to host separate segments.

In addition, each segment should have its own range of Internet Protocol (IP) addresses. Network segmentation does not remove the need for systems within each segment to be configured with appropriate network access controls, software firewalls and malware detection.

Figure 2: example of an onboard network (diagram; labelled elements: Internet, Business administration network, OT network, VPN connection, Network connection, Guest network, Fleet broadband, 4G router, Wi-Fi, Firewall)

In the example shown above, the network has been segmented using a perimeter firewall, which supports three VLANs:

1. the OT network containing equipment and systems that perform safety critical functions

2. the IT network containing equipment and systems that perform administrative or business functions

3. a crew and guest network, providing uncontrolled internet access.


Considerations should be made on how to maximise the security of the switches themselves. To achieve the highest level of security, each network should use a different hardware switch. This will minimise the chance of an attacker jumping between networks due to misconfiguration or by acquiring access to the configuration of a switch.

A correctly configured and appropriate firewall is an important element of the proper segmentation of a network installation. The onboard installation should be protected by at least a perimeter firewall to control traffic between the internet and the onboard network. To prevent any unintended communication taking place, the firewall should be configured by default to deny all communication. Based on this configuration, rules should be implemented. The rules should be designed to allow the passage of data traffic that is essential for the intended operation of that network.

For example, if a specific endpoint receives updates from the internet, the rule should allow the specific endpoint to connect specifically to the server handling the specific update service. Enabling general internet access to a specified endpoint for updates is not recommended.

Uncontrolled networks like a crew or passenger network should not be allowed any communication with the controlled networks. The uncontrolled network should be considered as unsafe as the internet, since the devices connecting to it are unmanaged, their security status (antivirus, updates, etc.) is unknown and their users could be acting maliciously, intentionally or unintentionally.

Monitoring data activity

It is important to monitor and manage systems to be aware of the networks’ status and to detect any unauthorised data traffic. Logging should be implemented in the firewall and ideally in all network-attached devices so that in case of a breach, the responsible person can trace back the source and methodology of the attack. This will help to secure the network from any similar attacks in the future.
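The default-deny firewall policy described above (one specific endpoint allowed to reach only its update server, the uncontrolled guest network cut off from the controlled segments) and the firewall logging recommended here can be tied together: replaying logged flows against the intended policy flags accepted traffic that should never have passed. The following is an added example written for this annex, not code from the guidelines; the segment ranges, hosts, ports and log format are all assumptions.

```python
"""Added example, not code from the guidelines: a first-match, default-deny rule set
for the three-VLAN layout in Annex 3, replayed over constructed firewall log lines
to flag accepted flows the policy would have denied. Addresses, ports, log format: assumed."""
import ipaddress
import re

# Assumed per-segment ranges; the guidelines only require a separate range per segment.
OT = ipaddress.ip_network("10.10.0.0/24")
IT = ipaddress.ip_network("10.20.0.0/24")
GUEST = ipaddress.ip_network("10.30.0.0/24")   # uncontrolled crew/guest VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, src, dst, dport); dport None matches any port. First match wins, and a
# flow matching no rule is denied (the "deny all by default" posture).
RULES = [
    # Uncontrolled network gets no path into controlled segments; these come first so
    # the broad guest-to-internet allow can never override them.
    ("deny", GUEST, OT, None),
    ("deny", GUEST, IT, None),
    ("allow", GUEST, ANY, 443),
    # The update endpoint may reach only the update server (assumed addresses), not
    # the internet in general.
    ("allow", ipaddress.ip_network("10.20.0.15/32"), ipaddress.ip_network("203.0.113.10/32"), 443),
]

def decide(src, dst, dport):
    """Return 'allow' or 'deny' for a flow under the default-deny rule set."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in RULES:
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return "deny"

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(ACCEPT|DROP)")

def audit(log_lines):
    """Return (line_no, src, dst, dport) for flows the firewall accepted although the
    policy denies them: evidence of misconfiguration or unauthorised traffic."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m and m.group(4) == "ACCEPT":
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            if decide(src, dst, dport) == "deny":
                findings.append((n, src, dst, dport))
    return findings

# Constructed sample log lines, not real ship traffic.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z fw src=10.20.0.15 dst=203.0.113.10 dport=443 action=ACCEPT",
    "2024-05-01T10:02:15Z fw src=10.20.0.15 dst=198.51.100.8 dport=443 action=DROP",
    "2024-05-01T10:03:40Z fw src=10.30.0.7 dst=10.10.0.21 dport=502 action=ACCEPT",
    "2024-05-01T10:04:02Z fw src=10.30.0.7 dst=93.184.216.34 dport=443 action=ACCEPT",
]
```

Running `audit(SAMPLE_LOG)` reports only the third line, a guest-network host that was accepted into the OT segment; the ordering of the deny rules before the guest allow is what keeps that flow denied in the intended policy.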

A network Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) can alert the system administrator in real-time of any attacks on the network systems. The IDS and IPS inspect data traffic, entry points or both to identify known threats or to reject traffic which does not comply with the security policy. An IPS should comply with the latest industry best practices and guidelines.

It is recommended to place a sensor on the internet-facing segment, because the public servers are a visible target to attackers. Another sensor should be placed behind the firewall, to monitor traffic between the internet and the internal network. An IDS/IPS sensor could also be placed by a remote-access segment, for instance a Virtual Private Network (VPN).

Protection measures

Protection measures should be implemented in a way that maintains the system’s integrity during normal operations as well as during a cyber incident. Every OT network onboard has several endpoints such as workstations, servers, routers, input and output modules, transducers etc. The endpoints are very important as they control the operation and the security of the system.

A single security product, technology or solution cannot adequately protect an OT system by itself. A multiple layer strategy involving two (or more) different overlapping security mechanisms is desired, so that the impact of a failure in any one mechanism is minimized (see chapter 5.1 defence-in-depth). In addition, an effective defence-in-depth strategy requires a thorough understanding of possible attack vectors on an OT system. These may include:

• backdoors and holes in network perimeter and instruments

• vulnerabilities in commonly used protocols


• vulnerable endpoints and sensors

• unprotected databases.

A secure running environment can be established by using a sandbox, which provides additional protection against cyber threats by isolating executable software from the underlying operating system. This prevents unauthorised access to the operating systems on which the software is running. The sandbox enables software to be run under a specific set of rules and this adds control over processes and computer resources. Therefore, the sandbox helps prevent malicious, malfunctioning or untrusted software from affecting the rest of the system.


ANNEX 4: Glossary

Access control is selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.

Back door is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software.

Bring your own device (BYOD) allows employees to bring personally owned devices (laptops, tablets, and smartphones) to the ship and to use those devices to access privileged information and applications for business use.

Cyber attack is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data.

Cyber incident is an occurrence, which actually or potentially results in adverse consequences to an onboard system, network and computer or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences.

Cyber risk management means the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders.

Cyber system is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems.

Defence in breadth is a planned, systematic set of activities that seek to identify, manage, and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network, or sub-component life cycle. Onboard ships, this approach will generally focus on network design, system integration, operations and maintenance.

Defence in depth is an approach which uses layers of independent technical and procedural measures to protect IT and OT onboard.

Executable software includes instructions for a computer to perform specified tasks according to encoded instructions.

Firewall is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information.

Firmware is software embedded in electronic devices that provides control, monitoring and data manipulation of engineered products and systems. These are normally self-contained and not accessible to user manipulation.

Flaw is unintended functionality in software.

Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.


Intrusion Prevention System (IPS), also known as Intrusion Detection and Prevention Systems (IDPSs), are network security appliances that monitor network and/or system activities for malicious activity.

Local Area Network (LAN) is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media.

Malware is a generic term for a variety of malicious software, which can infect computer systems and impact on their performance.

Operational technology (OT) includes devices, sensors, software and associated networking that monitor and control onboard systems.

Patches are software designed to update software or supporting data to improve the software or address security vulnerabilities and other bugs in operating systems or applications.

Phishing refers to the process of deceiving recipients into sharing sensitive information with a third party.

Principle of least privilege refers to restricting user account privileges to only those that are essential for the account’s function.

Producer is the entity that manufactures the shipboard equipment and associated software.

Recovery refers to the activities after an incident required to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term.

Removable media is a collective term for all methods of storing and transferring data between computers. This includes laptops, USB memory sticks, CDs, DVDs and diskettes.

Risk assessment is the process which collects information and assigns values to risks as a basis on which to make decisions on priorities and to develop or compare courses of action.

Risk management is the process of identifying, analysing, assessing and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

Sandbox is an isolated environment, in which a program may be executed without affecting the underlying system (computer or operating system) and any other applications. A sandbox is often used when executing untrusted software.

Service provider is a company or person, who provides and performs software maintenance.

Social engineering is a method used to gain access to systems by tricking a person into revealing confidential information.

Software whitelisting means specifying the software, which is present and active on an IT or OT system.

Virtual Local Area Network (VLAN) is the logical grouping of network nodes. A virtual LAN allows geographically dispersed network nodes to communicate as if they were physically on the same network.

Virtual Private Network (VPN) enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thereby benefiting from the functionality, security and management policies of the private network.


Virus is a hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a computer program or system.

Wi-Fi is all short-range communications that use some type of electromagnetic spectrum to send and/or receive information without wires.


ANNEX 5: Contributors to version 3 of the guidelines

The following organisations and companies have participated in the development of these guidelines:

Anglo-Eastern Group
Aspida
BIMCO
Chamber of Shipping of America (CSA)
ClassNK
COLUMBIA Shipmanagement Ltd
Cruise Lines International Association (CLIA)
CyberKeel
International Association of Dry Cargo Shipowners (INTERCARGO)
International Association of Independent Tanker Owners (INTERTANKO)
International Chamber of Shipping (ICS)
International Group of Protection & Indemnity Clubs
International Union of Marine Insurance (IUMI)
InterManager
Maersk Line
Moran Shipping Agencies, Inc.
NCC Group
Oil Companies International Marine Forum (OCIMF)
SOFTimpact Ltd
Templar Executives
World Shipping Council