Recently, the Baltic and International Maritime Council (BIMCO) published “The guidelines on Cyber Security onboard ships” (Ref. 1).
In this article, I present a summary of some of the main concepts in the BIMCO guide along with my comments and interpretation. Since the article presents my interpretation of the guide based on my experience in cybersecurity, I recommend reading the original guide as well.
The BIMCO guide follows a risk-based approach to identifying and responding to cyber threats. This is aligned with well-established cybersecurity best practice (e.g. ISO 27001 and NIST SP 800-30, the NIST guide for conducting risk assessments).
The approach taken to cybersecurity and cyber risk management should be company- and ship-specific, but informed and guided by regulations, standards and best practices.
Also, company plans and procedures for cyber risk should be seen as complementary to the existing security and safety plans required by the ISPS and ISM Codes.
The guidelines are designed to develop understanding and raise awareness of cybersecurity issues onboard ships. However, they are not intended to be used as a basis for audit criteria. Although in my opinion, future audit criteria for cybersecurity onboard ships may be derived from this and similar guides.
Cyber security is presented as a management process with the following main steps:
1. Understanding the cyber threat
Cyber risk is specific to the company, ship, operation and trade. A problem we face when assessing ship cyber risk is the lack of historical information about cyber incidents and their impact.
Threats can be posed by different groups that have the motivation and interest to exploit ship cyber vulnerabilities.
The groups and their motivations may be:
- Activists (including disgruntled employees): Reputational damage, Disruption of operations.
- Criminals: Financial gain, Commercial espionage, Industrial espionage.
- Opportunists: Rewarded by the challenge.
- States, State sponsored organisations, Terrorists: Political gain, Espionage.
Cyber attacks may be untargeted or targeted, the latter being more sophisticated and directed specifically at the chosen victim. Untargeted attacks rely on commodity tools (for example phishing e-mails or malware carried on removable media) that compromise any vulnerable system they reach, so a ship does not need to be singled out to be affected.
Users of the Information Technology (IT) and Operational Technology (OT) systems supporting navigation and control onboard ships should be aware of cyber risk and trained to identify and manage it.
2. Assessing the risk
Cybersecurity responsibilities start at the senior management level of the company and then extend to the Master of the ship, the officers including the Ship Security Officer, the IT department and the crew.
Cybersecurity measures concern not only IT but also processes and the crew.
Since cybersecurity controls may have a negative impact on the efficiency of business processes and operations, senior management should be responsible for evaluating and deciding on acceptable levels of risk, countermeasures and trade-offs.
Management needs to decide first on the strategy for applying cybersecurity to business procedures and operations, and then to IT systems.
Vulnerability to cyber incidents depends on several factors, such as the existing controls, accountability for the IT and OT systems, the interfaces and communications between the ship and its supply chain, the sensitive information stored onboard, and the presence of computer-controlled safety systems.
The vulnerability of a system is also influenced by where it sits: stand-alone, directly connected to the Internet, in a controlled network or in an uncontrolled network.
Onboard systems that may be compromised by a cyber attack can include:
- Cargo management systems
- Bridge systems
- Propulsion and machinery management and power control systems
- Access control systems
- Passenger servicing and management systems
- Passenger facing public networks
- Administrative and crew welfare systems
- Communication systems
The impact of a potential cyber incident should be assessed along the information security CIA dimensions (Confidentiality, Integrity, Availability). The guide shows an example categorisation using FIPS 199 (Ref. 2), which rates the impact of a loss of each of the three objectives as Low, Moderate or High.
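As an added worked example (not code from the BIMCO guide or from the original article), the script below applies the FIPS 199 categorisation to a few onboard systems. FIPS 199 rates the impact of a loss of confidentiality, integrity and availability separately, and when a system handles several information types it takes, objective by objective, the highest value assigned (the "high water mark"). The system names and the impact ratings used here are constructed for illustration only; a real assessment has to be specific to the ship and its trade.

```python
"""FIPS 199 style security categorisation of onboard systems.

Added example, not from the BIMCO guide or the original article.  The
systems and impact ratings below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, ordered so that the highest one is the high water mark.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}

# FIPS 199 allows "not applicable" for the confidentiality of public information
# (e.g. published chart data); integrity and availability always get a rating.
NA = "N/A"


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for name in ("integrity", "availability"):
            if getattr(self, name) not in _RANK:
                raise ValueError(f"{name} must be one of {IMPACT_LEVELS}")
        if self.confidentiality not in _RANK and self.confidentiality != NA:
            raise ValueError(f"confidentiality must be one of {IMPACT_LEVELS} or {NA}")

    def high_water_mark(self) -> str:
        """Overall impact level of the system: the highest of the three objectives."""
        rated = [v for v in (self.confidentiality, self.integrity, self.availability) if v != NA]
        return max(rated, key=_RANK.__getitem__)

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")


def _hwm(values: List[str]) -> str:
    rated = [v for v in values if v != NA]
    return max(rated, key=_RANK.__getitem__) if rated else NA


def categorise_system(information_types: List[SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of every information type a system processes.

    Per FIPS 199 the system's value for each objective is the highest value
    assigned to that objective across all its information types.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        confidentiality=_hwm([c.confidentiality for c in information_types]),
        integrity=_hwm([c.integrity for c in information_types]),
        availability=_hwm([c.availability for c in information_types]),
    )


# Constructed example: a bridge ECDIS processing two information types.
ECDIS_INFO_TYPES = [
    # Electronic chart data: public, but a corrupted chart can ground the ship.
    SecurityCategory(confidentiality=NA, integrity="HIGH", availability="HIGH"),
    # Voyage plan: commercially sensitive, recoverable from the paper plan.
    SecurityCategory(confidentiality="MODERATE", integrity="MODERATE", availability="LOW"),
]

# Constructed ratings for three of the system types listed in the guide.
ONBOARD_SYSTEMS: Dict[str, List[SecurityCategory]] = {
    "Bridge (ECDIS)": ECDIS_INFO_TYPES,
    "Cargo management": [SecurityCategory("MODERATE", "HIGH", "MODERATE")],
    "Crew welfare (Internet cafe)": [SecurityCategory("LOW", "LOW", "LOW")],
}


def rank_systems(systems: Dict[str, List[SecurityCategory]]):
    """Return (name, category, overall level) sorted from highest impact down.

    The ranking is a starting point for prioritising controls; the guide's
    cost-benefit step still has to follow.  Ties keep the input order.
    """
    rows = [(name, categorise_system(types), categorise_system(types).high_water_mark())
            for name, types in systems.items()]
    return sorted(rows, key=lambda r: _RANK[r[2]], reverse=True)


if __name__ == "__main__":
    for name, category, overall in rank_systems(ONBOARD_SYSTEMS):
        print(f"{name:30} {category}  -> overall {overall}")
```

Note that the high water mark deliberately ignores "N/A" confidentiality, so public chart data still produces a HIGH system because of its integrity and availability ratings; that is the behaviour a bridge assessment should expect.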
Four phases are recommended for risk assessments:
- Pre-assessment activities
- Ship assessment
- Debrief and vulnerability review/reporting
- Producer debrief (Optional)
The NIST Cybersecurity Framework (Ref. 3) can provide an indication of the maturity of the company's cybersecurity approach.
3. Reducing the risk
Reducing the risk to acceptable levels should be the main objective of the company's cybersecurity strategy.
Given the variety of organisational, procedural and technical measures for managing cyber risk, the implementation of cybersecurity controls should be prioritised using a cost-benefit approach.
How cybersecurity is managed and delegated onboard, and the responsibilities of the Master, officers and other interested parties such as the Company Security Officer, are considered critical.
There are many sources of technical cybersecurity controls. The BIMCO guide refers to the Critical Security Controls (CSC) from the Center for Internet Security (Ref. 4).
The technical cyber security controls mentioned in the BIMCO guide are:
- Limitation to and control of network ports, protocols and services
- Configuration of network devices such as firewalls, routers and switches
- Secure configuration for hardware and software
- Email and web browser protection
- Satellite and radio communication
- Malware defences
- Data recovery capability
- Wireless access control
- Application software security (patch management)
- Secure network design
- Physical security
- Boundary defence
The procedural cyber security controls mentioned in the BIMCO guide are:
- Training and awareness
- Upgrades and software maintenance
- Anti-virus and anti-malware tool updates
- Use of administrator privileges
- Physical and removable media controls
- Equipment disposal, including data destruction
- Obtaining support from ashore and contingency plans
When evaluating controls, whether those mentioned in the BIMCO guide or controls from other sources, the specific requirements of ship IT and OT systems, such as system latency, should be taken into account. For example, all IT systems should have anti-malware installed. However, if an anti-malware agent adversely affects the operation of a system (typically an OT system with real-time constraints, or one the vendor does not support with such an agent), alternative effective controls may be needed, such as network segmentation, application whitelisting or scanning removable media before it is connected.
In addition to the controls mentioned in the BIMCO guide, there are several well-established references for cybersecurity controls that could be used, for example ISO 27002 (Ref. 5) or NIST SP 800-53 (Ref. 6). A useful introductory guide to OT cybersecurity is the CPNI “Good Practice Guide for Process Control and SCADA Security” (Ref. 7).
The BIMCO guide refers to defence in depth as a recommended approach to reducing risk. This is a well-established concept based on several layers of cyber defence, with the most critical systems and information in the innermost layers. Attackers may compromise some of the outer layers, but provided the intrusion is detected, the defenders gain time to react before the critical systems are reached. The layers therefore only buy time if they are monitored; segmentation without detection merely delays an attacker who is never noticed.
The physical security of the ship is probably already based on the defence-in-depth concept. Since a physical breach may have a cyber impact and a cyber attack may impair physical controls, it is recommended to align the cybersecurity controls with the Ship Security procedures and the requirements of the ISM and ISPS Codes.
4. Developing contingency plans
The company should develop, and ships should have, appropriate contingency plans in order to respond effectively to cyber incidents.
According to the BIMCO guide, contingency plans should include consideration of who has decision-making authority, when to call in external experts, and how to communicate.
The most critical elements of ship-related contingency plans mentioned in the BIMCO guide are:
- Response and procedures in the case of disabling, or manipulation, of all types of electronic navigational equipment.
- Response and procedures in the case of disabling, or manipulation, of industrial control systems for propulsion, auxiliary systems and other critical systems.
- Response and procedures to verify that data is intact in cases where cyber attacker penetration is suspected but not confirmed.
- Procedures for handling ransomware incidents.
- Operational contingencies for ships in cases where land-based data is lost.
When a cyber incident is discovered, it is important that all relevant personnel know the exact procedure to follow. It is crucial that contingency plans and related information are available in non-electronic form, since some cyber incidents involve the deletion of data, the compromise of systems and the shutdown of communication links, which can make the electronic copy unusable at the moment it is needed.
References that may be consulted here are the ISO 22301 standard on business continuity management (Ref. 8) and the Good Practice Guidelines of the Business Continuity Institute (BCI) (Ref. 9).
In my opinion, the BIMCO guide presents a well-structured approach to establishing a cybersecurity program onboard ships. I like the focus on risk assessment and management.
Some of the options for risk reduction and cyber controls are outlined in the BIMCO guide. However, other well-established references should also be consulted (e.g. ISO 27002, ISO 22301, NIST SP 800-30, NIST SP 800-53, the CPNI SCADA good practice guide).
In particular, the NIST Cybersecurity Framework referenced in the guide provides a sensible approach to cybersecurity in critical infrastructure.
If you are interested in the application of risk assessment and management to a vessel bridge, and in the use of the Confidentiality-Integrity-Availability (CIA) model for assessing cybersecurity impacts, I suggest reading this blog article:
- 1: BIMCO Guidelines on Cyber Security Onboard Ships: https://www.bimco.org/News/2016/01/~/media/AEEEE215CBE3421F8F7493A6A1B0E521.ashx
- 2: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
- 3: NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/
- 4: CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls/
- 5: ISO 27002: http://www.iso.org/iso/catalogue_detail?csnumber=54533
- 6: NIST SP 800-53: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
- 7: CPNI Good Practice Guide, Process Control and SCADA Security: https://www.cpni.gov.uk/documents/publications/2008/2008031-gpg_scada_security_good_practice.pdf?epslanguage=en-gb
- 8: ISO 22301: http://www.iso.org/iso/catalogue_detail?csnumber=50038
- 9: BCI Good Practice Guidelines: http://www.thebci.org