Recent cyber attacks to the US Government, the IMO, Maersk, amongst others has caused the world to pay attention to criminal cyber activities by foreign states, terrorists, and criminals. The cyber attack against CMA CGM shut down services for close on two weeks. Two days later, on October 30th the IMO was held hostage by a cyber attack. These attacks follow attacks earlier this year against MSC and COSCO.
As of January 1, 2021 all vessels that have a safety management system must address cyber security in order to maintain ISM certification. The IMO guidelines for cyber security can be found in MSC-FAL.1/Circ.3. This high-level guidance is just the foundation for a proper cyber security program for owners/operators. The circular highlights the importance of protecting vulnerable systems such as:
The thought of having cyber security responsibilities can be chilling to some and burdensome to others. Personally, whenever I think of cyber security I think of some college kid in their parent’s basement trying to get the password to my bank account, which is incidentally empty. Or Even better, Matthew Broderick in War Games. The truth is that hacking scenario, while it still exists is not the predominant cyber crime in the world today. Cyber crimes may be conducted by organized crime, nation states, terrorists, or industrial espionage. On the other side of the fence are the “white hat” hackers whose responsibility and job it is, is to find the weak links in a corporate cyber security chain. They expose weaknesses without exploiting them.
One does not need to be versed in code and hacking to be an efficient cyber security officer. Cyber security is as much about the protection of the system through the hardware as it is through the software. To demystify this field, I checked in with Cyber Security Specialist Cliff Neve, who retired from the USCG Cyber Security unit.
The maritime industry is vulnerable to attacks on both our Information Technology and our Operational Technology. If this is the first time that you are hearing this, you may be just as confused as when Mr. Neve explained this to me. Information Technology (IT) is the software that runs our computers, ECDIS, phone, etc. Operational Technology (OT) is the software and computers that are called upon to operate equipment. OT governs our engines, regulates the angle of our satellite antenna, and governs the processes of our 3D printers.
Cyber security is about protecting our access points. The traditional email from what appears to be mom’s account containing a malicious link. Many of us have recently been receiving calls about our cars’ extended warranty. Considering I no longer own a car, this was certainly a phishing attempt. And no, the Prince of Nigeria does not really have one million dollars to give me.
Our access points are not just within the Matrix. According to Dean Constantine hacking the IT network is only one concern. Cyber criminals have also developed the capability of hacking into our OT, or Operational Technology. Our hardware, like engine controls, steering gear, etc are vulnerable to outside attack from hitherto unknown vectors.
The dangers of installing software cannot be understated. Not all apps that your nerd friend recommends are safe. Or for that matter, updates from the computer manufacturer or operating system provider. According to another expert, Christopher Owen, Bios updates should always be vetted through your in house personnel prior to installing. Bios determines things such as when the fan turns on, how energy is distributed through the computer, ect. It is akin to regulating our heartbeat.
Add on to that the questionability of manufacturer updates as a state sponsored terrorism, and your head may swim. Right here, in the US, our inland waterway vessels utilize chart plotters and ECDIS type software. Not even thinking of the possibility of a problem until too late, it was discovered that the manufacturer utilized software written and updated in Russia.
The world has recently begun to accept Zoom as the dark overlord of conducting meetings. Photobombing, Zoom style, has been highlighted during the pandemic. Much like crashing a party, uninvited attendees will drop in on your meeting, or hijack it. The question has been asked, why has nothing been done about this? Simply put, because no one had to. Prior to the pandemic services such as Zoom were utilized marginally. Now they have become the standard. Simple settings such as setting up a waiting room to admit users and password protect your meetings can go a long way. Citing concerns some companies have switched to alternate meeting platforms.
Following training, it is imperative to maintain the system. Basic things on board such as updating the systems with authorized updates, conducting malware, spyware, and virus detection software, rebooting the computer frequently enough to allow updates to process.
The hiring of a cyber security expert cannot be understated. When ISPS rolled out, security experts were hired around the world to conduct vessel security assessments and assist in writing vessel security plans. If owners and operators have not yet done so, that should be done to comply with the amendments to the ISM code.
Much like our physical security, the first step in maintaining cyber security on board is education and repeated training. Not the kind that is done on a computer with a slide player that you can click through, get to the quiz, and be done in under 5 minutes. The training must be comprehensive and engaging. Educating the user in what safe practices are such as not opening suspicious email, not plugging devices into a ship computer, not allowing use by unauthorized persons,
As a society we have accepted the integration of technology into our everyday lives and businesses. Instantaneous communication and access to information at all hours of the day or night have created a near dependency on our connected technology. As much good as this technology does, simple things to preserve it’s integrity is just as important as staying hydrated in the summer and wearing a hat in the winter. When we consider the possibilities of what could go wrong should critical systems be compromised our spines should chill. At best it can be a minor nuisance, at worst life and property can be lost. Much like standing watch, we must remain alert and vigilant at all times to the possibility of what could be, while working towards keeping what we value safe.