BIMCO, the world's largest international shipping association representing almost 60% of the world's commercial vessels, in conjunction with CLIA, ICS, INTERCARGO and INTERTANKO*, have announced security guidelines for vessels involved in global shipping.Potential cyber vulnerabilities have become a major consideration due to the growing complexities of onboard operations systems and their linking with many shoreside networks. Although vessels can control the cyber-security of their own systems, they have less cyber-control over the multiple communications necessary with outside organizations.
Real-time data flowing into and from a ship or onshore company opens up any system to attack. Navigation systems including GPS, AIS and ECDIS are extremely vulnerable to hacking, according to a June 2015 article in Marinelink.com. Now that AIS and ECDIS are mandatory for larger commercial and passenger vessels, there is an increased need for a focus on security measures. The same article cites an incident in 2014 involving the grounding of a US naval vessel in the Pacific Ocean that may have been the result of compromised software updates to its ECDIS charts. AIS position data can be transmitted incorrectly for security or fraudulent reasons and in 2013 GPS data was “spoofed” to disorient the navigation system on a luxury yacht.
As described in the guidelines, an attack can range from using information gained regarding cargo confidentiality to achieving full control of a machinery management system resulting in financial loss or loss of life. The new guidelines categorize these threats by impact: low or limited adverse effect; moderate or substantial security breach, and high or catastrophic effect.
Unauthorized access or malicious attacks may have significant consequences for navigation, safety, environment, operations and trade in international shipping. The guidelines suggest approaches that will make ships more resistant to threats of any kind. The first step is an assessment of current operations and systems. A description of possible threats is included to raise awareness of the importance of cyber-security. Some of these threats include outside exploitation from activists, criminals, terrorists, espionage organizations. Inside weaknesses are also identified, such as innocent data breaches or intentional damage from disgruntled employees.
The guidelines include instructions on how to reduce the risk to the shipboard IT infrastructure as well as operations equipment connected to these systems. User and data management protocols are offered as well as a way to implement different levels of access based on users' needs. Business-critical and commercially sensitive information needs a different level of protection than routine operating data.
Development of response, recovery, and contingency plans follow, along with protection and detection measures that can be taken. Configuration of network devices and satellite and radio communication is discussed.
Marinelink.com emphasizes the importance of the maritime industry, a complicated web of oil tankers, container ships and other vessels that transport 90% of worldwide cargo, and the importance of keeping this industry cyber-safe and secure. As ships get smarter and drone ships become commonplace, one can see the inherent risks a vessel which is totally monitored and directed from shore could face. Secure AIS navigation tools will gain in importance in these scenarios and the new guidelines are an intelligent step in that direction.
The January 2016 32-page guidelines (The Guidelines for Cybersecurity Onboard Ships) are available for download from the BIMCO site.
*BIMCO: Baltic and International Maritime Council
CLIA: Cruise Lines International Association
ICS: International Chamber of Shipping
INTERCARGO: International Association of Dry Cargo Shipowners
INTERTANKO: International Association of Independent Tankers