Like many other industries, shipping is increasingly dependent upon digitalisation and automation. With the convergence of operational technology (OT) and information technology (IT), more systems are being connected to the Internet.
A recent study commissioned by Inmarsat earlier this year showed that the maritime industry has one of the most favourable attitudes towards the adoption of analytic, management and operational tools based on the internet of things (IoT).
A number of reasons have been given for the implementation, or planned implementation, of IoT solutions. They include:
- reducing costs,
- optimising shipping routes,
- monitoring fuel consumption to comply with fuel efficiency regulations, and
- cutting insurance premiums.
While the advantages provided by IoT solutions are evident, there is a downside: the risk of unauthorized access to, or malicious attacks on, the ship and its systems. Strong cyber security is required.
A recent presentation by Pen Test Partners (PTP) at the Infosecurity Europe conference demonstrated multiple methods for attacking shipping vessels, made possible by weak default passwords, failure to apply software updates and lack of encryption. PTP was able to do so using Shodan, the IoT search engine, which also publishes a ship tracker.
Putting in place safeguards
In July 2017, the International Maritime Organization (IMO) published its Guidelines on maritime cyber risk management. These Guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from cyber threats.
The Guidelines provide a cyber risk management framework that includes:
- Identify: Define roles and responsibilities for cyber risk management and identify the systems that can pose risks to ship operations when disrupted.
- Protect: Implement risk control processes and measures, and contingency planning.
- Detect: Implement actions to detect a cyber-event.
- Respond: Implement activities and plans to restore systems necessary for operations.
- Recover: Identify measures to back up and restore cyber systems impacted by a cyber-event.
The Guidelines also recommend the adoption of ISO/IEC 27001 which specifies the requirements for establishing and maintaining an information security management system (ISMS). The Standard has been developed by ISO/IEC JTC 1/SC 27 on IT security techniques.
IEC TC 80 developed IEC 61162-450:2018, which specifies interface requirements for communication between shipboard navigation and radiocommunication equipment. An addition to the Standard, IEC 61162-460:2018, is also available should higher safety and security be necessary, for example because of higher exposure to external threats or to improve network integrity. Both of these Standards were published in 2018.
Cyber security is the focus of the IEC Conformity Assessment Board (CAB) Working Group 17 and IEC Conformity Assessment for Electrotechnical Equipment and Components (IECEE) Certification Management Committee Working Group 31.