The ship classification society, Nippon Kaiji Kyokai, also known as ClassNK, is advising the ship building industry to incorporate the IEC 62443 series into their cyber security strategies. As the operational technologies on ships grow increasingly sophisticated, they are also becoming more vulnerable to cyber attacks.
Nowadays, malware regularly hits operational environments, including those in the maritime sector. For example, the 2017 NotPetya malware attack crippled ports, terminals and cargo handling operations.
Since then, ransomware attacks have targeted ports and shipping companies. Seanews reports that cyber attacks on the maritime industry’s operational technology (OT) systems have increased by 900% over the last three years.
Like many other industries, shipping is increasingly dependent on digitalization. With the convergence of OT and information technology (IT), modern shipboard systems, such as those used for navigation, monitoring engines and cargo management, are connected to shore-based infrastructure.
From a cyber security perspective, the challenge is that, unlike business systems, industrial automation and control systems (IACS) are actually designed to facilitate ease of access from different networks.
That is because industrial environments have to cope with different kinds of risk. Whereas IT security focuses in equal measure on protecting the confidentiality, integrity and availability of data — the so-called “C-I-A triad” — in the world of OT, availability is of foremost importance. Priorities for OT environments focus on health and safety and protecting the environment.
In an emergency, it is therefore vital that operators can receive accurate and timely information and can quickly take appropriate actions, such as shutting off power or shifting to backup equipment, in order to protect personnel or to minimize the impacts of natural disasters.
A key challenge, according to a recent IEC Technology Report, is that cyber security is too often understood only in terms of IT (information technology). Those responsible for security often overlook the operational constraints.
IEC 62443 is designed to keep OT systems running. It can be applied to any industrial control system (ICS) environment.
The industrial cyber security programme of the IECEE — the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components — tests and certifies cyber security in the industrial automation sector. The IECEE Conformity Assessment Scheme includes a programme that provides certification to standards within the IEC 62443 series.
ClassNK describes its new guidelines as “a compilation of current best practices for newbuilding designs by shipyards and shipbuilding owners from the perspective of identifying computer systems that should be protected from cyber incidents and of building networks to protect them”. You can download Guidelines for Designing Cyber Security Onboard Ships here.
ClassNK is a not-for-profit non-governmental organization dedicated to ensuring the safety of life and property at sea, and the prevention of pollution of the marine environment.