Is this a Maritime Hoax?

With new rules on cyber security coming down from the US Coast Guard, Angeliki Zisimatou, Director Cybersecurity, ABS, is uniquely positioned to discuss maritime cyber security in the round, with insights on what she’s seen and heard from the draft rules and advice on what they could mean for vessel owners. Cyber security and all that it entails is quickly climbing the priority ladder in maritime, as increasing dependence on connectivity is a double-edged sword of promise and peril. While the level of cyber security preparedness varies widely across all industries, perhaps the biggest concern is that some don’t even acknowledge the risk. “Many times, over the last eight years I’ve heard ‘Cybersecurity is a hoax’; I’ve heard that again and again from crews, from operators, from owners,” said Angeliki Zisimatou, Director Cybersecurity, ABS. Those crews, operators and owners believe that their onboard systems are ‘air-gapped’ from onboard connectivity, which leads to a false sense of security.[1]

Step one for ABS is to inform, educate and illustrate that yes, the threat is real. Just ask A.P. Moller-Maersk Group, one of the world’s largest shipping companies, which in 2017 was hit by the NotPetya attack, disrupting operations for 10 days and costing hundreds of millions in revenue.

While maritime collectively has been slow on the cyber security uptake, Zisimatou said large fleet owners and operators are taking the risk seriously, investing heavily in their own secure operation centers, and she is starting to see attitudes change across the industry, particularly when high-profile events like NotPetya grab headlines and illustrate the potential scope of the problem. Regulation, as usual, is another driver, with emerging rules from the International Maritime Organization and the US Coast Guard. “For the smaller and the medium-size operators and owners, I think that regulation is what is driving their actions, so they try to stick to the bare minimum, doing what is mandated or recommended,” said Zisimatou. As new, connected vessels increasingly come online, and a newer generation of seafarers, online natives, increasingly take command of the maritime space, cyber security awareness and action will follow in step. Until then, much work remains. “Lack of knowledge on the topic, [plus] the lack of training and awareness; that applies to the crews and to onshore personnel,” is arguably the biggest gap today, said Zisimatou. “Even shipping companies that know they need to act, they might assign the task to their IT department, and typically, IT personnel have [little or no] knowledge of onboard systems,” presenting a challenge on where to start.

The antiquity of legacy systems running onboard existing tonnage, including Windows NT and other outdated software, poses an equally big challenge in terms of vulnerability. Another potential problem throughout the whole of the maritime supply chain is possessing adequate visibility on maintenance and upgrade of onboard systems: typically, vessel owners and managers have vendors physically come onboard to access and upgrade systems, providing little if any visibility on what has actually been updated and installed on the ships. Getting complete control and visibility on critical system updates and maintenance is yet another priority item on a vessel owner/manager’s ‘to do’ list. But while the gaps and problems are potentially large, the solutions can be easy, at least to start. “I would start with the obvious,” said Zisimatou. “First of all, take it seriously. Consider it an actual risk to your operations and to your business. Follow what is mandated, or what is recommended by IMO, what is recommended by the NIST Cybersecurity Framework. Follow the steps. Start with a very robust risk assessment, and put the right people in the room; people from operations and people from the IT side. Brainstorm; really think of the risks and how to mitigate them. If your identification of risk is poor, the controls that are going to be implemented are poor as well.”

New Coast Guard Rules - Earlier this year, the US Coast Guard published a proposed rule in the Federal Register to update maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for US-flagged vessels, facilities on the Outer Continental Shelf, and U.S. facilities subject to regulations under the Maritime Transportation Security Act of 2002. The new rules are expected to be finalized later this year, and many questions remain on what they will mandate and how they will ultimately impact vessel owner/operator procedure and cost. “We provided some feedback to the Coast Guard as far as to what is potentially missing, or potentially is going to be challenging for the operators,” said Zisimatou. “[At this time] we don't really know whether the new regulation is going to apply to new construction vessels, or to existing vessels, too. That would have a huge impact on US flag vessels.” She said there are some requirements within the proposed rule which talk about segmentation of networks, for example, and especially in existing vessels, where the networks are typically flat, “that would require some extra effort.” But it doesn’t end there. “There are other items as well, like cybersecurity drills every three months required within the regulation, which we think is a little too frequent,” said Zisimatou. “Then there are no specifics; what does it mean, what needs to be tested?”

She said the classification society has recommended that the US Coast Guard take into consideration what IACS has proposed for new construction vessels: how to address the whole supply chain, from the design, commissioning, construction, and operational life of a vessel, but also how it has approached the specific controls, providing a bit more clarity on what class needs to do, what the owner needs to do, and what a shipyard needs to do. “I'm waiting to see the regulation coming out, and I'm sure that the Coast Guard has received plenty of comments that they're working on right now,” said Zisimatou. “I'm eager to see that, and then I think it's going to have a huge impact, especially [later on when] more regulations come out from other flag administrations, based on what the Coast Guard has set out.”

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.marinelink.com/news/cybersecurity-a-hoax-maritime-517915
