Cyber Security Workbook for On Board Ship Use - 3rd Edition 2022

In recent years, the shipping industry has undergone a digital revolution: internet connectivity on board has become common and ship’s systems are increasingly digitised and integrated. With this growing level of connection, comes greater risk. Ships are now a common target for hackers and it has become crucial that the entire crew has an understanding of how and when cyber attacks can occur.

Using detailed, step by step checklists, Cyber Security Workbook for On Board Ship Use provides a ship’s Security Officer with the practical skills to identify cyber risks and to protect vulnerable onboard systems. It also gives guidance on how best to detect, respond and recover in the event of a cyber attack.

This workbook will help to ensure that cyber risks are appropriately addressed in the onboard SMS (as required by IMO Resolution MSC.428(98)). It will also benefit shipowners, ship managers, ports and their IT departments.

This publication has been produced by BIMCO, ICS (International Chamber of Shipping) and Witherby Publishing Group.

Harvesting the full potential of data gathering with the implementation of digital technologies and improved connectivity can certainly bring commercial benefits. However, in parallel, cyber criminals are refining their methods and developing techniques that cause disruptions to business and create hazardous situations for ships, their crew, the environment and the cargo.

Building on the latest Guidelines for Cyber Security On Board Ships (version 4) the Cyber Security Workbook for On Board Ship Use goes one step further and translates the high-level guidelines into operational tools and checklists for use on board ships. The workbook is an indispensable complement to the Guidelines and is highly recommended reading for ship officers and shore staff with a cyber security risk management role.

David Loosley
Secretary General & CEO

Cyber attacks are on the rise, with criminals and State actors all setting their sights on shipping. This is a threat we cannot ignore. Our vessels have become more technologically advanced, with the growth of the Internet of Things and our shipboard systems increasingly connected to the internet and to systems ashore. Today’s modern ships are a target-rich environment for cyber attackers. A number of high-profile incidents on major shipping companies in recent years have demonstrated the serious potential for major disruption to operations and safety for maritime trade. It is essential that shipping remains resilient against these threats if it is to continue to carry the vast bulk of global trade safely and securely.

Awareness of the threat presented by cyber attack to shipping has increased, as have the mechanisms to reduce it. The IMO requirement to include cyber risk management in the Safety Management System from 1 January 2021 has brought cyber risk management into the statutory realm. Class and insurance requirements now also play a role in maintaining the cyber security of ships. Today, the shipping industry is better placed than ever to safeguard the vital service It provides from cyber attack. However, we should not grow complacent; regular risk assessments of your company’s cyber weak spots, training and awareness campaigns for staff and plans for recovery if a cyber attack occurs are all essential to stay resilient to the ever-changing threat landscape.

Cyber security is central to the safe and secure operation of ships and shipping companies, and this guidance provides a comprehensive resource to understand the threat and practically and continually mitigate against the risks it presents to maritime transport.

Guy Platten
Secretary General
ICS

List of Checklists provided within this Workbook vii

Abbreviations/Definitions ix

Section 1 – Introduction 1
1.1 Cyber Security Risk Management – IMO Requirements and Guidelines 1
1.1.1 Supporting Regulatory Guidelines 1
1.2 Cyber Outlook for Shipping 1
1.3 Purpose of this Workbook 2
1.4 Checklists 2

Part I – Onboard Practical Considerations 3

Section 2 – Identifying Risks 5
2.1 Vulnerable Ship Systems 5
2.2 What is a Cyber Attack? 7
2.2.1 Attacker Profiles 7
2.2.2 Types of Cyber Attack 8

Section 3 – Protection, Prevention and Training 13
3.1 Prevention of Malware Attacks 13
3.2 Software Updates 14
3.3 Endpoint Protection 15
3.3.1 Anti-virus 15
3.4 Passwords 16
3.4.1 Creating Passwords 16
3.4.2 Managing Passwords 16
3.4.3 User names 19
3.5 Cyber Security and the SMS 20
3.5.1 Cyber Security and the Ship Security Plan (SSP) 20
3.6 Crew Considerations and Training 21
3.6.1 Key Aspects of Crew Training 21
3.6.2 Unintentional Cyber Breaches by the Crew 22
3.6.3 Evaluating crew 22
3.6.4 Training for Non-Crew Members 23
3.6.5 Designing a Training Programme 23
3.6.6 Cyber Security Drills 24
3.6.7 Cyber Security Familiarisation 26
3.6.8 Example of a Cyber Security Familiarisation Checklist for New Crew Members 27
3.6.9 Social Media 28
3.6.10 Travelling in Cyber Safe Mode 29
3.6.11 Crew Training Cyber Security Checklist 30
3.7 Ship Inspections and Port State Control 32
3.7.1 Port State Control Inspections 32

Section 4 – Detect, Respond and Recover: General Principles 33
4.1 Detecting a Cyber Incident 33
4.2 Detecting a Cyber Incident Checklist 35
4.3 Incident Response 36
4.3.1 Third Party Support 37
4.3.2 Cyber Recovery Plan 38
4.3.3 Backups 39
4.4 Responding to a Cyber Incident On Board Checklist 40

Section 5 – Detect, Respond and Recover: Ship’s Business Systems 41
5.1 Onboard Business Computers 41
5.1.1 USB Ports and Drives 41
5.1.2 USB Port Blockers 41
5.1.3 USB Cleaning Stations 42
5.1.4 Personal Devices and USB Ports 43
5.1.5 Onboard Business Computer Checklist 45
5.2 Network Segregation On Board 47
5.2.1 Existing/Simple Networks 47
5.2.2 Segregated Networks 47
5.2.3 Achieving a Segregated Network 47
5.2.4 Maintaining a Segregated Network 48
5.2.5 Benefits of Network Segregation 48
5.2.6 Vulnerable Systems On Board 48
5.3 Network Segregation Checklist 49
5.4 Wireless Networks 50
5.4.1 Business WiFi 50
5.4.2 Crew WiFi 50
5.4.3 Guest Access 51
5.4.4 WiFi Network Security 51
5.4.5 Virtual Private Network (VPN) 51
5.4.6 Networks (Wireless and Wired) 52
5.5 Satellite Communications Equipment 53
5.5.1 Satcom Passwords 53
5.5.2 Admin Password Security 53
5.5.3 Confirming that the Satcom System is Not Available from the Public Internet 53
5.5.4 Is the Software Running on the Satcom System Kept Up to Date? 54
5.5.5 Applying Updates to Satellite Terminals 54
5.5.6 Physical Security of the Satellite Terminal 55
5.5.7 Software Security of the Satellite System 55
5.5.8 Satellite Communications Checklist 57
5.6 Mobile (Cellular) Data Connections 58
5.7 Connecting to Shore WiFi in Port 59
5.7.1 Crew Connecting to WiFi Ashore 59
5.7.2 Shore WiFi in Port/Shore Cellular Data Checklist 60

Section 6 – Detect, Respond and Recover: OT Systems 61
6.1 Understanding OT Systems 61
6.2 Engine Department Considerations 63
6.3 OT Systems Checklist for Crew 65
6.4 ECDIS Security 66
6.4.1 Updates 66
6.4.2 Physical Security 66
6.4.3 ECDIS Recovery 67
6.4.4 Recognising Genuine NAVTEX Messages 67
6.4.5 ECDIS Cyber Security Checklist 68
6.5 GNSS Security 69
6.5.1 GNSS Input Data 69
6.6 Cyber Security Checks on the Navigation Bridge during Watchkeeping 70

Part II – IT Department and Shoreside Management 71

Section 7 – Key Considerations 73
7.1 Cooperation between the office IT department and the technical department 73
7.1.1 New build or retrofit project 73
7.1.2 Securing the supply-chain 73
7.1.3 Cyber-security Working Group 75
7.2 Cooperation between the office and the ship crew 77
7.2.1 Maritime Cyber Security Management 77
7.2.2 Cyber Security and the Safety Management System (SMS) 78
7.2.3 Cyber Security and the Ship Security Plan (SSP) 81
7.2.4 Onboard resources according to the ship types 82
7.3 Ship’s Network Architecture 83
7.3.1 IDMZ 83
7.3.2 Data Diodes (unidirectional gateways) 87

Section 8 – OT Systems Management 89
8.1 OT Asset Management and Risk Assessment 89
8.1.1 Asset Management 89
8.1.2 Asset Risk Assessment 90
8.1.3 Asset Management and Risk Assessment Checklist 93
8.2 Securing OT Systems 94
8.3 Securing the Ethernet IP Network Used by OT Systems 96
8.3.1 Converter Security 96
8.4 Intrusion Detection Systems (IDS) 98
8.5 OT Systems Checklist for IT Department 99

Section 9 – IT Systems Management 101
9.1 Remote Access 101
9.1.1 Remote Access Checklist 103
9.2 Vulnerability Scanning 104
9.3 Disaster Recovery/Backup 106
9.4 Uninterruptible Power Supply (UPS) for IT/OT systems 107

Annexes 109
Annex 1 – Cyber Security Assessment 111
Annex 2 – Model Cyber Security Plan 117
Annex 3 – Checking for Windows Updates 137
Annex 4 – Creating User Accounts 141
Annex 5 – Checking for Segregated Networks 149
Annex 6 – How to Check that Anti-virus Software Updates are Applied 153
Annex 7 – Planning a Crew Training Session 155
Annex 8 – NMEA 0183 157
Annex 9 – Regional Regulatory Guidance 163
Annex 10 – Further Resources 167

BIMCO

BIMCO is the world’s largest direct-membership organisation for shipowners, charterers, shipbrokers and agents. In total, around 60% of the world’s merchant fleet is a BIMCO member, measured by tonnage (weight of the unloaded ships).

The organisation has NGO status and is based in Copenhagen, Denmark, with offices in Athens, Singapore and Shanghai.

With around 1900 member companies across 120 countries, from the largest shipowners in the world to small local port agents and law firms, BIMCO represents a wide range of maritime companies and organisations.

BIMCO’s goal is to secure a level playing field for the global shipping industry. BIMCO therefore works to promote and secure global standards and regulations for the maritime sector. The organisation’s century long effort into creating standard contracts and clauses is an expression of that aim.

ICS

The International Chamber of Shipping (ICS) is the principal international trade association for the shipping industry, representing shipowners and operators in all sectors and trades.

ICS membership comprises national shipowners' associations in Asia, Europe and the Americas whose member shipping companies operate over 80% of the world's merchant tonnage.

Established in 1921, ICS is concerned with all technical, legal, employment affairs and policy issues that may affect international shipping.

ICS represents shipowners with the various intergovernmental regulatory bodies that impact on shipping, including the International Maritime Organization.

ICS also develops best practices and guidance, including a wide range of publications and free resources that are used by ship operators globally.

https://www.ics-shipping.org/about-ics/about-ics

Witherbys

Witherbys titles are developed using scripts developed by technical experts that are peer reviewed within work groups. Typically, they seek to improve understanding of the regulations, recommendations and guidelines issued by Industry.

Witherbys staff have significant expertise in the fields of navigation and hazardous cargoes as well as in the presentation of complex subjects in a graphic and easy to understand manner.