In the last decade, the maritime industry has undergone a period of rapid digitisation; ship’s systems are more connected to the internet, and to each other, than ever before. However, as this rate of connectivity has grown, so too has the risk of cyber incidents and attacks; more connections means more vulnerabilities.
The industry is addressing this increased cyber threat and under IMO Resolution MSC. 428(98), administrations must ensure that cyber risks are appropriately addressed in their ships’ safety management system (SMS). There is a growing industry awareness that cyber risk management should be an inherent part of safety and security on board, and that every member of the crew has a responsibility in ensuring compliance with cyber security best practice.
Ensuring that company plans, procedures and crew training for cyber risk management are in place is a significant task. While the procedures needed to create a cyber secure ship will be the responsibility of IT professionals and the onshore office, there are several proactive and quick steps that a ship’s crew can take to manage cyber security risks on board:
1. Security: Both physical and digital security measures should be in place on board. Endpoint protection (commonly known as ’anti-virus’ software) is a key component of cyber security and should be installed as appropriate and regularly checked for updates. There are a number of different anti-virus software on the market, but a check to see if the IT systems on board your ship are protected will generally involve opening up a PC on board, opening the anti-virus app from the computer’s start menu and selecting ‘check for update’. If you cannot find an anti-virus system installed or the system has not been updated recently, contact the onshore IT department as soon as possible. Physical security is also important. Check to ensure that critical and sensitive systems are sufficiently protected by physical security measures like locks, alarms and CCTV. This check should include the ECDIS computer.
2. USBs: USB drives are extremely vulnerable to malicious software and provide potential attackers with a route to otherwise wellprotected networks. USB drives should, therefore, be used only when necessary and should be “cleaned” using a dedicated USB cleaning station before they are plugged in. A cleaning station can be a dedicated device or simply a desktop computer equipped with anti-virus software (not connected to WiFi or the ship’s network) that is solely used for scanning USBs before they are used. Check to ensure that you have a dedicated USB policy on board and consider setting up a cleaning station if one is not already in use. Check also that any unused USB ports are blocked with USB port blockers (this can be a physical device that plugs into a USB port or software that is set up to restrict access).
3. Passwords: All passwords in use on board should be long and complex, but still memorable. A good trick for creating a sufficiently secure password is to think of a sentence from which the starting letter of each word is used (uppercase/lowercase), together with some numbers and special characters. For this sentence, try to use a quote from a song, book, film or speech or a series of words that are meaningful to you, so that it is easier to remember. Check your onboard password policy: when was the last time passwords were changed? Have all passwords been changed from the manufacturer default? Are passwords only given out to relevant personnel as required? Who is in charge of this? Carry out a visual search of the bridge and check that there are no passwords written down in plain sight, or stuck to computer monitors or keyboards.
4. Updates: Software updates are regularly released by software developers and equipment manufacturers and it is essential that these are applied as soon as possible to ensure that devices are not exposed to security vulnerabilities. Scheduling updates will generally be the responsibility of a company’s IT department, but you should check to ensure that your PCs (and web browsers) are running on the most up to date version of their operating systems. Sometimes systems cannot be updated to the most recent version of an operating system (for example, when there is no modern equivalent software); make a note of any devices you have on board that this applies to, as these systems will need to have extra protective measures in place to protect them from potential vulnerabilities.
5. Personal Devices: A ship’s crew will naturally take numerous personal devices on board with them (phones, laptops, tablets, etc). Any personal device requiring USB charging (even something as innocuous as an E-cigarette) or internet connectivity can be infected with malware and so personal devices should never be plugged into a USB outlet on any OT or IT system. Dedicated chargers or ports should be used to charge personal devices. Consider using USB port blockers and displaying posters around the bridge as helpful visual reminders. Check to ensure that personal devices are connected only to crew WiFi and not the ship’s business network and that they are used in line with the company policy on internet and social media use (if applicable). On joining, new crew members should be encouraged to scan their devices. Consideration should also be given to providing crew members with free anti-virus software for their personal devices. All crew should be aware of the company policy for the use of personal devices on board.
Cyber Security Workbook for On Board Ship Use 2022 Edition, by Witherbys, BIMCO and International Chamber of Shipping is available to order here.