
Cyber security, the future battlefield of the shipping industry?

Recently, Xinde Marine News interviewed Alex Zhang, Cyber Security Manager at LR, and CY Song, Pre-sales Consultant for Cyber Security at LR. Both highlight the necessity of cybersecurity in the shipping industry.

1. Could you give me an introduction to the IMO2021 regulation on maritime cybersecurity?
 
Alex: Sure. IMO2021 is a euphemism for IMO Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems, which was adopted by the Maritime Safety Committee at its 98th session in June 2017. At the moment, this resolution is still a non-mandatory recommendation from the IMO as opposed to a regulation, as the resolution ENCOURAGES Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. What does it mean for the shipping operators who are holding on to the DOC? They will have to incorporate cyber security into the company's safety management system in a documented manner, and this will be audited by the administration and the recognized organization (RO) in order to maintain their DOC status. However, owners risk having ships detained if they have not included cyber security in the ISM Code safety management on ships by 1 January 2021.
 
On the other hand, IMO has pushed out a "guideline on maritime cyber risk management", MSC.FAL.1/Circ.3, in 2017, giving high-level recommendations to the maritime community to safeguard shipping from current and emerging cyber threats and vulnerabilities. At the end of the day, IMO recommends that the respective flag administrations shall take the lead to develop flag state regulations on cyber security, and aside from that, operators may look at other relevant international and industry standards and best practices. Such standards and best practices include the following frameworks:
 
- BIMCO guidelines on cybersecurity onboard ships
- ISO/IEC 27001 standard on information technology
- United States National Institute of Standards and Technology Framework on Cybersecurity (NIST Framework)
 
Therefore, a good recommendation to vessel operators will be to start developing an organizational cyber security strategy now, as a proper implementation of a cyber strategy requires a good amount of time and effort, so that they will not be caught ill-prepared in 2021.
 
2. Cyber incidents are becoming more and more prevalent, so why do we not hear so much about them in the maritime industry?
 
CY Song: The maritime industry is a bit behind when it comes to cyber maturity, awareness, readiness and willingness to invest. As such, it does not follow that we do not hear much about maritime cyber incidents because they are not happening. Instead, it is because maritime organizations do not share their breaches unless they have to. At the global level, organizations are highly encouraged to talk to the wider community when incidents take place in their environments. This is because companies rely largely on their security solution vendors, like anti-virus software, to protect themselves. At the same time, these vendors need as much cyber threat information as they can get to improve their products and protect their clients better. As such, if the company that gets hit first by a new variant of malware shares the incident with the community, other companies can be better prepared for this specific malware, and vendors can also make sure that their products defend clients against this threat effectively. Unfortunately, simply to look good, maritime companies choose not to share their breaches and do their best to minimize the apparent impact. They still lack the mindset of engaging professionals to advise them on how they can defend themselves more systematically.
 
Additionally, due to the lack of technical capability, especially detection capability, it is hard for maritime organizations to even know about their breaches. Much of today's malware chooses to hide in victims' environments quietly without causing any major disruptions. By doing this, information is being monitored or even stolen day in and day out. This malware is carefully crafted, so even the most advanced cyber technologies cannot guarantee 100% detection. This is why the concept of "Defense in Layers" was introduced. Mature companies put a series of advanced cyber technologies in place to increase their chance of detecting malicious activities. However, maritime companies will struggle to even detect these activities due to the shortage of security budget.
 
3. Why will it be a "more prevalent" issue, like "scrubbers" and "BWMS" are at the moment? And which principal parts of the shipping industry will be most prone to cyber security issues?
 
Alex: My honest opinion is that cyber security will be an even more prevalent and critical issue than those systems. The reason is that for these environmental issues, once the solution is provided, it is possible to eradicate the problem permanently. If the BWMS is installed and operates properly, the problem is resolved. This is not the case for cyber security, where the attacks are getting more complex every single day and there is not a single solution which can successfully prevent cyber-attacks entirely; the best that we can do is to reduce the cyber risk as much as possible. Businesses need to see cyber security as an ongoing exercise that will possibly never see an end point, as new malware and new methods of attack are developed daily.
 
Since cyber security is a universal issue, I would say that all in the maritime community are equally prone to cyber attacks. We have already seen many cases of cyber security breaches within the maritime industry which involved port operators, ship owners, managers, ship brokers and shipyards, meaning that there is really no safe haven from cyber attack. However, I would like to emphasize the importance of evaluating the cyber posture of third-party service providers, since in many cases cyber incidents happened due to third parties introducing tremendous risk to business operations, data security, and even the technical integrity of products and services. Questions businesses need to ask are: has the vendor done their own organizational cyber assessment? If yes, can they show evidence of the assessment? Have their products been tested for vulnerabilities and backdoors? Do they have a system in place to continuously regulate their cyber risk?
 
The reason why managing third-party cyber risk matters is that shipping lines are often not the target of the cyber attack, but they are the victims of the collateral damage of cyber incidents. This can be seen from the Maersk NotPetya incident, where a Ukrainian accounting software, M.E.Doc, was breached and Maersk Ukraine happened to be using that software. The M.E.Doc software was backdoored 3 times within 3 months, and its servers had been left without updates since 2013. Certainly we should pay more attention to managing third-party cyber risk, because this is something within the control of the principal companies.
 
4. What could the maritime industry learn from other industries that are more mature in cyber?
 
CY Song: Organizations do not become mature in cyber overnight. They take one step after another to put more elements into their cyber security program to become more mature. What the maritime industry will go through in the next few years will be comparable to what other industries, such as banking and insurance, went through 10 years ago, for example. Because of this, the maritime industry can directly learn from the mistakes those industries made and avoid the same.
 
Personally, I would highly recommend all maritime companies to start with a risk assessment. It is only when the risks are properly understood and captured that one can start thinking about what kind of security measures to put in place. Through the assessment, organizations can understand their own risk appetite better. Based on that, they can then look for companies of similar risk appetite in other industries and see how much they are spending on cyber each year and what their security programs consist of. By doing that, organizations can easily get an idea of what services/solutions they need to subscribe to in order to reach a certain level of security.
 
5. What can Lloyd's Register offer on cybersecurity?
 
Alex: Lloyd's Register acquired Nettitude, a top British cyber security firm, last year, to offer comprehensive cyber security solutions in information security consultation, assurance testing and managed security services (24/7 security operation centre and incident response). We have a good reputation in providing penetration testing, red teaming and intelligence-led testing services to help our clients identify system and process vulnerabilities. Our services are CREST-accredited, which means that all of us have undergone extremely rigorous certification processes, and if you look around we are pretty much the only provider in the maritime industry with this accreditation.
 
6. What other cybersecurity regulations should the shipping community take note of?
 
Alex: In fact, there are a number of maritime vetting requirements on cyber security that have already taken effect, such as the OCIMF TMSA3 and VIQ cyber requirements, the RightShip cyber inspection requirement and the BIMCO Cyber Security Clause. As most of the oil majors and commodity traders will be reluctant to charter a vessel from a company with a rating less than TMSA3 level 2, a lack of implementation of cyber security will inevitably result in a competitive disadvantage for the owner. Ultimately, charterers in most commodity shipping will want to see that their cargo is carried on a vessel that is cyber-secured and managed by a company that practices adequate cyber security.
 
Most of these require operators to have a set of cyber policies and procedures, the ability to detect, respond to and recover from a cyber-attack, and to conduct awareness training on a regular basis. These are not very prescriptive requirements, but we see that the industry is moving in the right direction, albeit the pace of change is slow.

The opinions expressed herein are the author's and not necessarily those of The Xinde Marine News.
