Five commercial carrier organisations have issued the first international guidelines aimed at reducing the risk of cyberattacks against ships.
Cargo vessel groups BIMCO, ICS, INTERCARGO, and INTERTANKO, along with cruise line association CLIA, announced on 4 January that their jointly published “Guidelines on Cyber Security Onboard Ships” will help shipowners prevent safety, environmental and commercial catastrophes that could result from a cyber incident.
“The guidelines launched today should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate,” commented BIMCO secretary general Angus Frew.
The industry groups plan to regularly update the guidelines due to the frequently changing nature of cyber threats and to ensure vessel operators have the latest information available.
Preventing cyberattacks in the maritime sector is gaining attention as private operators become increasingly vulnerable to attacks.
The US Coast Guard in December was alerted to a “business e-mail compromise” against a port facility in which an employee received what turned out to be a fraudulent e-mail from someone posing as the facility’s CEO. The e-mail attempted to convince the employee to pay a company invoice through a wire transfer of USD15,000. An investigation revealed that the CEO’s e-mail address had been spoofed.
“When the staff at a victim business is contacted by the bank to verify the wire transfer, the staff should delay the transaction until additional verifications can be performed,” the Coast Guard advised in a maritime cyber bulletin issued on 28 December.
For shipowners, emails sent to seafarers that contain malicious files or links to malicious websites are one of the ways attackers may attempt to access ship systems and data, the new guidelines warn.
“Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when they provide internet access and email,” according to the guidelines. “They can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety-critical system on board.”
The guidelines point out that vulnerability to cyberattack increases with the growing use of digital, networked navigation systems that connect to shoreside networks. “Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks.”
To reduce the risk, training and awareness should be tailored to the appropriate levels for both onboard personnel, including the master, officers and seafarers, and shoreside personnel who help manage ship operations, the guidelines recommend.
The shipowner groups plan to present the guidelines at the IMO’s Maritime Safety Committee in the spring.