The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks on board. If the ship is under third party management, then the ship manager is advised to reach an agreement with the ship owner. Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements. Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.

Agreements on cyber risk management should be formal and written.

Visits to ships by third parties requiring a connection to one or more computers on board can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians to board the ship and plug in devices, such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to “print official documents” after having inserted an unknown removable media.

Sometimes there is no control as to who has access to the onboard systems, eg during drydocking, layups or when taking over a new or existing ship. In such cases, it is difficult to know if malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly. Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security.

When the lead author for this course (Mark Broster, Managing Director to the eMarimeGroup) was 18, he had his Nova GSI stolen near where he lived in Liverpool.

It was 1994 so please don’t judge the car….

He said to the Police Officer “It is not possible, I just had a Cat 1 immobiliser and state of the art alarm fitted last week!”

The Policeman said “When you had it fitted, did you tell them your address?”

He said “of course, it was in the paper work (mate)”

The Policeman said “Son…. there is a chance, they took your car”

Ken Munro, an external cyber expert stated:

“A small number of shipping insurers are starting to cover cyber related incidents. This is a very brave move in my experience. I gave numerous lectures in and around the Lloyds building in the early days of conventional cyber liability insurance. Cover was being offered with no understanding of the risks involved. Premiums were not appropriate and many underwriters were burned with sizeable losses around data breaches, particularly where punitive mandatory notification, credit monitoring and class actions occurred.”

It is strongly advised operators investigate a specific cyber liability insurance policy for their business operations. Typically, these policies address loss cases such as CEO/invoice fraud, online banking fraud, data loss and business interruption in the case of a hacking incident.

A ‘cyber’ policy is usually constructed to specifically deal with these scenarios, though you may be required to demonstrate a certain level of cyber security maturity and process in order to obtain cover at an acceptable premium.

Some of the worst vessel vulnerabilities are the easiest to find and fix.  Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet, the same issue can affect them all.

Hackers are efficient. If a hacking technique won’t work on vessel operator 1, they’ll try it against operator 2. A good start is to make your organisational cyber security better than your competitors.

Above image form www.areteadvisorsinc.com

Pen Test Partners have been a good friend of the eMaritimeGroup and we would recommend their services.  In particular their blog at:

https://www.pentestpartners.com/security-blog