Legacy technology inadvertently affecting security

Legacy technology connection – as businesses connect assets – carries significant cyber risk in the maritime industry, writes Craig Wooldridge, maritime cyber baseline certification manager for the IASME Consortium.

The international shipping sector carries around 90 per cent of all world trade and with, at any given time, approximately 50,000 ships at sea or in port, the maritime industry is the world’s largest and most important supply chain.

The industry is currently undergoing a significant digital transformation, driven largely by decarbonisation targets. At the same time, advances in connected technologies are putting significant pressure on maritime organisations to connect their assets and infrastructure in order to stay efficient in a competitive market.

These assets may have legacy technology that was never designed with cyber security in mind, yet they are being connected up to world-wide onshore businesses across the supply chain.

Cyber security is needed not just to secure a vessel’s IT and data, but also to protect the operational technology onboard (like embedded computers to control physical devices or hardware and enable smart maritime systems).

This growing digital threat increases overall vulnerability, and therefore the risk of a cyber-attack occurring onboard a vessel.

The maritime industry is historically a conservative market that does not easily recognise new challenges to its way of operation. Much of the cyber security advice is far too complex to act upon, and IASME believes there is a lack of regular, relevant training.

That being said, cyber security regulations are becoming more stringent.

The International Maritime Organisation now states that ship owners and managers have to incorporate cyber risk management into ship safety. A lack of compliance with these requirements may lead to increased threats of ransomware attacks and terrorist attacks, but also increased insurance premiums, port access denial and detention of ships. The outcome could be high financial losses for the owners and operators.

Cyber risk management within the maritime sector demands an active approach and has to work alongside IMO regulations.

IASME believes (based on its experience with assuring cyber security in other sectors) that the current situation can be addressed with an affordable and understandable certification scheme to support organisations' understanding of the most important controls to put in place for an acceptable level of cyber security.

If all organisations within the maritime sector achieved a baseline assurance certification, this would counter the variability associated with how cyber risk management is addressed within a safety management system under the current IMO guidance.

Currently, there are varying degrees of cyber readiness and security, which in turn prevents the establishment of a commonly understood baseline level of protection.

To take this forward, IASME has developed a Maritime Cyber Baseline certification scheme.

This scheme aims to educate maritime organisations and support them in implementing an achievable level of cyber security within the vessel itself. The organisation completes an online verified assessment, which gives a basic level of assurance, but can be followed by an audited version, which gives a higher level of assurance. Both versions will help organisations align to the requirements of the IMO guidelines.

The ideal is that the Maritime Cyber Baseline certification scheme can become a recognised standard that shows that owners, operators and builders of all vessels have taken their cyber security seriously and have put controls and processes in place to help reduce the risk of a cyber-attack occurring onboard the vessel itself.
