Cyber Risk Management in the Maritime Transportation System
USCG Lt. Kevin Kuhn February 9, 2018 https://www.hstoday.us/channels/us-coast-guard/cyber-risk-management-mar...
While unmanned ships and autonomous ports are technologically feasible, it will be quite some time before the global maritime community overcomes the fear and uncertainty associated with removing all human control of critical safety, security, and environmentally sensitive shipping operations. We do, however, stand on a precipice where technology has become an essential element of many onboard and shore-based systems that will continue to revolutionize the way shipping operations are conducted.
While the transition to increased dependence on cyber-enabled technologies occurs, the maritime industry must be proactive to maintain the outstanding safety record it has earned. The safety culture embedded in the DNA of our industry was developed over decades of carefully implementing risk management principles into all aspects of shipboard life. In the face of such rapid technological growth, it is this culture of risk management that will provide for a safe transition from the age of diesel to the age of the computer.
Cyber Vulnerabilities in the Maritime Transportation System
While cyber vulnerabilities in shipboard systems are alarming to experts, it takes an unusual skill set and precise timing to use these vulnerabilities to disrupt shipping operations or cause a serious marine casualty. TV shows like Mr. Robot and Silicon Valley introduce the realities of cyber threats to the general public, but the complexities of shipboard systems are unfamiliar to most opportunistic hackers.
GPS jamming, which is nothing new, is one such vulnerability. Jammers work by emitting a signal on the same frequency as a signal from the Global Navigation Satellite Systems (GNSS) at a close range, overpowering the authentic signal. These devices are incredibly disruptive when operated in a densely populated area or near a mass transit hub. To disrupt shipboard navigation, a GPS jammer would have to be positioned in the proximity of the GPS antennas aboard the ship and operate during navigation of a restricted area. That said, disruption of the GPS signal would likely trigger an alert on the navigation system, prompting manual override of the autopilot. It is therefore unlikely that the disruption of a GPS signal could put a ship in a dangerous position, provided the watch officer was alert and acting in accordance with his or her training and procedures.
While this example is really a radio signal manipulation, not a cyber attack, it still portrays the risks of electronic navigation in a tangible example that reveals only the tip of the iceberg.
The voyage data recorder (VDR) is another device that has shown cyber vulnerabilities. A VDR is the shipboard equivalent of an aircraft’s “black box,” and essential during casualty investigations because it records numerous inputs like bridge audio and VHF communications; ship’s position, speed, and heading; watertight and re door status; radar, ECDIS, AIS, and echo depth sounder data; and other inputs, as required by U.S. and international regulations.3
It has been shown that hackers could manipulate data captured by the VDR. For example, a malicious actor could use this vulnerability to cover up the cause of a marine casualty or to remove evidence of criminal activity aboard a vessel. Though the risks associated with VDR vulnerabilities may be minimal since VDRs don’t directly control the movement of a vessel, such vulnerabilities could be magnified when planned in alignment with other malicious activities.
Cargo system manipulation is another area that could cause significant disruptions at a port facility during loading and unloading. It has been a proven method for smuggling goods into a port. This is accomplished by introducing malware that targets the cargo management system into the shipboard network. Once embedded in the cargo management system, the malware allows remote manipulation of the cargo manifest. This technique was used in 2013 to smuggle more than 1,000 kilograms of cocaine through the port of Antwerp.5
Ransomware is yet another effective tool for disrupting the shipping industry. This is a common technique where a virus is introduced into a shipboard network either using phishing emails with attachments, drive-by downloading from the internet, or via a USB storage device. Any computer connected to the network is locked out unless a ransom is paid. There are increasing reports of shipping companies being infected. Some simply pay the ransom to maintain their operational schedule and reduce disruptions.
Sometimes required by manufacturers for warranty purposes, remote monitoring and control of cargo and propulsion systems also present vulnerabilities, and are increasingly prevalent. Legacy operating systems are seldom updated, allowing for considerable vulnerabilities in operational equipment like engine monitoring systems and fire detection systems. While targeted malicious attacks are truly concerning, inadvertent introduction of malware is just as serious—and much more likely to occur. The nature of shipping operations requires numerous users to have access to critical systems, which increases the opportunity for the introduction of malware.
Communications, engineering, cargo control, ballast water management, safety, environmental control, and other systems are similarly vulnerable to such cyber attacks.
Why haven’t we heard about these disruptions in the news? Well … we have occasionally, but perhaps we didn’t take notice because they’ve only caused minimal disruptions to the maritime transportation system and haven’t caused loss of life or significant damage to the marine environment. The risk management culture in the maritime industry has effectively reduced cyber-related risks to a manageable level—for now.
Cyber Risk Management in the Maritime Industry
Risk management addresses cyber-related risks by extending existing safety management techniques to cyber-enabled technologies. Risk management for cyber, much like any other operational risk, involves identifying risks, protecting against threats, detecting problems, responding to incidents, and recovering from an incident by implementing continuous improvement mechanisms.
Much the same as mariners would check the weather prior to departing on a voyage, they should also check cyber-dependent systems to ensure they are up-to-date and functioning properly. Similarly, one would consider safeguarding cyber systems from unauthorized access alongside other security measures, like locking exterior doors or posting a gangway watch in port. The deliberate implementation of a cyber risk management program should be decided by the shipping company and include guidance for personnel at all levels of the organization, from the CEO down to the deckplates.
Over the last five years, many organizations have sought to define how cyber risk management should be implemented on ships, and the overwhelming consensus has been to follow the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). Developed in 2014, the NIST framework defines five functional elements that create the backbone of a sound cyber risk management program. The framework was designed to be generic so it could be employed by any sector, ranging from financial or medical to transportation or security. Groups within the maritime industry have worked from this framework to develop additional guidelines and best practices.
Complementing these efforts, the United States participated with 43 countries in the Inter- national Maritime Organization (IMO)’s Maritime Safety Committee (MSC) to develop IMO guidelines that would provide high-level recommendations to safeguard shipping from current and emerging cyber-related threats and vulnerabilities. The IMO guidelines were finalized in July 2017 as MSC-FAL.1/Circ.3 Guidelines on Maritime Cyber Risk Management. They implement the five functional elements detailed in the NIST framework, with the ultimate goal of embedding these elements into all aspects of company operations and personnel management in the same way industry has embraced safety culture with the adoption and implementation of safety management systems.
The establishment of the IMO guidelines was a significant milestone in the management of cyber risks in the maritime industry. These foundational guidelines, which provide organizations with the key elements for incorporating cyber risk management into existing safety management systems, also empower organizations to further develop best practices and additional implementation recommendations.
In June 2017, the IMO’s Maritime Safety Committee published resolution 428(98) Cyber Risk Management in Safety Management Systems. This resolution affirms that cyber risks are required to be addressed by safety management systems and establishes a deadline of the first annual review of the company’s Document of Compliance after January 1, 2021. This was the first compulsory deadline established in the maritime industry for cyber-related risks, and it is a critical step in protecting the maritime transportation system and the industry as a whole from the ever-growing array of cyber threats.
One industry publication highlighting foundational elements is The Guidelines on Cyber Safety and Security Onboard Ships. Other guidance has been, and is still being, developed by classification societies and other industry associations. The industry as a whole is taking a proactive approach to embed cyber risk management into the existing safety culture before a significant incident occurs, prompting a costly regulatory approach.
Coast Guard Cyber Risk Management Awareness
Signed in June 2015, the Coast Guard Cyber Strategy identified three strategic priorities:
• defending cyberspace
• enabling operations
• protecting infrastructure
Under the Assistant Commandant for Prevention Policy (CG-5P), the focus is on the “protecting infrastructure” priority. Offices within the Coast Guard Headquarters Prevention Directorate (CG-5P), in collaboration with other headquarters directorates and Coast Guard field units and the staffs for the area and district commanders, have made great strides in support of this priority.
These efforts employ two simultaneous lines of effort to implement a CRM regime in the maritime domain through the development of appropriate standards predicated on operational risk management. Vessel-focused CRM is approached from an international perspective through IMO, with an explicit association to the International Safety Management Code paralleling safety management requirements for physical shipboard systems. This includes the use of cyber standards, rules, and guidelines from classification societies. Facility-based CRM is approached from a domestic perspective, employing existing authorities under the Maritime Transportation Security Act, which requires operational risk management.
Shipboard CRM efforts at IMO emphasize the connection between CRM and existing safety management system structures. Following the Maritime Safety Committee’s recommendations published in MSC-FAL.1/Circ.3, efforts now focus on implementation of the guidelines into safety management systems industrywide. Additional work will also be done to encourage industry organizations to further develop their programs and guidance based on best practices. Training for Coast Guard personnel will be necessary to ensure uniform enforcement and outreach efforts throughout the marine safety community.
Facility-based CRM is being advanced through industry outreach, a Navigation and Vessel Inspection Circular, and collaboration with industry and government partners. The Coast Guard’s Office of Port and Facility Compliance is making great progress collaborating with area maritime security committees to leverage industry partnerships. Collaboration with other government agencies has also helped to advance progress toward the protecting infrastructure strategic priority.
Collaboration with the National Institute of Standards and Technology has focused on developing customized profiles of the cybersecurity framework. Such profiles provide tools that allow organizations to apply the NIST cybersecurity framework to their specific operational needs.
The first profile, published in 2016, centered on bulk liquid transfer operations and provides a guide for operators and owners of bulk liquid enterprises to develop a cyber risk management program based on the NIST cybersecurity framework.
Two additional profiles—mobile offshore drilling units and passenger vessel/terminal operations—are nearly complete. The next profile scheduled for early 2018 is for Electronic Navigation and Automation Systems on Vessels and Facilities. The profile development is a very successful means for establishing an open dialogue between industry experts and government representatives in order to advance the cyber posture of all participants.
The Future of Cyber-Dependent Shipping Operations
The future of cyber risk management depends on its effectiveness and ability to gain the trust of the maritime community and the public.
While in recent years we have seen the development of the smart home and self-driving cars, the shipping industry is similarly poised to take the technological leap to the “intelligent ship.” Rolls-Royce has shown in concept, through their Advanced Autonomous Waterborne Applications Initiative, that the future of a minimally manned or even remote-controlled maritime transportation system will be feasible in the near future.9
Though it’s unlikely an unmanned commercial ship will transit under the Verrazano Bridge any time in the next decade, it isn’t the technology preventing it from happening. Rather, it’s the need to ensure the technology is safe, operators are trained to use it properly, and stakeholders are con dent it can be deployed with a minimum risk of incident.
The stakes are great, since a cyber incident at sea involving a remotely operated ship could potentially lead to a serious marine casualty. However, relying on the safety and risk management culture embedded in the maritime industry, cyber risks for systems on these types of ships can be minimized, allowing for the safe transition to occur in the not-so-distant future.
This article was originally published in Coast Guard Proceedings, published in the interest of safety at sea under the auspices of the Marine Safety & Security Council. The views expressed by the authors do not necessarily represent those of the U.S. Coast Guard or the Department of Homeland Security or represent official policy.