Release of the 3rd edition of the cybersecurity best practices guide for the maritime industry
There are many recommendation guides for implementing cybersecurity measures in the maritime sector. Perhaps too many, and of uneven quality, which can sometimes make things difficult to navigate (put yourself in the shoes of the seafarer or the shipowner who must understand and apply them).
Among these guides, one nevertheless stands out as a reference, both because of the number of associations and major industry stakeholders involved in its development (21 in total) and because it addresses the maritime world in its own terms, adapting cyber threats to the specific characteristics of this sector. This guide, “The Guidelines on Cyber Security Onboard Ships,” has just been released in its third edition.
It is the result of long-term collaboration between shipowner associations and industry groups, including BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF, and the WORLD SHIPPING COUNCIL.
Beyond the usual recommendations found in such publications, two aspects deserve particular attention: the inclusion of new incidents affecting the maritime sector, and a better recognition of the sector’s specific characteristics.
Regarding incidents, the guide lists several events that have affected the maritime sector, mainly as examples. In addition to publicly known incidents for which I had already compiled an initial list, a few particularly illustrative ones stand out.
Two incidents are directly related to USB devices, which are frequently used to update systems, perform maintenance operations, or transfer files to and from maritime information systems that are not connected to networks:
- Ships infected by one—or even two (!)—ransomware strains, with the source of infection coming from external partners (industrial or commercial) rather than negligence by the crew. This highlights the importance of bilateral protection measures with all external stakeholders interacting with the company and the vessel. Interestingly, in one case the shipowner paid the ransom. The report notes that weak or absent passwords on remote maintenance tools, and even undocumented accounts, contributed to the infections.
- Another case involved a bunker supplier who requested access to the engine room to print documents for signature. His infected USB drive compromised part of the vessel’s office network, although it did not affect the control systems, which were probably isolated at the network level (fortunately). In another case discovered during a penetration test, malware was found on a system not connected to the Internet but designed to be. The malicious code, introduced via a USB device, had been present in the system for… 875 days (infection occurred during software installation). Penetration testers: the maritime sector clearly offers opportunities.
The guide also lists several incidents involving ECDIS (Electronic Chart Display and Information System). These fall within the feared events previously mentioned on this site, so the findings are not surprising. What is striking, however, is how excessive reliance on digital systems (ECDIS) without reliable fallback solutions (paper charts) can undermine the resilience and availability of the vessel:
- A virus infection of an ECDIS system delayed the launch of a new vessel (which had no backup paper charts). The guide notes that neither the captain nor the crew initially identified the issue as having a cyber origin. It took considerable time for a technician sent on site to determine that both ECDIS networks on board had been compromised. The cost of the incident was estimated at several hundred thousand U.S. dollars.
- In a particularly congested maritime area, a vessel lost all of its navigation systems at sea, in poor weather conditions and limited visibility. The crew had to rely solely on radar and paper charts for two days before reaching port. The ECDIS failure was caused by a very outdated operating system. During the next port call, a technician attempted to update the ECDIS navigation system, but the new software could not run due to the extreme obsolescence of the OS. The ship had to remain alongside until new ECDIS consoles were installed, resulting in delays and significant financial losses.
- Another ECDIS incident occurred while a pilot was on board: both the ECDIS and the VDR (Voyage Data Recorder, the vessel’s “black box”) malfunctioned, causing confusion on the bridge. Fortunately, the captain and pilot, both experienced, reverted to degraded navigation methods (radar and visual watch). When the computers eventually restarted—again clearly obsolete—the captain informed the pilot that such problems were frequent and that previous requests for intervention had been rejected by the shipowner.
The rest of the document demonstrates a much higher level of maturity than previous editions, particularly regarding risk management, coordination between stakeholders (owners, operators, crews, subcontractors, and logistics services during port calls), BYOD policies, and the separation between IT and OT systems.
Only two minor disappointments remain:
- a somewhat simplistic “just do it” approach: installing firewalls and NIDS on board is useful, but only if someone is able to operate and manage them;
- consequently—or perhaps as a cause—the sector still lacks sufficient ambition when it comes to maritime cyber monitoring (a topic I admittedly tend to emphasize).
In short, a definite must-read.