Maritime Cybersecurity: The Old and New

By Cinthia Granados Motley and Charles Davant

Latin America has over 300 ports and with the expansion of the Panama Canal, which will double its capacity, almost complete, shipping and vessel traffic is top of mind. At the same time, the world is facing a surge of new cyberattacks across all industries. Last year alone, over 317 million new computer viruses or malicious software were created. While shipping activity has existed since prehistoric time, it is only recently that the maritime industry has been forced to confront this new threat.

BIMCO, the Baltic and International Maritime Council, one of the largest international shipping associations in the world whose membership represents approximately 65 percent of the world’s tonnage, recently promulgated guidelines on cybersecurity on board ships in conjunction with other maritime organizations. The guidelines are meant to provide assistance to shipowners and operators on how to assess their operations and are complementary to existing regulations through the International Safety Management Code (ISM Code) and the International Ship and Port Facilities Security Code (ISPS Code).
  
These Codes have been published by the IMO. The IMO makes non-binding recommendations, and its regulations are followed worldwide. The IMO’s Facility and Maritime Safety Committees are currently considering additional cyber security matters and are consulting with other United Nations bodies and relevant international organizations such as the International Telecommunication Union (ITU).
  
For its part, the U.S. Coast Guard has published its own position, entitled “Cyber Risks in the Marine Transportation System.” As the Coast Guard’s publication identifies, today’s vessels are state-of-the-art and use a wide variety of computers and cyber dependent technologies for navigation, communications, engineering, cargo, ballast, safety and environmental controls.  For example, a vessel’s Global Positioning System (GPS) can be disrupted by use of computer viruses that can impact the way the signal is interpreted, displayed and used on the vessel.  The Coast Guard approaches cyber risks from the backdrop of training, education and policies implemented to promote a culture of cyber security.

The BIMCO guidelines focus on six critical aspects of cyber security awareness:
•    Identifying threats and understanding the cyber security threats to the ship;
•    Identifying vulnerabilities within the ship’s cyber security system;
•    Assessing risk exposure and the likelihood of being exploited by external threats;
•    Developing protection and detection measures in order to minimize impact;
•    Establishing contingency plans to reduce the threat’s impacts; and
•    Responding to cyber security incidents.

Preparedness is key to a company's cybersecurity resilience. As outlined by BIMCO, a cyber risk is specific to a company and its operation. The types of cyberattacks vary by motivation and objectives, from destruction of data, ransoming data and systems, to financial gain and espionage. Thus, the extent of a breach will depend on the company's or ship's vulnerability and the method chosen to deliver an attack. 

For example, an attacker may be able to interrupt the display of chart information on ECDIS; gain access to commercially sensitive data such as cargo manifests and/or crew and passenger lists; and/or gain full control of a system, including a machinery management system.  

As a result, a company's cyber security preparedness should start with a vulnerability assessment along with a mapping of its sensitive information. This is an important step to be followed by a C-Suite level analysis, facilitated by internal and/or external experts with knowledge of the maritime industry. With better knowledge of key risks, a company should then implement a "data diet" to reduce the volume of data surrounding those key risks.  

Most data breaches are caused by authorized users: negligent or malicious insiders (employees) and third parties (service providers). Thus, it is critical for a company to also conduct a third-party risk assessment and that personnel (from the boardroom to the mailroom) are aware of the potential cyber security risks, and are trained to identify and mitigate those risks.   

Equally important, a company should develop, update and test written information security and incident response plans. These plans should be tested through simulated exercises by internal and external members of an incident response team. Lastly, with a cyber risk management program in place, a company can also evaluate transferring some risks through cyber insurance, including whether third-party consultants have adequate cyber insurance.

Cinthia Granados Motley is a member of Sedgwick LLP's cybersecurity leadership team in Chicago.
Charles Davant is a member of Sedgwick LLP’s Maritime Practice Group in Miami.