MSR is delighted to bring you a piece on maritime cyber security.
I, Pirate – A Cyber Story in the Maritime Industry
Written by Aybars Oruc
I, Robot – 2004 film adapted from short-story of American author Isaac Asimov has an interesting scene. Two detectives are talking, and we are hearing this dialogue:
• I guess we’re gonna miss the good old days.
• What good old days?
– When people were killed by other people.
In this story, the theme is about robots that start to take place of humans. Well, in the future, are we, seamen be replaced by technology?
Even though we cannot talk about unmanned ships, it is possible to talk about unmanned ship projects. For instance, MUNIN (Maritime Unmanned Navigation through Intelligence in Networks) project is a significant one that influenced marine sector, and bothered every seaman who heard this project. For some, this is all imaginary project. However, others believe that this project cannot be stopped and will entirely change the maritime sector. Today, people who are developing this project where navigational areas for testing are determined have only one question in hand: Cyber attack
In general sense, cyber attack is known as damaging or steeling information by infiltrating to computer systems by expert individuals or institutions on computers and internet. Generally, cyber attacks happen for entertainment, information theft, to achieve economic gain, to attracted attention, or to get ready for larger attacks.
Despite warnings of major maritime authorities and class institutions such as IMO, BIMCO, ICS, INTERTANKO, it is almost impossible to say that this attack type was considered in the maritime industry until few months ago. However, as Danish centred giant maritime company Maersk experienced cyber attack in June 2017 and lost nearly $300 million, cyber attack become an important topic.
Close your eyes and image your ECDIS, GPS, and even AIS devices are hacked. Imagine that your main engine stopped running during navigation in narrow waters. Now open your eyes, because this is all happening in the maritime industry.
After a cyber attack on your vessel, you may notice that you are on a different location than you should be, and you may suddenly run ashore. Your vessel may collide with another one. The type of vessel may be aframax, chemical tanker or even LPG. In such cases, try to imagine possible effect on you, vessel, cargo or marine environment. How many people would die?
Main systems that could be affected from cyber attack in a merchant vessel can be listed as follows:
• Bridge Navigation Systems (GPS, ECDIS, AIS etc.)
• Communication Systems (V-SAT, FBB etc.)
• Mechanical Systems (Main Engine, Auxiliary Engine, Steering Gear etc.)
• Ship Monitoring and Security Systems (CCTV, SSAS, Access Control Systems etc.)
• Cargo Handling Systems (V/V Remote Control Systems, Level/Pressure Monitoring Systems etc.
Well, is it possible to protect these systems above and prevent any damages from the attack? Let’s take a look. Now around the world, many people are trying to find an answer to this question. But, it is hard to give concrete answer. Although it is impossible to escape the attack, risks can be mitigated. Risks can be minimised by keeping the software updated, using antivirus software, developing redundancy methods, changing default passwords after installing the devices, restricting file sharing, constantly monitoring network configurations (see also Penetration Test), eliminating all problematic areas, and increasing awareness and knowledge level of office staff and ship crew.
Also, we should consider some international developments about this subject. Here at this point, under IMO-ISM Code, all shipping companies are mandatory to add “Guidelines on Maritime Cyber Risk Management” manual to their SMS manuals until 01 January 2021. Additionally, TMSA regulations where the 3rd version will be become valid on 01 January 2018, are also putting challenges on company managers like IMO-ISM Code rules. Staring with flag states and class institutions, various reputable organisations or institutions around the world are organising training programs and publishing circulars regarding cyber attack to raise awareness in the maritime industry. DNV-GL, one of the reputable class institutions, started to offer type verification certificate for cyber security for the first time in November 2017. Insurance companies also started to add cyber security related subjects and clauses on the policies. Designation compulsory of a Cyber Security Officer (CySO) for the maritime companies has been already discussed. These are only some part of the bigger picture.
– I guess we’re gonna miss the good old days.
– What good old days?
– Somalian pirates instead of cyber-pirates. At least, we could notice them before they are done with us.