In part 3 of our cyber risk management series, we look at how the maritime supply chain works and how cyber risks arise from the imbalance of responsibilities, the ship operator’s lack of control and the disconnect in regulation.
The maritime industry serves a critical role in the global supply chain. But the industry also relies on its own supply chain. Everything from fuel for the engines to food for the crew needs to be delivered to ships around the world for the industry to function. This supply chain extends to the supply and maintenance of onboard computing equipment and applications that support vessel operations. The ship owner and operator frequently relies on the supply chain to ensure such equipment and applications are always up to date, well maintained and secure. Every software component onboard a vessel creates some cyber risk, but this research has identified specific areas of concern including the imbalance of responsibilities, the ship operator’s lack of control and the disconnect in regulation.
Under a charterparty, the ship owner has an express obligation to ensure the ship is seaworthy before, at the beginning of and throughout the voyage. The owner must demonstrate that they have exercised due diligence to ensure seaworthiness of the vessel.
The obligation of seaworthiness cannot be delegated to third parties. This means that the ship owner must demonstrate they have exercised due diligence to ensure that any onboard system is secure enough not to impact the seaworthiness of the vessel, even if the system is supplied, installed or maintained by a third party.
According to our industry survey, conducted as part of this research, 78% of shoreside employees at shipping companies have cyber risk management procedures in place for dealing with third parties such as suppliers. However, the same survey found that just 55% of industry suppliers are asked by customers to prove they have cyber risk management procedures in place. This statistic demonstrates a clear gap in the industry’s due diligence in managing supply chain cyber risk.
Cyber experts interviewed in compiling this report repeatedly pointed to significant risks that exist across the maritime supply chain caused by suppliers not working to an acceptable standard of security. This spans everything from developing systems that are vulnerable even to basic cyber intrusions in the first place, poor practices during installation to insecure practices when visiting the vessel for system maintenance.
The responsibility of the supply chain in relation to cyber risk management of vessel operations is not clear. Equipment or service supply contracts generally clarify responsibilities and obligations in relation to defects in the supplied equipment or deficiencies in the service. However, responsibilities requiring the supplier to ensure a reasonable level of cyber risk management are not explicitly stated in most cases. To make matters worse, shipping cyber emergency response plans are not often developed in cooperation with key suppliers. Where they are, it is rare that exercises or drills are performed involving the supply chain, so lessons on the critical actions that ship owners need their suppliers to perform during a cyber incident are never uncovered, tested and improved.
Though a ship’s hull and machinery may remain the same throughout its life, the average commercial vessel has at least 50 distinct systems that contain computing and software components. To the ship operator and their crew, these components are often “black boxes”, and there is very little technical knowledge beyond the minimum necessary to operate them, identify a fault or make minor fixes. Certainly, the ship operator is not able to integrate any cybersecurity controls, such as deploying antivirus software or testing for any existing defences, without explicit permission from the equipment manufacturer. Any attempt to do so is generally considered to violate the conditions of the warranty.
Of those maritime organisations that reported being the subject of a cyber attack in the last three years, 3% said the attack resulted in them paying a ransom. The average ransom paid was US$3.1 million.
While a small number of system manufacturers have proactively taken steps to shore up the cyber protection of the equipment they manufacture and the applications that are provided alongside these, the vast majority of shipping equipment manufacturers have done very little to provide ship operators assurance around this.
This problem is exacerbated by integrators that are not sufficiently knowledgeable in cybersecurity, making decisions leading to insecure configurations and integrations that may undo the security designed into the equipment in the first place. The nature of shipping operations means that when equipment breaks down and needs replacing or repair, it must be dealt with quickly and efficiently as delays can be incredibly costly. Replacements are frequently bought on short order, and purchases are determined by convenience, not security.
This results in a major disconnect between the exposure for the ship operator and their ability to control the risks. However, operators are not entirely powerless. There are actions they can take to regain some control of securing the supply chain of onboard systems. Getting a clear understanding of the inventory of these computing systems and how they are connected is an excellent starting point.
According to data from CyberOwl, 54% of the ships monitored by CyberOwl have between 40 and 180 connected devices onboard. This includes expected devices such as business workstations, PCs, printers and company phones. Most alarming is that on many vessels monitored by the company, systems that were thought to be isolated, such as cargo computers and engine monitoring systems, were found to be connected to the onboard business IT network somehow.
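Building the inventory and then checking it against what the network actually shows is the practical form of the "starting point" described above. The following is an added example, not code from the report, CyberOwl or HFW: a vessel asset register records the network zone each system is supposed to sit in, and flow records from a tap on the business LAN are checked for systems registered as isolated OT equipment (cargo computer, engine monitoring) that are nevertheless seen exchanging traffic with the business network, as well as for devices that are not in the inventory at all. All system names, IP ranges and flow records are constructed for illustration.

```python
"""Cross-check a vessel's asset inventory against observed network flows.

Added example (not from the report). The inventory declares the zone each
onboard system belongs to; flow records exported from a tap or NetFlow
collector on the business LAN are then checked for two conditions that the
research above says are common on real vessels:
  - an OT system that is supposed to be isolated is seen talking to the
    business network ("ot-business-crossover")
  - a device appears in the traffic that is not in the inventory
    ("unknown-device")
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str  # "business" (office IT) or "ot" (expected to be isolated)


# Constructed inventory of onboard systems; names and addresses are hypothetical.
INVENTORY = [
    Asset("bridge-pc-1", "10.10.1.10", "business"),
    Asset("master-laptop", "10.10.1.21", "business"),
    Asset("printer-1", "10.10.1.50", "business"),
    Asset("cargo-computer", "10.20.1.5", "ot"),
    Asset("engine-monitor", "10.20.1.7", "ot"),
    Asset("ecdis-1", "10.20.2.3", "ot"),
]

# Address range assigned to the onboard business IT network (constructed).
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("10.10.1.10", "10.10.1.50", 9100, "tcp"),    # PC -> printer: expected
    ("10.10.1.21", "10.20.1.5", 445, "tcp"),      # laptop -> cargo computer
    ("10.20.1.7", "10.10.1.21", 3389, "tcp"),     # engine monitor -> laptop
    ("10.20.2.3", "10.20.1.5", 502, "tcp"),       # ECDIS -> cargo computer (OT to OT)
    ("192.168.77.9", "10.10.1.50", 9100, "tcp"),  # device not in inventory -> printer
]


def build_index(inventory):
    """Map IP address -> Asset for quick lookup."""
    return {asset.ip: asset for asset in inventory}


def find_violations(flows, inventory, business_net=BUSINESS_NET):
    """Return a list of (finding_kind, subject, flow_description) tuples."""
    by_ip = build_index(inventory)
    findings = []
    for src, dst, port, proto in flows:
        desc = f"{src}->{dst}:{port}/{proto}"
        src_asset = by_ip.get(src)
        dst_asset = by_ip.get(dst)

        # Any endpoint missing from the inventory is itself a finding: the
        # operator cannot assess a device they do not know exists.
        for ip, asset in ((src, src_asset), (dst, dst_asset)):
            if asset is None:
                findings.append(("unknown-device", ip, desc))

        # An OT asset whose peer address lies inside the business network is
        # not isolated, whichever side initiated the connection.
        for asset, peer in ((src_asset, dst), (dst_asset, src)):
            if asset is not None and asset.zone == "ot":
                if ipaddress.ip_address(peer) in business_net:
                    findings.append(("ot-business-crossover", asset.name, desc))
    return findings


def exposed_ot_assets(findings):
    """Sorted, de-duplicated names of OT systems seen crossing into business IT."""
    return sorted({name for kind, name, _ in findings if kind == "ot-business-crossover"})


if __name__ == "__main__":
    for finding in find_violations(FLOWS, INVENTORY):
        print(*finding)
    print("OT systems reachable from business network:", exposed_ot_assets(find_violations(FLOWS, INVENTORY)))
```

The check is deliberately one-directional in its zone logic: it only asks whether an OT asset's peer is inside the business range, so OT-to-OT traffic such as the ECDIS to cargo computer flow is not flagged. In practice the inventory would be maintained by the operator, and the flow records would come from whatever monitoring the vessel already has; the value of the exercise is the comparison between the two, which is exactly where the "thought to be isolated" systems in the CyberOwl data surface.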
The main regulation for cyber risk management in shipping relates to the IMO resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The resolution gives effect to a requirement for an approved SMS to incorporate cyber risk management. Shipping administrations must ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance (DoC) after 1 January 2021.
As this regulatory instrument is implemented via the DoC, it places the burden of regulatory compliance solely on the ship owner. The same is true of the majority of maritime cyber risk management guidelines, which focus mainly on the actions ship owners can take to secure their ships against cyber threats. For the manufacturer of onboard systems and the provider of software-based services for shipping systems, the requirements are a lot less clear.
Several Classification Societies have developed some type approvals specifically relating to incorporating minimum cyber security standards within the design of ship equipment and systems. However, unlike for equipment such as voyage or safety critical apparatus, these are voluntary and do not affect the certification of the ship. At the time of writing, based on a search of the public databases of the type approvals granted, there is minimal uptake of these voluntary type approvals.
Interviews conducted during this research suggest that the lack of clarity, and of any level of prescription, is creating confusion and frustration. It results in a level of subjectivity for the ship owner, who is now required to ensure their SMS incorporates appropriate cyber risk management of their supply chain in order to be granted their DoC, but cannot point to any minimum standards that their suppliers must comply with.
CYBER SECURITY MANAGEMENT SERIES
In the last few years, the maritime industry has made great progress in improving its approach to cyber risk management, but significant gaps remain. This report developed in collaboration with CyberOwl and HFW explores the gaps that exist between the industry’s perceptions of cyber security and reality, taking into account the views of more than 200 stakeholders from across the industry, including cyber security experts, seafarers, shoreside managers, industry suppliers, and C-suite leaders.
Over the coming weeks, we will be sharing a series of articles on the state of cyber risk management in the maritime industry, and we will also uncover the great disconnects that exist across the industry where expectations and reality don’t match up, cyber risk management efforts are lacking, or risks that are unique to maritime exist.
Download your copy for free: The Great Disconnect