EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can Help
-
Discover how EY's cybersecurity, strategy, risk, compliance & resilience teams can help your organization with its current cyber risk posture and capabilities.
Read more
Protection of onboard systems
Cybersecurity is critical for specialized IT/OT systems used by ships, such as Automatic Identification System (AIS), Electronic Chart Display and Information System (ECDIS), Automatic Radar Plotting Aid (ARPA), Voyage Data Recorder (VDR ) and Emergency Position-Indicating Radio Beacon (EPIRB). An attack on any of these may pose significant threats to shipping.
Vessels must be prepared to step up their security measures due to their vulnerability to incidents. Most importantly, it is necessary to ensure that the internal network is segmented and separated from public networks. Constant monitoring is also necessary to detect any anomalies in network traffic or atypical activities. Research shows that many companies in the sector continue to secure their IT and OT environments with firewalls only. That is definitely not enough. Cybersecurity should not be based on just one solution; it must combine different tools that work together in an organized process.
It is preferable to create a security policy, described in a separate document, which discusses the security level that should be achieved. Based on that, implementing procedures are developed describing detailed actions for proactive threat avoidance and response in the event of an attack. The entire crew as well as the onshore teams supporting the vessels must acquaint themselves with this document.
Industry regulations and standards as cyber resilience enablers
Regulations and standards should be seen as a reference against which to build a well-functioning cybersecurity strategy. Implementation of recommendations (NIST, NIS2, E26 and E27) makes protective measures more standardized, facilitating their monitoring, maintenance and audit.
NIST is a set of guidelines that must be followed to better prepare for the identification, blocking, detection of and response to attacks. On the other hand, the NIS2 Directive of the EU (the deadline for its full implementation is 17 October 2024) is a set of EU regulations aimed at increasing the overall cybersecurity level across the EU, including ensuring the security of partners in the IT supply chain. NIS2 focuses primarily on preventive measures. E26 and E27, on the other hand, refer directly to maritime transport and apply to the basic onboard systems. Both Directives will become mandatory for all new vessels as of July 2024.
It is advisable to implement the good practices recommended by the said regulations already, even if they are not yet mandatory. This is the right move in view of the digitalization of the sector that is now happening, which requires special care to be taken to safeguard data.
Cooperation with all actors in the supply chain
The maritime industry is highly dependent on various external suppliers and third parties. These include freight forwarders, customs agencies and thousands of other companies. Collaboration across the supply chain is essential to address cybersecurity in a coordinated way, as any gaps left open the door for further attacks or their intensification.
Maritime organizations should ensure that appropriate digital security practices are applied by all actors in the supply chain. It is advisable to enter into agreements with partners, contractors and clients that precisely specify cybersecurity requirements (including audit rights).
Cooperation should also include sharing expertise, which fosters proactive protection, as well as the development of standards and good practices. This is done by the industry’s Information Sharing and Analysis Center (ISAC). It is a centre for sharing information and experience on cybersecurity incidents. Collecting such data makes it possible to identify the challenges that maritime organisations are facing and to build a threat map. The knowledge collected and transferred by ISAC makes it possible to respond faster to an incident and to protect other companies from its consequences.
Training at all levels of employment
Threat awareness training is critical to safety across the organisation, from senior management to all staff members and ship crews. It has long been known that people are often the weakest link in the entire security chain and that most incidents are due to human error. Employees need to know how to use digital tools safely and what kinds of activity can be risky. They will also be able to detect anomalies on the net and identify activities that deviate from the standards set out in the security policy.
The landscape of threats continues to evolve, so knowledge about them needs to be refreshed from time to time. Regular, updated and consistent training plays an important role in creating a risk-aware workforce and cybersecurity culture in the maritime sector.
User rights management
The continuous development of IT systems necessitates the implementation of user rights management in the organisation, depending on the role of the employee and his/her competences. Special attention must be paid to privileged access and to avoiding overusing it, as very often attacks are aimed towards taking over an administrator’s role. And no wonder: the administrator’s rights allow full access to system configuration settings and all data. Users logging in this way can open the door to cybercriminals and make it easier to exploit the existing security vulnerabilities. Therefore, identity and remote access management, which is a major part of the overall cybersecurity plan, must not be neglected.
It is worth noting that in addition to obvious protection against threats and unauthorised access, the implementation of a user right management system has yet another dimension. It streamlines processes in the organisation and allows a better monitoring of users' activities and their reconstruction. This is useful information in the context of possible audits.