5 minute read 12 Mar 2024

5 Measures to Improve Cybersecurity in the Maritime Sector

By Andrzej Gab

EY Poland, Cybersecurity, Technology Consulting, Director

Highly qualified in cybersecurity and networking, now developing cybersecurity business, including Maritime. Understanding business goals and technology. Well-organized, independent, consistent.

Cybersecurity in the maritime sector requires building a comprehensive strategy comprising protection of specialized IT/OT systems, following the good practices included in industry standards, ensuring risk awareness among employees and adequate access control.

As digitalization progresses, the number of cyber threats is also increasing. This is evident in every industry, but the situation in the maritime sector is specific. Not only IT and OT systems, but also the unique environments in ports and onboard vessels need to be protected. An attack against this industry may also be much more extensive and costly. It can trigger a chain reaction and reach a very large number of actors, both onshore and onboard, causing huge losses. An example of such an attack is the 2017 NotPetya malware attack targeting shipping giant Maersk.

Incidents related to navigation and control systems may, for example, force the closure of a strategic waterway, which entails colossal problems. To appreciate the consequences of such an event, it is worth recalling the Suez Canal blockade in 2021. Although it was caused by weather conditions and not by criminal activities, it shows the scale of the costs that such an event may entail. At the time of the blockade, approximately 10% of total world trade flowed through that waterway. The blockade impacted 100 vessels transporting products for the IKEA chain and 80 vessels transporting tea and coffee, which resulted in raising commodity prices across Europe.

The frequency of attacks in the maritime industry is constantly increasing, and the threats they pose should be taken as seriously as those related to physical safety and protection of lives. It is, therefore, a matter of necessity and urgency to develop an effective security strategy in the sector. A number of good practices related to building cyberprotection can be identified, but five of them should be noted.

Protection of onboard systems

Cybersecurity is critical for specialized IT/OT systems used by ships, such as Automatic Identification System (AIS), Electronic Chart Display and Information System (ECDIS), Automatic Radar Plotting Aid (ARPA), Voyage Data Recorder (VDR) and Emergency Position-Indicating Radio Beacon (EPIRB). An attack on any of these may pose significant threats to shipping.

Vessels must be prepared to step up their security measures due to their vulnerability to incidents. Most importantly, it is necessary to ensure that the internal network is segmented and separated from public networks. Constant monitoring is also necessary to detect any anomalies in network traffic or atypical activities. Research shows that many companies in the sector continue to secure their IT and OT environments with firewalls only. That is definitely not enough. Cybersecurity should not be based on just one solution; it must combine different tools that work together in an organized process.

It is preferable to create a security policy, described in a separate document, which discusses the security level that should be achieved. Based on that, implementing procedures are developed describing detailed actions for proactive threat avoidance and response in the event of an attack. The entire crew as well as the onshore teams supporting the vessels must acquaint themselves with this document.

Industry regulations and standards as cyber resilience enablers

Regulations and standards should be seen as a reference against which to build a well-functioning cybersecurity strategy. Implementation of recommendations (NIST, NIS2, E26 and E27) makes protective measures more standardized, facilitating their monitoring, maintenance and audit. 

NIST is a set of guidelines that must be followed to better prepare for the identification, blocking, detection of and response to attacks. The NIS2 Directive of the EU (the deadline for its full implementation is 17 October 2024) is a set of EU regulations aimed at increasing the overall cybersecurity level across the EU, including ensuring the security of partners in the IT supply chain. NIS2 focuses primarily on preventive measures. E26 and E27, on the other hand, refer directly to maritime transport and apply to the basic onboard systems. Both Directives will become mandatory for all new vessels as of July 2024.

It is advisable to implement the good practices recommended by the said regulations already, even if they are not yet mandatory. This is the right move in view of the digitalization of the sector that is now happening, which requires special care to be taken to safeguard data.

Cooperation with all actors in the supply chain

The maritime industry is highly dependent on various external suppliers and third parties. These include freight forwarders, customs agencies and thousands of other companies. Collaboration across the supply chain is essential to address cybersecurity in a coordinated way, as any gap left unaddressed opens the door for further attacks or their intensification.

Maritime organizations should ensure that appropriate digital security practices are applied by all actors in the supply chain. It is advisable to enter into agreements with partners, contractors and clients that precisely specify cybersecurity requirements (including audit rights).

Cooperation should also include sharing expertise, which fosters proactive protection, as well as the development of standards and good practices. This is done by the industry’s Information Sharing and Analysis Center (ISAC). It is a centre for sharing information and experience on cybersecurity incidents. Collecting such data makes it possible to identify the challenges that maritime organisations are facing and to build a threat map. The knowledge collected and transferred by ISAC makes it possible to respond faster to an incident and to protect other companies from its consequences.

Training at all levels of employment

Threat awareness training is critical to safety across the organisation, from senior management to all staff members and ship crews. It has long been known that people are often the weakest link in the entire security chain and that most incidents are due to human error. Employees need to know how to use digital tools safely and what kinds of activity can be risky. With this knowledge, they will also be able to detect anomalies on the network and identify activities that deviate from the standards set out in the security policy.

The landscape of threats continues to evolve, so knowledge about them needs to be refreshed from time to time. Regular, updated and consistent training plays an important role in creating a risk-aware workforce and cybersecurity culture in the maritime sector.

User rights management

The continuous development of IT systems necessitates the implementation of user rights management in the organisation, depending on the role of the employee and his/her competences. Special attention must be paid to privileged access and to avoiding overusing it, as very often attacks are aimed at taking over an administrator’s role. And no wonder: the administrator’s rights allow full access to system configuration settings and all data. Users logging in this way can open the door to cybercriminals and make it easier to exploit the existing security vulnerabilities. Therefore, identity and remote access management, which is a major part of the overall cybersecurity plan, must not be neglected.

It is worth noting that in addition to obvious protection against threats and unauthorised access, the implementation of a user rights management system has yet another dimension. It streamlines processes in the organisation and allows better monitoring of users' activities and their reconstruction. This is useful information in the context of possible audits.

Summary

Cybersecurity is an increasingly important aspect of maritime operations. In the face of growing threats, it is worth noting the key measures: detailed risk assessment, regular training, implementation of modern technologies, wider cooperation and regular procedure updates. Proper implementation and adaptation of these aspects can increase our security. Let us remember that an investment in security is an investment in the future.

The article was previously published on the gospodarkamorska.pl portal (20 January 2024).
