By Akanimo Sampson
The seeming out of control cyber criminals are currently taking their unwholesome craft to the maritime industry, and in the process, exposing vessels to cyber risks. In a frantic bid to beat them in their nasty enterprise, the existing safety management systems in ships are being broadened to appropriately address cyber attacks.
To this end, ship operators have been advised to adhere to their ISM Code, till the first annual ISM audit in January 1, 2021.
Initiated by the International Maritime Organisation (IMO), ISM code means International Safety Management code for safe operation ships and for pollution prevention. Industry insiders say Solas chapter 9 clearly outlines ISM procedures.
Majority of accidents and injury are said to be caused by human error and poor management. ISM which is organised mainly to reduce this error, is meant for standard of safety and operation of ships and for pollution prevention. It became mandatory for all vessels after July 1, 2002
It consists of 13 clauses: General objective, application, functional requirement, Safety & environmental policy & SMS, Company responsibility, Designated person, Masters responsibility, Resources & personnel, Developments of plans for shipboard operation, Emergency preparedness, Report & analysis on non conformities, accidents & hazardous occurrence, Maintenance of ship equipment, Documentation, Company verification, review & evaluation, and Certification, verification & control.
While its benefits include safety consciousness, safety culture, greater confidence, favourable insurance premium, and cost saving, the purpose of ISM code is to provide an international standard for the safe management and operation of ships and for prevention of pollution. Main objectives are to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment.
Chapter IX of the International Convention for the Safety of Life at Sea (SOLAS) requires compliance with the ISM Code. In 1998, the ISM Code became mandatory for three types of vessels, regardless of the date of construction: Passenger ships including passenger high-speed craft on international voyages, not later than July 1, 1998. Oil tankers, chemical tankers, gas carriers, bulk carriers and cargo high-speed craft of 500 gross tonnage and upwards on international voyages, not later than July 1, 1998, and other cargo ships and mobile offshore drilling units of 500 gross tonnage and upwards on international voyages, not later than July 1, 2002.
The ISM Code requires that safeguards be established against the safety and pollution risks involved in shipboard operations, while giving the flexibility to develop and tailor a safety system to an owner’s/ship manager’s specific operation while complying with regulatory requirements. Responsibility for this is placed firmly on the companies charged with the ship’s management.
In a recent information letter to the maritime sector, the Norwegian National Security Authority (NNS) advises of an increase in the number of cyber campaigns targeting several different sectors since June 2019 and states that both the maritime sector and the oil and gas sector have been victims of such targeted attacks.
The campaigns have used social engineering techniques in e-mails and in personal messages through social media, primarily LinkedIn, but also WhatsApp and Facebook Messenger to: install malware on the user’s computer; gather information about the user, their employer or other users connected to them; and further spread the campaigns.
While the scope of these campaigns and the subsequent incidents are reportedly global, “companies in the United States of America, Europe, and the Middle East have been the main targets”, the NNS said. It also establishes that the threat actors have demonstrated high ability and capacity to conduct their operations.
Based on the current situation and the risks found, the NNS advises companies and organisations to be prepared for attempts of cyber activity with malicious intent in the short to medium term. It also states that both obvious and less obvious companies may be affected, which means all types of ships as well as shipowners’ land-based infrastructure can be vulnerable to cyber incidents.
In a statement of August 19, the Norwegian Maritime Authority (NMA) further emphasizes that: “Especially shipowners that operate in ISPS/MARSEC level two areas or higher should be aware of the situation.”
Although the NNS’ information letter is directed at Norwegian companies, it advised all ship operators and companies with responsibility for infrastructure onboard ships to continuously monitor and review digital security and to follow the recommendations made, including: Make sure networks are segmented. There should be no physical connection between administrative and operative parts of the network; Log activity at all endpoints and in the network. The NNS recommends keeping logs for at least six months; Use encrypted communication where possible, also between ships and land-based infrastructure. Manipulation of communication can easily be done if it is not encrypted; and Restrict access to information and systems in accordance with people’s position and role. Restriction of access will in most cases limit the consequences after an incident.
Among the recommended counter-measures, the importance of carrying out cyber security awareness training is highlighted. All ‘users’, including seafarers, shore staff and other relevant personnel, should: Be aware of, and be critical to, emails with links or attachments; if there are any doubts whether an attachment or a link is safe to open – assess whether it is necessary to open it at all. Report suspicious emails or messages that relate to the company to your employer; be careful with documents that suggest enabling macros in Word, Excel or PowerPoint; and in social media:
Furthermore, report suspicious messages received through social media, in particular if they can be connected to your employment or the company in general; establish and maintain contact only with people whose identity can be verified; be very critical to messages with links and attachments in social media, this is the new target arena; expect that everyone can see all information shared on social media about work and your private life; do not publish work-related information without the consent of your employer; do not publish information about other individuals without their consent; enable available security settings in products and applications; do not reuse the same password across services; and become a Security STAR: Every time you suspect an attack or are unsure of what to do, Stop – Think – Ask – Report
Ship operators are also enjoined to pay close attention to any cyber security advice provided by their national security authorities. As an example, Norwegian companies are advised to follow the NNS’ “Fundamental principles for information and communications technology (ICT) security” as well as its “Measures and recommendations concerning social media” (both are in Norwegian only). We also recommend ship operators and seafarers to report all suspicious activity and breaches of security to their flag administrations and/or national security authorities, as this will support their work to monitor ongoing cyber threats and risks.
