Short Overview

This practical and easy to understand workbook supports the owner, Master and the ship's crew with cyber security risk management.

It contains comprehensive checklists to support the day-to-day management of onboard cyber security and facilitates collaboration between ships, onshore IT departments and equipment manufacturers.

Detailed Overview

Cyber risk management should be an inherent part of safety and security and should be considered at all levels of the company, including senior management ashore and onboard personnel.

This Workbook has been designed as a practical, straightforward guide to support the Master and officers on board ship (Part I - Onboard Practical Considerations). It is designed to facilitate understanding and good collaboration between individual ships, onshore IT departments and equipment manufacturers (Part II - Shore Management Considerations). The Workbook may also be useful to the wider maritime industry.

The seventh edition has been produced by Witherbys, BIMCO and the International Chamber of Shipping (ICS).

The Workbook has been fully revised and updated and contains new guidance on:

• Industry guidelines and regulatory requirements, including IACS UR E26 and E27
• cyber security in port
• passenger ships
• ship inspections and port state control
• software updates
• malware detection and prevention
• phishing risks.

Detailed case studies and diagrams have been added to help illustrate cyber risks. The Workbook contains 13 checklists and 6 annexes, including Cyber Security Risk Assessment and Creating a Cyber Security Plan.

Introduction

Foreword

Harvesting the full potential of data gathering with the implementation of digital technologies and improved connectivity can certainly bring commercial benefits. However, in parallel, cyber criminals are refining their methods and developing techniques that cause disruptions to business and create hazardous situations for ships, their crew, the environment and the cargo.

Building on the latest 'Guidelines on Cyber Security Onboard Ships' (Version 5), the 'Cyber Security Workbook for On Board Ship Use' goes one step further and translates the high-level guidelines into operational tools and checklists for use on board ships. The Workbook is an indispensable complement to the Guidelines and is highly recommended reading for ship officers and shore staff with a cyber security risk management role.

David Loosley
Secretary General and CEO
BIMCO

---

Cyber attacks are on the rise, with criminals and State actors all setting their sights on shipping. This is a threat we cannot ignore. Our vessels have become more technologically advanced, with the growth of the internet of things and our shipboard systems increasingly connected to the internet and to systems ashore. Today?s modern ships are a target-rich environment for cyber attackers. A number of high-profile incidents on major shipping companies in recent years have demonstrated the serious potential for major disruption to operations and safety for maritime trade. It is essential that shipping remains resilient against these threats if it is to continue to carry the vast bulk of global trade safely and securely.

Awareness of the threat presented by cyber attack to shipping has increased, as have the mechanisms to reduce it. The IMO requirement to include cyber risk management in the Safety Management System from 1st January 2021 has brought cyber risk management into the statutory realm. Class and insurance requirements now also play a role in maintaining the cyber security of ships. Today, the shipping industry is better placed than ever to safeguard the vital service it provides from cyber attack. However, we should not grow complacent; regular risk assessments of your company's cyber weak spots, training and awareness campaigns for staff and plans for recovery if a cyber attack occurs are all essential to stay resilient to the ever-changing threat landscape.

Cyber security is central to the safe and secure operation of ships and shipping companies, and this guidance provides a comprehensive resource to understand the threat practically and continually mitigate against the risks it presents to maritime transport.

Guy Platten
Secretary General
International Chamber of Shipping

Contents Listing

Foreword

Abbreviations/Definitions

Introduction

Section 1: Regulations and Guidance

1.1 IMO Requirements

1.1.1 Designated Roles and Responsibilities

1.2 ‘The Guidelines on Cyber Security Onboard Ships’

1.3 Additional Industry Guidelines

1.3.1 International Association of Classification Societies (IACS)

1.3.2 Non-governmental Organizations (NGOs)

1.4 Regional Regulatory Guidance

1.4.1 UK

1.4.2 EU

1.4.3 USA

1.5 Guidance on Mitigation Strategies for IT

1.5.1 Essential Eight Maturity Model

1.5.2 Cyber Essentials

1.5.3 IMO Insider Threat Toolkit

Part One: Onboard Practical Considerations

 

Section 2: Identifying Risks

2.1 Vulnerable Ship Systems

2.2 What is a Maritime Cyber Attack?

2.3 Phases of a Cyber Attack

2.4 Threats

2.5 Types of Cyber Attack

2.6 Social Engineering

2.6.1 Tailgating

2.6.2 Email Phishing

2.6.3 Spear Phishing

2.6.4 Man-in-the-middle Attacks

2.6.5 Phone or Text Messages

2.6.6 QR Code Phishing

2.6.7 Multi-factor Authentication (MFA) Phishing

2.7 Ransomware

2.8 Use of Artificial Intelligence

Section 3: Protection and Prevention: General Principles

3.1 Prevention of Malware Attacks

3.2 Software Updates

3.2.1 Updating the Operating System (OS)

3.2.2 Updating Programs that are not Part of the Operating System

3.3 Endpoint Protection/Security Suite

3.3.1 Endpoint Protection Updates

3.3.2 Checking Whether the Endpoint Protection Suite is Up to Date

3.3.3 Other Security Tools in Windows

3.4 Passwords

3.4.1 Creating Passwords

3.4.2 Password Length

3.4.3 Managing Passwords

3.4.4 Handover of Passwords

3.4.5 Passkeys

3.4.6 Usernames

3.5 Cyber Security and the Safety Management System (SMS)

3.5.1 Cyber Security and the Ship Security Plan (SSP)

3.6 Ship Inspections and Port State Control (PSC)

3.6.1 Focus of Inspections

3.6.2 US Port State Control

3.6.3 European Union

3.6.4 Other Inspections

 

Section 4: Crew Considerations and Training

4.1 Key Aspects of Crew Training

4.2 Cyber Security Familiarization for Crew

4.3 Training for Non-crewmembers

4.4 Designing a Training Program

4.5 Unintentional Cyber Breaches by the Crew

4.6 Planning a Crew Training Session

4.7 Cyber Security Drills

4.7.1 Generic Drill Scenario

4.8 Social Media

4.9 Travelling in Cyber Safe Mode

Section 5: Detect, Respond and Recover: General Principles

5.1 Detecting a Cyber Incident

5.1.1 Introduction

5.1.2 Useful Tools Available to Help Detect Possible Malware

5.2 Incident Response

5.2.1 Third-party Support

5.2.2 Cyber Recovery Plan

5.2.3 Backups

 

Section 6: External Communications and Cyber Security in Port

6.1 Satellite Communications (Satcom) Equipment

6.1.1 Satcom Passwords

6.1.2 Satcom Visibility on the Public Internet

 

6.1.3 Satcom Software Updates

6.1.4 Physical Security of the Satellite Terminal

6.1.5 Software Security of the Satellite System

6.2 Cyber Security Risks in Port

6.2.1 Mobile (Cellular) Data Connections

6.2.2 Connecting to Shore WiFi in Port

6.2.3 Port Cyber Attacks

Section 7: Ship’s Business Systems

7.1 Network Segregation On Board

7.1.1 Segregated Networks

7.1.2 Achieving a Segregated Network

7.1.3 Maintaining a Segregated Network

7.1.4 Benefits of Network Segregation

7.1.5 Vulnerable Systems On Board

7.1.6 Defense in Depth and Breadth

7.2 Wireless Networks On Board

7.2.1 Business WiFi

7.2.2 Crew WiFi

7.2.3 Guest Access

7.2.4 WiFi Network Security

7.2.5 Virtual Private Network (VPN)

7.3 Onboard Business Computers

7.3.1 USB Ports and Drives

7.3.2 USB Port Blockers

7.3.3 USB Cleaning Stations

7.3.4 Tablets

7.3.5 Personal Devices and USB Ports

7.3.6 Configuring Business Computers to Minimize the Risks of Cyber Attack

7.4 Passenger Ship Systems

7.4.1 Passenger Services

7.4.2 Other Considerations

Section 8: OT Systems

8.1 Understanding OT Systems

8.2 Engine Department Considerations

8.3 Cargo Management

8.4 ECDIS Security

8.4.1 Updates

8.4.2 Physical Security

8.4.3 ECDIS Recovery

8.4.4 Recognizing Genuine NAVTEX Messages

8.4.5 Digital Navigational Data System (NAVDAT)

8.5 GNSS Security

8.5.1 GNSS Input Data

8.6 Other Bridge Systems

8.6.1 Voyage Data Recorder (VDR)

8.6.2 Automatic Identification System (AIS)

Part Two: Shore Management Considerations

Section 9: Key Considerations

9.1 Cooperation Between the Office Departments and their Suppliers

9.1.1 IT Department and Technical Department: ‘Secure by Design’

9.1.2 Securing the Supply Chain

9.1.3 Company Cyber Security Working Group

9.2 Cooperation Between the Office and the Ship’s Crew

9.2.1 Maritime Cyber Security Management

9.2.2 Cyber Security and the Safety Management System (SMS)

9.2.3 Cyber Security and the Ship Security Plan (SSP)

9.2.4 Onboard Resources According to Ship Type

9.3 Ship’s Network Architecture

9.3.1 Industrial Demilitarized Zone (IDMZ)

9.3.2 Data Diodes (Unidirectional Gateways)

Section 10: OT Systems Management

10.1 OT Asset Management and Risk Assessment

10.1.1 Asset Management

10.1.2 Asset Risk Assessment

10.2 Securing OT Systems

10.3 Securing the Ethernet IP Network Used by OT Systems

10.3.1 Converter Security

10.4 Intrusion Detection Systems (IDS)

Section 11: IT Systems Management

11.1 Remote Access

11.1.1 Protection Measures

11.2 Vulnerability Scanning (Cyber Audit)

11.2.1 Performing a Vulnerability Scan

11.3 Penetration (Pen) Testing

11.3.1 Carrying out a Pen Test

11.3.2 Benefits of a Pen Test

11.4 Endpoint Detection and Response (EDR)

11.4.1 Extended Detection and Response (XDR)

11.5 Disaster Recovery from Backup

11.5.1 Backup Strategy

11.6 Uninterruptible Power Supply (UPS) for IT/OT Systems

 

 

Checklists

Checklist 1: Cyber Security Familiarisation for New Crewmembers

Checklist 2: Cyber Security Crew Training

Checklist 3: Detecting a Cyber Incident

Checklist 4: Responding to a Cyber Incident On Board

Checklist 5: Onboard Business Computer

Checklist 6: Network Segregation

Checklist 7: Networks (Wireless and Wired)

Checklist 8: Satellite Communications

Checklist 9: OT Systems Initial Inspection

Checklist 10: ECDIS Cyber Security

Checklist 11: Cyber Security Checks on the Navigation Bridge

Checklist 12: Asset Management and Risk Assessment

Checklist 13: Remote Access

Annexes

Annex 1: Cyber Security Assessment

Annex 2: Creating a Cyber Security Plan

Annex 3: Creating User Accounts

Annex 4: Checking for Segregated Networks

Annex 5: NMEA 0183

Annex 6: Further Resources

 

Additional Information