Cyber Security and Data Protection
A cyber risk is a threat to the infrastructure and communications systems, and the data within those systems, that form the framework of any business enterprise, including in the marine transportation sector. Such a threat could result in loss of life, loss of or damage to property, financial loss and reputational damage. For the most severe cyber attacks, the effect on their recipients could be catastrophic.
A cyber incident could be caused by a targeted cyber attack, or arise from an unintentional threat such as infection by malware (a virus or worm, for example), the accidental loss of data, or the mis-operation of a system for reasons including improper configuration or a conflict between interdependent software systems.
The sheer number of cyber-related incidents and attacks, such as WannaCry and NotPetya, some of which have claimed high-profile victims, and the volume of phishing attempts experienced daily demonstrate the importance of having defences in place to prevent a major incident. Cyber security should be taken very seriously and should form a core part of a company’s safety and security policies.
A shipboard cyber threat is two-fold, categorised broadly as a threat to Information Technology (IT) and to Operational Technology (OT). The former includes storage and sharing of data (personal, operational, and commercially sensitive) and communications systems, while the latter is concerned with, among other things, navigation systems, propulsion control systems, and cargo control and monitoring systems. Companies now have regulatory obligations with respect to both IT and OT security, which are detailed below.
In both IT and OT infrastructure the risk increases when systems are connected to the internet. Some systems are also more vulnerable depending on the underlying software platform they run on and the availability of tools for disruption (some of which can be procured from the ‘dark web’); so are legacy systems for which no vendor support is available to keep them resilient against continuously evolving cyber attacks.
Traditional measures such as anti-virus software and firewalls are not considered sufficient for an effective cyber defence; a more holistic approach is required. For new vessels this approach should be pursued from initial design through installation, testing and operation. For existing vessels, segregation of systems may need to be considered on the basis of a risk assessment and vulnerability testing. The existing network schematics, and future additions to the network such as the integration of a ballast water treatment system or an exhaust gas cleaning system, should be taken into consideration when carrying out the risk assessment.
Air gapping is an effective way of segregating systems, but there is a risk of introducing malware or other software corruption while routinely updating or maintaining the system, or when infected portable or wireless-enabled devices are plugged into it. Rigorous procedures for controls and checks, such as scanning and approving removable media before it is connected, will therefore be necessary.
The human aspect of vulnerability cannot be overestimated: it is estimated that 80% of cyber incidents involve an element of human error. Training in privacy and security practices, control of access (through user ID and password policies) and account management, logging of events and security reviews will be required.
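The removable-media control described above can be made concrete. The following is an added example written for this article, not code from the original or from any vendor: a minimal allowlist check that a shore or shipboard ‘clean machine’ would run on a USB stick before it is connected to an air-gapped OT system. Files are accepted only if their SHA-256 hash is on an approved manifest (for example one supplied by the equipment vendor over a trusted channel); executables, scripts and autorun files are refused outright, and anything else is reported as unknown. The sample media contents, file names and manifest hash are constructed for illustration.

```python
"""Added example, not from the original article: an allowlist inspection of
removable media before it is connected to an air-gapped or segregated OT
system. The constructed USB contents below stand in for a real mount point."""
import hashlib
import os
import tempfile

# File types that should never be carried onto OT from portable media.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                      ".ps1", ".vbs", ".js", ".jar", ".lnk"}
# Files that Windows hosts may act on automatically when media is inserted.
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large update packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inspect_media(root, approved_hashes):
    """Walk the mounted media and classify every file.

    Returns (approved, findings): approved is a sorted list of relative paths
    whose hash is on the manifest; findings is a sorted list of
    (relative path, reason) for everything that must not be connected."""
    approved, findings = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in BLOCKED_NAMES:
                findings.append((rel, "autorun/system file"))
            elif ext in BLOCKED_EXTENSIONS:
                findings.append((rel, "executable or script"))
            elif sha256_file(full) in approved_hashes:
                approved.append(rel)
            else:
                findings.append((rel, "not on approved manifest"))
    return sorted(approved), sorted(findings)


def media_is_clean(findings):
    """Connect only when nothing was refused: a single unknown file blocks the media."""
    return not findings


def demo():
    """Build a constructed USB stick in a temporary directory and inspect it."""
    with tempfile.TemporaryDirectory() as media:
        update = b"vendor ECDIS chart update package (constructed bytes)"
        with open(os.path.join(media, "chart_update.bin"), "wb") as f:
            f.write(update)
        with open(os.path.join(media, "autorun.inf"), "w") as f:
            f.write("[autorun]\nopen=tools\\setup.exe\n")
        os.mkdir(os.path.join(media, "tools"))
        with open(os.path.join(media, "tools", "setup.exe"), "wb") as f:
            f.write(b"MZ\x90\x00")
        with open(os.path.join(media, "notes.txt"), "w") as f:
            f.write("left on the stick by the technician\n")
        # The manifest would normally be received from the vendor separately
        # from the media itself; here it is constructed from the sample file.
        manifest = {hashlib.sha256(update).hexdigest()}
        return inspect_media(media, manifest)


if __name__ == "__main__":
    ok, bad = demo()
    print("approved:", ok)
    for path, reason in bad:
        print("REFUSED", path, "-", reason)
    print("media clean:", media_is_clean(bad))
```

The design choice worth noting is that the decision is allowlist-based: a file is not accepted merely because an anti-virus scan finds nothing, but only because its hash matches something the company expected to receive. A stray text file is enough to refuse the whole stick, which forces the procedure (and the technician) to account for everything on it.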
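The ‘logging of events’ mentioned above only pays off when someone, or something, actually reads the logs. As an added example (not from the original article), the following detection logic runs over constructed, sshd-style authentication log lines from a hypothetical bridge workstation: it counts failed logins per source address within a sliding window, raises one alert when a source crosses a threshold, and separately raises an alert when a source that had just been failing repeatedly then succeeds, which is the pattern of a guessed or reused password. The host name, addresses, user names and timestamps are constructed for illustration.

```python
"""Added example, not from the original article: a simple failed-login
detector over constructed sshd-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches lines of the form:
# <ISO timestamp> <host> sshd[<pid>]: Failed|Accepted password for [invalid user] <user> from <ip> port <n> ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log: one source guesses several accounts and then gets in;
# a second source has one typo followed by a normal login.
SAMPLE_LOG = """\
2021-03-01T02:14:01 bridge-pc sshd[811]: Failed password for invalid user admin from 10.20.0.77 port 51002 ssh2
2021-03-01T02:14:03 bridge-pc sshd[811]: Failed password for root from 10.20.0.77 port 51004 ssh2
2021-03-01T02:14:05 bridge-pc sshd[811]: Failed password for root from 10.20.0.77 port 51006 ssh2
2021-03-01T02:14:08 bridge-pc sshd[811]: Failed password for ecdis from 10.20.0.77 port 51008 ssh2
2021-03-01T02:14:10 bridge-pc sshd[811]: Failed password for ecdis from 10.20.0.77 port 51010 ssh2
2021-03-01T02:14:12 bridge-pc sshd[811]: Accepted password for ecdis from 10.20.0.77 port 51012 ssh2
2021-03-01T02:30:00 bridge-pc sshd[812]: Failed password for master from 10.20.0.12 port 40001 ssh2
2021-03-01T02:31:00 bridge-pc sshd[812]: Accepted password for master from 10.20.0.12 port 40002 ssh2
"""


def parse(line):
    """Return a dict with ts (datetime), result, user, src; None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window_s=60, success_after=3):
    """Return a list of alerts as (timestamp_iso, source, alert_type).

    brute_force: at least `threshold` failures from one source within window_s
    (raised once per source). success_after_failures: a successful login from a
    source with at least `success_after` failures still inside the window."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, fired = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and (src, "brute_force") not in fired:
                alerts.append((ts.isoformat(), src, "brute_force"))
                fired.add((src, "brute_force"))
        elif len(q) >= success_after:
            alerts.append((ts.isoformat(), src, "success_after_failures"))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for when, src, kind in run_sample():
        print(when, src, kind)
```

The second alert type is the one most worth acting on: a burst of failures on its own may be a mistyped password or a scanner, but a success that immediately follows such a burst means an account has very probably been compromised and should be locked and the password reset before anything else is investigated.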
Cyber Security Regulatory framework
The International Maritime Organization (IMO) has issued Resolution MSC.428(98), which affirms that an approved Safety Management System (SMS) should take cyber risk management into account in accordance with the objectives and functional requirements of the International Safety Management Code (ISM Code), and encourages Flag administrations to ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance (DoC) after 1 January 2021.
By linking the date to the DoC, the implication is that cyber security management (CSM) is verifiable during companies’ annual audits, that implementation should be fleet-wide, and that it requires a strong commitment from senior management.
As per the objectives of the ISM Code all risks to ship, personnel and environment should be assessed and appropriate safeguards should be established. Cyber risks should therefore be considered as one such risk and need to be addressed within the Safety Management System.
There are elements in the ISM Code that should be applied to cyber security management, such as the requirement for a risk assessment, policies on cyber resilience, work procedures, contingencies, maintenance of systems to ensure operational reliability, record keeping, verification and audit, designation of responsibility and training of personnel.
The IMO has provided high-level guidelines (MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management) for the implementation of cyber security management based on a risk assessment methodology. There are more detailed guidelines and publications that companies are encouraged to refer to when implementing CSM within their organisation. Some of these standards and publications are listed below:
- BIMCO - The Guidelines on Cyber Security Onboard Ships Ver. 4
- BIMCO - Cyber Security Workbook for On Board Ship Use 2nd Edition 2021
- NIST Cybersecurity Framework
- ISO/IEC 27001
- IEC 62443 Security Levels in Industrial Control Applications
- IACS recommendations on Cyber Resilience – no. 166
- European Network and Information Security Agency (ENISA) Good Practice Guide for cooperation in the form of Public Private Partnerships
- Code of practice: Cyber Security for Ships - IET, DoT and Dstl
- It is also important to take due note of the various local rules, regulations and reporting obligations that may be applicable, such as the European Union’s Network and Information Systems (NIS) Directive for operators of essential services, which covers the maritime transport sector
- Specific industry sector practices and threats will also need to be taken into consideration for the risk assessment and development of the safety procedures
- The OCIMF SIRE VIQ 7.0 now includes, in Chapter 7, verification that a cyber security policy and procedures have been implemented as part of the ship’s SMS and that the company is actively promoting cyber security awareness
- The Tanker Management Self-Assessment 3 (TMSA 3) includes the implementation of cyber security policies and procedures as a key performance indicator under Element 13, and a software management procedure under Element 7
Elements of Cyber Security and Industry Support
Some of the elements of cyber security management that need to be taken into consideration as per the various guidance provided are:
- Risk assessment – Safety, legal and financial based on known incidents, motives and threats
- Company policy – portable devices, software management, data privacy, access, vendor
- Vessel infrastructure interface and connectivity to internet
- Vulnerability testing – Penetration testing
- Vessel specific implementation
- Operational procedures
- Change Management
- Logging events and detection
- Data Protection
- Contingency planning – System and data recovery
- Training and awareness of personnel
Cyber vulnerabilities are continuously evolving and therefore information on risk events and the threats to cyber security is crucial. Sharing information on risk events is important for appropriate counter measures and encourages companies to take corrective action.
Reporting incidents such as navigational interference, or the jamming or spoofing of GPS and AIS, to local authorities and service providers will help those agencies take appropriate corrective action and cascade the information to others. Such efforts to collate data are important for assessing the impact on the maritime industry and making a realistic threat assessment.
Public-private partnerships for the sharing of such information are encouraged, but outside a few regions and countries such frameworks are few and far between.
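Before a navigational anomaly can be reported it has to be noticed, which is the ‘logging events and detection’ element listed earlier. The following is an added example written for this article (not code from the original, and not from any receiver or ECDIS vendor) of a plausibility check over a sequence of own-ship position fixes: consecutive fixes that imply a speed no vessel could make are flagged as suspected jamming or spoofing and become the evidence attached to a report. The track is constructed for illustration; the maximum plausible speed over ground, 30 knots here, is an assumed parameter that would be set per vessel.

```python
"""Added example, not from the original article: flag position fixes whose
implied speed from the last trusted fix is impossible. Fixes are
(seconds, latitude, longitude) tuples; the sample track is constructed."""
import math

EARTH_RADIUS_M = 6_371_000.0
KNOT_MS = 0.514444           # one knot in metres per second

# Constructed track: ~12 knots northbound, one spoofed fix ~55 km away at index 3.
SAMPLE_FIXES = [
    (0,   51.0000, 1.0000),
    (60,  51.0033, 1.0000),
    (120, 51.0066, 1.0000),
    (180, 51.5000, 1.0000),   # jump that no vessel could make in 60 s
    (240, 51.0132, 1.0000),   # genuine track resumes
    (300, 51.0165, 1.0000),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def flag_implausible_fixes(fixes, max_sog_knots=30.0):
    """Return [(index, implied_speed_knots), ...] for fixes to treat as suspect.

    The comparison is always against the last *accepted* fix, so a single
    spoofed point does not also make the genuine fix after it look suspicious.
    A timestamp that does not advance is reported with an infinite speed."""
    flagged = []
    if not fixes:
        return flagged
    ref = fixes[0]
    for i in range(1, len(fixes)):
        t, lat, lon = fixes[i]
        dt = t - ref[0]
        if dt <= 0:
            flagged.append((i, float("inf")))
            continue
        speed_kn = haversine_m(ref[1], ref[2], lat, lon) / dt / KNOT_MS
        if speed_kn > max_sog_knots:
            flagged.append((i, round(speed_kn, 1)))
        else:
            ref = fixes[i]
    return flagged


def incident_lines(fixes, flagged):
    """Render flagged fixes as the log lines that would accompany a report."""
    out = []
    for i, speed in flagged:
        t, lat, lon = fixes[i]
        out.append(f"t={t}s lat={lat:.4f} lon={lon:.4f} implied_sog={speed} kn SUSPECT")
    return out


if __name__ == "__main__":
    suspect = flag_implausible_fixes(SAMPLE_FIXES)
    for line in incident_lines(SAMPLE_FIXES, suspect):
        print(line)
```

The caveat a navigator would add: this only catches crude spoofing. A slow, consistent drift of the reported position passes a speed check, so it has to be cross-checked against independent sources (radar overlay, speed log, heading and, where fitted, a second receiver) before the ship’s position is trusted, and the raw fixes should be retained for the report either way.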
Due to the complexity of cyber security management it is encouraged that expert assistance is sought, but it is important that the agencies offering such assistance are evaluated and their expertise and experience are verified before providing access to systems for vulnerability testing or installation of any hardening tools.
There are various hardware and software solutions on offer, some based on the principles of machine learning capable of autonomous safeguarding action or alerts for manual intervention.
There are other agencies providing critical support in case of a cyber event based on a subscription and general advisory services for effective implementation of CSM. The suitability of any particular agency or technology should be carefully assessed for the extent of support required based on a risk assessment of the threats, i.e., risk to asset, life and reputation, the regulatory and legal implications, and the financial risk.
P&I Club cover does not exclude claims arising from cyber risks. It is however expected that owners, charterers, managers or operators of ships will consider appropriate steps to identify and safeguard against cyber threats and vulnerabilities as required, including having a cyber risk policy and systems.
In the case of an incident that arises from a cyber event a Member may need to demonstrate that they took all reasonable steps to prevent foreseeable loss or liability.
BIMCO has issued its Cyber Security Clause 2019, which it describes as having two aims. The first is ‘to raise awareness of cyber risks among owners, charterers and brokers. The second is to provide a mechanism for ensuring that the parties to the contract have procedures and systems in place, in order to help minimize the risk of an incident occurring in the first place and, if it does occur, to mitigate and resolve the effects of such an incident, while also cooperating to assist each other’.
Early implementation of cyber security management is therefore encouraged.
As not all cyber vulnerabilities are industry specific, lessons learnt from other industry sectors also have relevance and must be taken into consideration. Information on the threats to the marine industry needs to be widely shared in order to gain clarity on the extent of threat and a more realistic risk assessment. Reporting and sharing of cyber incidents with the relevant authorities and agencies therefore is vital.
In addition to the threats to a company’s operational systems, companies should also consider how best to look after the data they hold within those systems. There is now a raft of data protection legislation across the world for companies to comply with. Notably, in May 2018 the European Union brought into force the General Data Protection Regulation (GDPR). Following the UK’s exit from the EU at the end of the transition period on 31 December 2020, the UK has enacted legislation that effectively brings the GDPR into UK law (the ‘UK GDPR’), meaning the provisions of the GDPR continue to apply in the UK.
The GDPR is concerned with the handling of personal data – any data that identifies an individual or relates to an identifiable individual. Its purpose is to give data subjects greater rights with respect to their personal data, and requires those handling personal data to be able to justify using and keeping them, and to have in place appropriate security to protect the personal data they hold.
Vessel owners and operators will process a wide variety of personal data, with respect to crew, passengers, and staff in particular. This may include medical information, passport details, or salary and job data.
The GDPR applies not only to European individuals and entities (wherever in the world they process data) but also to the processing of personal data:
- of data subjects who are in the EU by an entity or individual based outside the EU, where the processing activities relate to:
(a) the offering of goods or services to data subjects in the EU; or
(b) monitoring their behaviour as far as their behaviour takes place within the EU;
- by an entity or individual not based in the EU, but in a place where Member State law applies by virtue of public international law.
There are very significant penalties for breaching the GDPR. For the most serious breaches, companies could face fines of up to (the greater of) 20 million Euros or 4% of annual worldwide group turnover. In addition, the reputational damage to companies that suffer data leaks can be very substantial. In recent years companies including Facebook, Google, Uber and British Airways have lost customer data and have suffered negative press in addition, in some cases, to regulatory fines.
Where this hasn’t already been done, it is suggested that companies carry out a detailed audit of their data processing. This should, among other things, assess the types of data received, what they are used for, where and how they are stored, how long they are kept for and who they may be sent to. Policies, procedures, and practices that cover the use of personal data should be reviewed in light of the requirements of the GDPR and other applicable data protection legislation, and where appropriate combined with a company’s cyber security measures.
Companies always have an obligation to minimise the data they collect, and to hold them only for as long as necessary. It is expected that companies will embed the principles of privacy by design (putting in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights) and privacy by default (only processing the personal data necessary for each specific processing purpose) into their procedures.
Protection of data is a key concern, and companies should ensure they have suitable electronic and physical security measures in place to look after the data in their own systems, and to make sure data is sent and received securely. Although the GDPR is only concerned with personal data, appropriate security measures will also make operational and commercially sensitive data more secure. These measures may include using appropriate security software, passwords and other user authentication measures, anonymising or pseudonymising data, and using encrypted transport between mail servers or end-to-end encryption of messages when sending emails and attachments containing personal data.
Where personal data are held on devices that leave company premises (such as laptops, tablets, mobile phones or mass storage devices), or such devices are used by staff to remotely access company systems, it may be necessary to require full-disk encryption and password protection on those devices, and to put in place robust guidelines covering their use and security.
Physical security considerations may include appropriate entry systems and locks for premises and internal storage facilities such as filing cabinets, and measures to ensure hard copy documents containing personal information are not left lying around.
Companies that process personal data should have in place suitable privacy notices, detailing the types of data they hold and how and why they process them. For companies subject to the GDPR whose core activities require the large scale, regular and systematic monitoring of individuals, a Data Protection Officer (DPO) must be appointed. Where the appointment of a DPO isn’t mandatory, having a DPO may nonetheless make it easier to properly manage one’s data protection obligations.
With the increase in data protection and cyber security obligations, it is good practice to ensure that staff are given the necessary training with respect to their own and the company’s responsibilities. If staff are trained to handle personal data in an appropriate way and to be aware of cyber security threats such as phishing emails and malware, companies will minimise the human error risk inherent in all security procedures and ensure their data are protected and their OT and IT systems free from unwanted interference.
Steamship has published two Circulars (L312 and L314) which give further background on the GDPR and consider various best practice ideas. These can be found on our website, along with a video: ‘Data? Let’s Get Personal!!’.
Members are also encouraged to view our other video on the topic:
- Cyber Security: Smart, Safe Shipping
The Club’s new Cyber Insurance product is aimed at assisting Members to respond to a cyber attack on their vessels and insuring them against any loss of income the vessel incurs as a result. This product is available for all vessels operated by Members, including those not entered for P&I, and for non-Members. Initially this product will not be available for yachts or passenger vessels. Further information is available in L.372 (Cyber Cover).