Cybersecurity company IASME Consortium has launched a new certification for maritime vessels in collaboration with Infosec Partners and the Royal Institution of Naval Architects (RINA).
The scheme is designed to provide a base level of cyber-resilience on ships, taking into account the unique considerations of vessel systems. It has two tiers: a verified self-assessment and an audited assessment.
Vessel systems generally comprise operational technology (OT) systems – rudimentary programs that primarily run machines – as opposed to IT systems, which are generally designed to be networked and to update regularly to remain resilient to cyber-attacks.
Jamie Randall, IASME head of technical strategy, explained to The Loadstar there were various issues specific to ships which made them vulnerable to a cyber-attack.
“It is more complicated, particularly on the OT side – this is the biggest challenge,” he said. “This is why we partnered with Infosec Partners, and RINA. We have a number of cyber-experts experienced working with vessels and know how to interpret the controls and apply them to systems across ships.”
IASME is hoping to create a universal baseline for ship cyber-resilience, resulting in a certification which can be demonstrated to supply chain partners, shippers, charterers, port authorities and other interested parties.
“A cyber-essential scheme is designed to protect against commodity attacks – ransomware and malware,” explained Mr Randall. “These are around 80% of attacks.”
Ransomware is by far the most popular. In a recent interview, Intel 471 researcher Greg Otto revealed that means of access to around 50 freight and logistics companies had been traded freely by cyber-criminals over the past three months.
Ransomware and malware attacks are not targeted at ships in particular; they are designed to spread over a wide array of systems, but they can create serious damage where these systems are undefended. Shipping’s proliferation of OT systems, including machinery which has been “haphazardly” networked without ‘air gaps’ by shipbuilders, presents different weaknesses from those of a typical office.
“Ransomware might get onto the ship’s ‘office’ via a USB key, but if there’s poor segregation between these systems and some of the OT – navigational systems, control systems and so on – this is a situation which could result in a threat to life, something much less likely in a regular office,” explained Mr Randall.
Far greater levels of scrutiny would be needed to prevent a dedicated hacking attempt against a specific ship than is afforded by the new certification process, but, Mr Randall said, ships first needed to be on guard against the most basic forms of attack.
“The scarier threat, of course, is someone hacking into a ship, controlling it, altering the systems on board. There is anecdotal evidence to suggest this has already happened,” he said. “I think commodity attacks are something we can do most about. There are many basic controls still missing, and those are the ones we want vessels to implement.”