The International Maritime Organization is a specialized agency of the United Nations, responsible for measures to improve the safety and security of international shipping and to prevent pollution from ships. It is also involved in legal matters, including liability and compensation issues and the facilitation of international maritime traffic. It currently has 174 Member States.
According to the IMO, maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
In June 2017, the IMO adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). According to the resolution, an approved SMS should take cyber risk management into account in accordance with the objectives and functional requirements of the ISM Code. It called on Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
In the same year, the IMO issued MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management, which provides high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The guidelines have since been revised (MSC-FAL.1/Circ.3/Rev.1 in 2021 and Rev.2 in 2022), but the scope and structure summarized below are unchanged.
According to MSC-FAL.1/Circ.3, vulnerable systems could include, but are not limited to:
1. Bridge systems;
2. Cargo handling and management systems;
3. Propulsion and machinery management and power control systems;
4. Access control systems;
5. Passenger servicing and management systems;
6. Passenger facing public networks;
7. Administrative and crew welfare systems; and
8. Communication systems.
According to MSC-FAL.1/Circ.3, the distinction between information technology (IT) and operational technology (OT) systems should be considered. IT systems may be thought of as focusing on the use of data as information; OT systems may be thought of as focusing on the use of data to control or monitor physical processes. The protection of information and of data exchange within and between these systems should also be considered, because the ship-to-shore and IT-to-OT interfaces are where a compromise of an office network can become a safety problem on board.
While these technologies and systems provide significant efficiency gains for the maritime industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance and design of cyber-related systems, and from intentional and unintentional cyber threats.
Threats are presented by malicious actions (e.g. hacking or the introduction of malware) or by the unintended consequences of benign actions (e.g. software maintenance or changes to user permissions). In both cases the action either exposes a vulnerability (e.g. outdated software or an ineffective firewall) or exploits one in operational or information technology. Effective cyber risk management should consider both kinds of threat.
Vulnerabilities can result from inadequacies in the design, integration and/or maintenance of systems, as well as from lapses in cyber discipline. Where vulnerabilities in operational and/or information technology are exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation, which lets an intrusion spread from one system to another), there can be implications for security and for the confidentiality, integrity and availability of information.
Additionally, when operational and/or information technology vulnerabilities are exposed or exploited, there can be implications for safety, particularly where critical systems (e.g. bridge navigation or main propulsion systems) are compromised.
Effective cyber risk management should therefore also consider safety and security impacts resulting from the exposure or exploitation of vulnerabilities in information technology systems. This could result from inappropriate connection of IT to operational technology systems, or from procedural lapses by operational personnel or third parties that compromise these systems (e.g. inappropriate use of removable media such as a memory stick on a bridge or engine-room workstation).
The IMO makes clear that effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
Cybersecurity is now one of the principal challenges for the maritime industry.
A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of everyone in the organization, ashore and on board, regarding cybersecurity. Managers and employees must be involved in the prevention and detection of, and the response to, deliberate malicious acts that target systems, persons, and data.
We tailor the program to meet specific requirements. You may contact us to discuss your needs.
Course synopsis, recommended training modules
- An overview of some of the attacks described below, that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.
- May 2022, a distributed denial-of-service attack targeted the Port of London Authority and forced its website offline.
- October 2021, a password-spraying campaign attempted to compromise more than 250 Office 365 tenants, with a focus on Persian Gulf ports of entry and maritime transportation companies with a presence in the Middle East.
- October 2020, UN shipping agency the International Maritime Organization (IMO) reported that its website and networks had been disrupted by a sophisticated cyber attack.
- March 2013, hackers targeted civilian and military maritime operations within the South China Sea, companies involved in maritime satellite systems, aerospace companies and defense contractors.
- June 2021, the United States Naval Institute (USNI) reported that the tracking data of two NATO ships, the U.K. Royal Navy's HMS Defender and the Royal Netherlands Navy's HNLMS Evertsen, had been falsified off the coast of a Russian-controlled naval base in the Black Sea. The faked data positioned the two warships at the entrance of a major Russian naval base while they were in fact in port elsewhere.
- September 2020, French shipping company CMA CGM SA saw two of its subsidiaries in Asia hit with a ransomware attack that caused significant disruptions to IT networks, though did not affect the moving of cargo.
- December 2018, U.S. Navy officials report that hackers had repeatedly stolen information from Navy contractors including ship maintenance data and missile plans.
- June 2017, the NotPetya malware shut down the port terminals of Danish shipping giant Maersk for days, causing an estimated $300 million in associated costs.
- August 2016, designs and data regarding India’s Scorpene submarines were leaked from the French shipbuilder DCNS.
- June 2015, the Chinese company Qihoo360 reports discovering “OceanLotus,” an espionage program operating since 2012 to target marine agencies, research institutions and shipping companies.
- February 2022, multiple oil terminals in some of Europe's biggest ports across Belgium and Germany fell victim to a cyberattack, rendering them unable to process incoming barges. A ransomware strain associated with a Russian-speaking hacking group disrupted the ability of the energy companies to process loading and payment operations.
Understanding the Guidelines on Cyber Security Onboard Ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and the WORLD SHIPPING COUNCIL.
- Understanding the challenges,
- Threats and vulnerabilities,
- Ship to shore interface,
- Risk exposure,
- Risk assessment made by the company and by third-parties,
- Protection and detection measures,
- Defence in depth and in breadth,
- Procedural protection measures,
- Respond to and recover from cyber security incidents,
- Losses arising from a cyber incident,
- Best practices, what to remember at all times.
Who is the “attacker”?
- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.
- Cyber Pirates.
- Hacktivists and the maritime industry.
- Professional criminals and information warriors.
- Cyber-attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.
How do the adversaries plan and execute the attack?
- Step 1 – Collecting information about persons and systems.
- Step 2 – Identifying possible targets and victims.
- Step 3 – Evaluation, recruitment, and testing.
- Step 4 - Privilege escalation.
- Step 5 – Identifying important clients and VIPs.
- Step 6 – Critical infrastructure.
Employees and their weaknesses and vulnerabilities.
- Employee collusion with external parties.
- Blackmailing employees: The art and the science.
- Romance fraudsters and webcam blackmail: Which is the risk for the maritime industry?
What must be protected?
- Best practices for all employees that provide services and have authorized access to systems and data.
- What to do, what to avoid.
- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.
- Reverse Social Engineering.
- Common social engineering techniques
- 1. Pretexting.
- 2. Baiting.
- 3. Quid pro quo (something for something).
- 4. Tailgating.
- Clone phishing.
- Whaling – phishing for executives.
- Smishing and Vishing Attacks.
Cyber hygiene, the online analogue of personal hygiene, applied to everyday tasks:
- Preparing and maintaining records.
- Entering and retrieving data into computer systems and devices.
- Researching and compiling reports from outside sources.
- Maintaining and updating files.
- Responding to emails and questions by telephone and in person.
- Ensuring that sensitive files, reports, and other data are properly tracked.
- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.
We will discuss the mistakes and their consequences in one or more of the following case studies:
- May 2022, attack that targeted the Port of London Authority.
- October 2021, attempt to hack over 250 Office 365 accounts.
- October 2020, International Maritime Organization (IMO) report.
- March 2013, South China Sea.
- June 2021, United States Naval Institute (USNI) report.
- September 2020, shipping company CMA CGM SA, ransomware attack.
- December 2018, U.S. Navy report.
- June 2017, NotPetya ransomware attack, Danish shipping giant Maersk.
- August 2016, India’s Scorpene submarines.
- June 2015, Qihoo360.
- February 2022, multiple oil terminals in some of Europe’s biggest ports across Belgium and Germany.
For each case study we ask:
- What happened?
- Why did it happen?
- What were the consequences?
- How could it have been avoided?
Closing remarks and questions.
The program has been designed for all persons in the maritime industry who have authorized access to systems and data. This includes ship managers, port managers, harbour masters, ship superintendents, security officers, IT managers, port authorities, and entities operating within ports.
The program is beneficial to suppliers and service providers of the maritime industry.
Duration: one hour to one day, depending on the needs, the content of the program, and the case studies. We always tailor the program to the needs of each client.
Delivery format of the training program
a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers, employees, etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH who is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.
b. Online Live Training program - a synchronous (real-time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms such as Zoom, Webex or Microsoft Teams. In all Online Live Training programs, instructors from Cyber Risk GmbH who are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.
c. Video-Recorded Training program - a professional, pre-recorded training program. Instructors from Cyber Risk GmbH who are approved by the Client tailor the training content according to the needs of the Client and the Contract, and record it in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos into their internal learning management system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.
Our instructors are working professionals with the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs tailored to your needs. You will always know up front who the instructor of the training program will be.
George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
Terms and conditions
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The hosting provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is stored exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.