Bimco, the Cruise Lines International Association, Intercargo and Intertanko have launched a set of cyber security guidelines with support from stakeholders including satellite communications providers, shipmanagers and shipowners.
The document sets out a range of potential groups that may benefit from accessing the computer systems of maritime companies, from state-sponsored organisations and terrorists through to criminals and opportunists. The possible motivations of the various groups are also given, including data destruction, sale or ransom of data, reputation damage, masking the transportation of illicit cargo, and disruption of economic infrastructure.
The possible forms of attack range from widespread untargeted attacks using phishing and social engineering, to attacks specifically targeted at a company or individual using spear-phishing or compromising software and equipment due to be delivered to the company.
The guidelines suggest that a company’s approach to cyber security be decided at a senior management level. While the temptation might be to pass the issue directly to the IT department or ship’s security officer, a proper defence against threats will likely involve changes outside the scope of the IT department, including staff training and business practice alterations.
In September 2015 a security workshop hosted by the International Marine Contractors Association and the Security Association for the Maritime Industry heard that best practice guidelines were the safest defence against cyber security threats to the industry.
In a list of possible technical security controls, the guidelines highlight limiting access to networks, properly managing user and administrator profiles, protection of email and web browser interactions, defences against malware, the ability to recover data and restore capabilities and securing physical access to hardware and cables.
Procedural controls to protect against internal cyber threats are described and focus on training, anti-virus and anti-malware protection, secure disposal of equipment and control of the use of removable media.
The Guidelines on Cyber Security Onboard Ships is published by BIMCO and is freely available on the association’s website.
BIMCO secretary-general Angus Frew said: “The aim is to provide the shipping industry with clear and comprehensive information on cyber security risks to ships enabling shipowners to take measures to protect against attacks and to deal with the eventuality of cyber incidents.
“The guidelines launched today should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate.”