During London International Shipping Week, Transport Minister Lord Callanan described how the NotPetya cyber attack of June 2017, which hit the shipping sector among others, demonstrated the sector's vulnerability to this type of attack, leading the Department for Transport to launch its new Cyber Security code of practice for ships.
It covers all the main issues affecting any organisation's approach to awareness, defence and recovery, while also addressing the specific issues of a physical asset with data elements.
It aims to help organisations:
· develop a cyber-security assessment and plan
· devise the most appropriate mitigation measures
· ensure they have the correct structures, roles, responsibilities and processes in place
· and manage security breaches and incidents.
It also highlights the key national and international standards and regulations that should be reviewed and followed.
Callanan observed that, “Cyber-security is an increasing concern [and] anything that threatens the reliability and performance of a shipping sector that carries 95 percent of our trade has to be taken seriously.”
He noted how, in some areas, maritime continues to rely on legacy systems using old software and ageing operational technology – though he didn't refer to recent reports of a new warship claimed to be running Windows XP.
He did, however, refer to the growing dependence on information systems with the development of new technologies — such as autonomous or partially-autonomous vessels potentially being more vulnerable to cyber attacks.
Callanan continued, “Poor cyber security undermines customer confidence and industry reputation, and could potentially result in severe financial losses or penalties, and litigation affecting the companies involved. The disruption caused by a cyber attack – or a compromised system — could be significant too.”
Areas that could be hit by a compromised ship system include:
· physical harm to the system, the shipboard personnel or the cargo — potentially endangering lives or leading to the loss of the ship
· the loss of sensitive information, including commercially sensitive or personal data
· criminal activity, including kidnap, piracy, fraud, theft of cargo, or imposition of ransomware
The aim of cyber-defence is thus not just preventing hackers from gaining access to systems and information, but also protecting digital assets and information, ensuring business continuity, and making sure the maritime industry is resilient to outside threats.
Consequently, in the event of an incident, appropriate practices and technologies need to be in place to limit any damage. As a result, ship owners and operators need to understand cyber security and promote awareness of the subject among their staff and business partners.
From a government perspective, it was noted that the 2015 National Security Strategy reaffirmed cyber as a Tier One risk to UK interests, and that dedicated cyber security teams in a range of departments include a team that works with shipping industry partners, port operators and vessel traffic services (VTS) organisations.
Their aims are to: understand the cyber threat and the vulnerabilities for the transport sector; mitigate cyber risks and take appropriate action to protect key assets; respond to cyber incidents effectively and ensure that lessons are learnt; and promote cultural change, raise awareness and build cyber capability.
The government also established the National Cyber Security Centre in 2016 — again to work with the industry on this increasingly complex subject.
The Department for Transport commissioned the Institution of Engineering and Technology (IET) to produce the new code of practice.
It has also received input from experts at the Maritime Coastguard Agency, Maritime Accident and Investigation Branch, the MoD's Defence Science and Technology Laboratory, and the National Cyber Security Centre.
The guidance will complement the work being done by the International Maritime Organisation (IMO) to raise awareness of cyber threats and vulnerabilities.
This code of practice explains why it is essential that cyber security be considered as part of a holistic approach throughout a ship's lifecycle.
The code of practice is intended to be used as an integral part of a risk management system to ensure that cyber security is delivered cost effectively as part of mainstream business.
This latest code of practice follows on from last year's publication of the Cyber security code of practice for ports and port systems, which is also available on GOV.UK.