The maritime industry is undoubtedly behind other transportation sectors, such as aerospace, in cybersecurity terms. There also seems to be a lack of urgency to get the house in order. After all, the cyber-specific amendments to the ISM and ISPS don’t come into force until January 1 2021, and they only represent the beginning of a journey. So the maritime industry seems particularly ill-equipped to deal with future challenges, such as the cybersecurity of fully autonomous vessels.
Cybersecurity experts recently displayed how easy it was to break into a ship’s navigational equipment. This comes only a few years after researchers showed that they could fool the GPS of a superyacht into altering course.
The International Maritime Organisation (IMO), the UN body charged with regulating maritime space, has been late and somewhat slow in considering appropriate regulation when it comes to cybersecurity.
In 2014, the IMO consulted their membership on what maritime cybersecurity guidelines should look like. Two years later they issued their interim cybersecurity risk management guidelines, which are broad and not particularly maritime specific. And now, unsurprisingly, ships are being hacked.
Confusing ship variants
The maritime industry in particular has several challenges to address on the core issues that make up cybersecurity.
First, there are many different classes of vessel, all of which operate in very different environments. Significantly, many of these systems are built to last over 30 years and are the least compatible with present-day systems, which makes them more prone to cyber-attacks.
Second, the users of these maritime computer systems are constantly changing at short notice. As a result, crew members are often using systems they are unfamiliar with, increasing the potential for cybersecurity incidents relating to human error. Also, the maintenance of onboard systems, including navigational ones, is often contracted to a variety of third parties.
A third complexity is the linkage between onboard and terrestrial systems. Many maritime companies stay in constant communication with their vessels, so the cybersecurity of the ship also depends on the cybersecurity of the land-based infrastructure. The implications of such dependencies were made clear in 2017, when a cyber-attack on the systems of A.P. Moller-Maersk resulted in cargo delays across their entire fleet.
This is particularly challenging for the IMO, which can govern the likes of port regulations but has very little control over the wider systems and processes of maritime operators.
Steps in the right direction
In 2017, the IMO amended two of their general security management codes to explicitly include cybersecurity. The International Ship and Port Facility Security Code (ISPS) and International Security Management Code (ISM) detail how port and ship operators should conduct risk management processes.
Hopefully, this is the start of a more holistic approach to maritime cybersecurity regulation. The knowledge gained from these new cyber-risk assessments may enable the IMO to develop a broader set of cybersecurity regulations.
Development of robust maritime cybersecurity regulations is going to be a very slow, and possibly painful, process. But the ship has started turning.
Source: The Conversation