IMO/University of Plymouth Symposium on maritime cyber security and resilience, 1-2 November 2023
Symposium explores ways of building cyber resilience within the international maritime supply chain
As the global shipping industry becomes increasingly digitalized cyber attackers are looking to exploit vulnerabilities in the maritime supply chain. Industry representatives, academics, and NGOs examined the types of possible cyber-attack and how to guard against them at the third annual University of Plymouth Cyber-SHIP Lab symposium, organised jointly with the International Maritime Organization (IMO).
Day one of the symposium focused on the level and variety of cyber threats. Day two looked at potential technological, policy and regulatory solutions.
One issue raised several times throughout the event was that of persuading victims of maritime cyber-attacks to share information to enable learning and build resilience across the sector.
Opening the symposium on behalf of the IMO Secretary-General, Joseph Westwood-Booth, Senior Deputy Director of the Maritime Safety Division made clear IMO’s commitment to enhancing Member States’ maritime cyber security capabilities and to promoting a culture of cybersecurity:
“IMO, in line with its role as the global regulator facilitating modern shipping, must further promote cooperation with international partners, academia and industry to address increasing cyber threats and their impacts in the maritime domain,” he said.
What might a cyber-attack look like?
Professor Kevin Jones, Principal Investigator, Cyber-SHIP Lab, and Executive Dean, Faculty of Science and Engineering, University of Plymouth, used anonymised real examples to summarise the kinds of cyber-attacks that might be mounted, their likely consequences, and how to mitigate against them:
An “insider” attack, for example, on a ship’s bridge systems, or on vulnerabilities in its engine systems. The way to guard against this is, he said, “classic cyber security”, for instance by segregating networks.
A sophisticated “cyber physical attack” on the maritime supply chain using detailed knowledge of suppliers and operations. Possible mitigations include security by design, supply chain security, and personnel training.
An “interactive” attack using novel technology such as a 5G connection between assets, for instance, an attacker with knowledge of ship locations acting in real time to exploit weaknesses. Mitigation is not easy but includes physical security, vetting and inspections, and network security.
Professor Jones said attackers’ motivations can be financial or “hacktivism” (using digital techniques to demonstrate for or against a social or political cause). Along with addressing technical and cultural issues, legislation, regulation and having the right policies and procedures can help, he said.
Issues raised from the floor included a lack of information sharing across the maritime industry, how digitalization increases the “attack surface” and different policy approaches countries are taking, for example willingness or not to pay ransoms.
The value of cyber incident reporting metrics
Captain Adam B Morrison, Detachment Chief from Coast Guard Cyber Command, US Coast Guard (USCG), described the threat of maritime cyber-attacks as a globally shared problem and called for collective vigilance across governments and the shipping industry to ensure “cyber hygiene”.
Although cyber incidents are happening every day, they are not, Captain Morrison said, generally being reported. In fact, the viability of reporting is disputed by some because it means admitting to vulnerabilities. He cited USCG figures indicating that the majority of incidents are down to weaknesses such as easily crack-able passwords.
A panel discussion followed on “Current and future directions in maritime cyber security”. Dr Gary Kessler, an independent academic, consultant and maritime security practitioner, spoke about the impact in the cyber-security sphere of artificial intelligence (AI) and the importance of developing a cyber safety culture amongst the maritime workforce that compares to that of safety.
Professor Adam Sobey of the University of Southampton and the Alan Turing Institute stated the usefulness of measuring what is going on, and highlighted the vulnerabilities present in supply chains. Nations need to work together to find trans-national solutions, he said.
Asked about the “alarmingly clear potential” for cyber-attacks as research and development increases on unmanned vessels - or Maritime Autonomous Surface Ships (MASS) - Dr Kimberly Tam, Cyber-SHIP Lab Academic Lead, said most concerns in this area centre on the need to switch a vessel’s status between manned and unmanned.
Muhammed Erbas, a second-year master's student at Tallinn University of Technology, spoke about his research into heightened cyber-security risks brought about by the increasingly interconnected navigation systems of autonomous ships, and Eva Szewczyk, Senior Policy Advisor at the UK Department for Business and Trade gave a presentation on the relationship between the marine insurance market and cyber risks. Whilst some specialist companies offer cover against cyber-attacks, availability is limited, she said.
Jungo Shibata from the Monohakobi Technology Institute, an R&D subsidiary of the NYK shipping company, told delegates about NYK’s development of an onboard Ship Information Management System to collect data that is monitored and analysed onshore.
Research and capabilities
Dr Kimberly Tam and Avanthika Vineetha Harish from the Cyber-SHIP Lab detailed the kind of work undertaken at their facility. The Lab’s cyber security research platform uses real hardware rather than simulations which, they said, provides unique capabilities for the testing of ships’ systems. Dr Tam said the Cyber-SHIP Lab team was keen to collaborate with industry on research and scenario development.
Allan Nganga, of the Western Norway University of Applied Sciences considered the state of play in maritime Security Operations Centres (SOCs). His research showed incident management to be the main concern. Amongst the factors that influence incident management are cyber awareness, including amongst crews, incident communication, the incident analysis process including the impact of personnel shortages, and intelligence gathering and information sharing.
He concluded with a call for better information sharing and collaboration between vessel cyber resilience stakeholders.
Adapting and developing in an interconnected world
In a recorded video message from the United Kingdom of Great Britain and Northern Ireland’s Minister for Aviation, Maritime and Security, Baroness Vere. She said the maritime sector, in a digital era, must adapt:
“We will need to maintain and develop secure approaches and ensure the workforce can operate within these systems. Included in cyber threats is a threat to global trade and economics...We [the United Kingdom government] will continue to work for maritime security.”
Joining the symposium remotely to deliver his keynote speech, Rear Admiral James Parkin, Director of the Royal Navy’s Development Directorate which oversees the Royal Navy’s future capabilities, spoke about similarities between the military and civilian maritime sectors’ digital network architecture. Cyber-security is one of the Navy’s most critical challenges, he said, and highlighted the importance that any threat to IT and OT must not risk the fleet’s combat technology.
Rear Admiral Parkin went on:
“We cannot go it alone. We are an interconnected world and are connecting with our allies and partners...The challenge is that our adversaries are unpredictable and unseen - and better resourced than us.”
A real world maritime cyber threat: the software supply chain
Thomas Scriven, Principal consultant at Mandiant, works with commercial and government clients on cyber threat intelligence and incident response, giving him sight of what attackers are doing, when they hit their targets and what he called their dwell time.
To illustrate the risk of a supply chain-centred industry-wide attack, he used a fictional geopolitical scenario entailing multiple detections of foreign intelligence of a state actor conducting cyber reconnaissance - typical of the kind of cyber threat encountered by Mandiant.
Andy Howell, Principal cyber security consultant at BMT, an engineering design consultancy that works principally with the maritime sector, underlined how growing automation, with data being shared internally and externally, increases vulnerability to a cyber-attack. BMT focuses on defining what would be an unacceptable loss of mission for a ship and building cyber resilience around its critical systems so it can continue to perform.
Developing a maritime cyber security framework
The symposium heard from Matthew Parker, the United Kingdom of Great Britain and Northern Ireland Department of Transport’s Head of Maritime Security Strategy, Threat and Risk about the United Kingdom Maritime Cyber Strategic Framework.
The Framework is divided into three areas: infrastructure and equipment; engagement and skills; and policy development. It sets out the scope of the maritime ecosystem - port infrastructure; ships’ systems; communications and information systems; maritime operational support; offshore and subsea infrastructure; safety and security systems; and people – and the work needed to address known threats and vulnerabilities. It also includes an implementation plan to support industry.
Analysis of publicly reported maritime cyber incidents
Jeroen Pijpker and Professor Stephen McCombie who, respectively, specialise in cyber and IT security at NHL Stenden University of Applied Sciences, explained their research into cyber threats to the maritime transportation system. Their work has led to the creation of the Maritime Cyber Attack Database which details maritime cyber incidents. Its data is based on British open-source intelligence and is available online and as an app to help raise awareness of the prevalence and types of attacks taking place and provide a basis for further research.
The database records the number of cyber incidents by attacker country 2001-2023 as the Russian Federation 37, China 18, the Islamic Republic of Iran 9, the Democratic People’s Republic of Korea 9, the United States of America 6, and Israel 3. The United States of America is the most common country to have fallen victim during that time with 27 known incidents, and the United Kingdom of Great Britain and Northern Ireland 13. The database records 46 attacks targeting vessels, and 37 attacks on ports.
According to the academics’ research, recent cyber-attack trends include the increased use of technology, for instance, by pirates to locate ships, or to hide ships’ locations. The prevalence of jamming, the hacking of cargo systems and attacks that compromise navigation systems were highlighted, along with GPS and AIS spoofing, and malware that impacts a vessels’ bridge systems.
Increasing cyber resilience
To explore how the maritime sector’s resilience against cyber threats can be strengthened, Makiko Tani, Deputy Head of CyberSecurity at ClassNK, a ship classification society, outlined to delegates his organisation’s Guidelines and its Cyber Security Management System.
This was followed by DNV’s Head of Cyber Security Maritime, Svante Einarsson, who highlighted findings from DNV’s 2023 Maritime Cyber Security Research Report.
The survey of 800 people in passenger and freight transportation, industry services and offshore roles, found that 79% of respondents consider cyber security risks in the maritime industry are increasingly considered to be as important as health and safety risks. Just over half - 59% - say cyber security is a high priority for their organisation’s senior leadership, but only 32% regard their organisation as very well prepared to prevent a direct cyber-attack on its systems.
Governance and regulation
The role of regulation in ships and ports defending themselves against the threat of a cyber-attack was considered by speakers from BIMCO and IAPH.
Representing ship owners, BIMCO’s Head of Maritime Safety and Security, Jakob Larson, said that the latest guidelines are now more risk-based than earlier versions and that the industry has become better at managing cyber risk. But he warned the guidelines must evolve to guard against them becoming obsolete.
Noting that cyber security is on IMO’s agenda for discussion in spring 2024, he outlined what BIMCO hoped to see in future: goal-based standards for the industry, a safety- and risk-focused approach, and prioritisation of critical entities within the supply chain - for example, a large port rather than an individual ship. He also underlined the debate around commercial confidentiality and which information should be shared.
On behalf of ports, Frans van Zoelen of IAPH addressed the likely impact of the maritime single window for the exchange of data which becomes mandatory from January 2024. He ran through the relevant regulatory instruments on cyber security including IMO guidelines on cyber risk management, non-mandatory industry guidelines from ENISA, BIMCO and IAPH, and the mandatory ISPS Code for port facilities.
On a national level, Mr van Zoelen stressed the importance of futureproofing legislation by incorporating flexibility within it.
Scott Dickerson, Executive Director of the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) which promotes and facilitates cybersecurity information sharing amongst private and public sector stakeholders, spoke about the challenges posed by the international nature of the shipping industry with countries having their own ways of tackling the issue, including differing approaches to law enforcement and reporting requirements.
Cyber consequences and responses
In a presentation that looked at improving cyber resilience of navy ships, Commander William van der Geest from the Royal Netherlands Navy spoke about the unique cyber security challenges faced by navy ships.
With no cyber security experts on board, there is, he said, a need to incorporate cyber as part of a navy ship’s battle damage repair response. It may, he said, have to be improvised to return the affected systems to a sufficient level of service as there is not the luxury of time for comprehensive fault-finding in a combat environment.
A key player in the event of a cyber-attack is the insurance sector. Kelly Malynn is Product Lead and Underwriter for Cyber Physical Damage at Beazley which insures 25% of the world’s maritime fleet. She specialises in the identification and quantification of complex risks and addressed the symposium on what, in the event of a cyber security breach, is technically plausible for insurers.
She outlined the types of cyber threats the maritime sector faces: vessel cyber – for example, physical damage to vessels, enterprise cyber – for instance, “bricking” (when computer hardware is rendered inoperable, perhaps as a result of being hacked), and business interruption.
The kind of cyber events for which insurance cover is available includes the targeting of power systems, generic ransomware, a vessel’s electronic chart display and information system, and email and booking systems, Ms Malynn said.
In real-world multi-system vessel testing, she did identify vulnerabilities. However, she said the complexities of vessel systems were complicated for a potential cyber-attacker to navigate. It would require a substantial investment to get through defences and compromise them - which poses the question whether the reward would be worth it.
See more about the IMO/University of Plymouth’s Cyber-SHIP Lab Symposium on "Maritime cyber security and resilience
here.