With the introduction of MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, at the start of 2021, IMO mandated that member states should take into account cyber protection and safeguards for every vessel over 500 gt, consistent with the requirements of the ISM Code and reflective of the reality that most modern ships are, to a greater or lesser extent, connected. But what does this actually require of shipowners and operators?
Conscious of the ongoing uncertainty within the industry, and in collaboration with the IASME Consortium, cyber security experts Infosec Partners recently launched the Maritime Cyber Baseline scheme. As the name suggests, the objective of the scheme is to establish an affordable and certified baseline level of cyber control for maritime, applicable for all ship types.
Infosec Partners has a long involvement with maritime, in addition to a wealth of cyber security expertise across many other industry sectors. Mark Oakton, the company’s security director, says that MSC.428 follows a typical pattern for cyber security regulations, in that it avoids being too prescriptive, and that shipowners could benefit from a more defined support framework.
He comments: “In my experience, as we have seen in other sectors, there was likely to be several years of confusion, with consultants taking as much money as possible while trying to help vessel owners but in reality not actually demonstrating alignment or compliance. Therefore we worked with IASME to create and introduce the Maritime Cyber Baseline scheme, to give owners a quick and affordable route to demonstrate IMO compliance.”
Basic level of control
The Maritime Cyber Baseline is broadly similar to the long-running Cyber Essentials scheme developed by the UK’s National Cyber Security Centre (NCSC) and used by thousands of organisations. Oakton explains: “There’s a specific list of controls that need to be present and implemented. We’ve looked at what the threats are, the things that are having an impact on vessels, and then make sure there’s a very basic level of control in place for those vessels.”
While this encompasses more elementary aspects of cyber protection, such as ensuring people change their passwords, and that organisations and vessels have firewall and antivirus software, it also addresses more ship-specific vulnerabilities. “One of the key parts of the scheme standard is to document your assets, determining which ones are IT and which are OT [operational technology], then making sure there are specific controls in place for both sides and that there’s an owner for the security of each of those,” says Oakton.
He adds that very often IT systems are well controlled but OT systems, which may run the operation of the vessel, have either been forgotten about entirely or outsourced to a third party with little oversight or control. To address this there is an asset management component to the scheme, including a self-assessment questionnaire, which delineates the IT and OT assets and which of these are deemed critical systems, with a series of checks to ensure that crew have a basic level of control across these systems.
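The asset management step described above (classify each asset as IT or OT, name a security owner, flag critical systems, and keep sight of anything outsourced to a third party) can be checked mechanically before an assessor ever sees the register. The script below is an added illustration and is not part of the article or of the Maritime Cyber Baseline scheme itself; the asset names, the field layout and the four gap checks are assumptions chosen to mirror the gaps Oakton describes, not the scheme’s actual questionnaire.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Asset:
    """One row of a hypothetical vessel asset register (layout assumed, not the scheme's)."""
    name: str
    domain: str                              # expected to be "IT" or "OT"
    critical: bool                           # does loss of it affect safe operation of the vessel?
    owner: Optional[str]                     # person or role accountable for its security
    outsourced_to: Optional[str] = None      # third party under a remote service contract, if any
    oversight_contact: Optional[str] = None  # who on the operator's side oversees that third party
    controls: List[str] = field(default_factory=list)  # documented controls applied to it


# Constructed sample register for a hypothetical vessel; values are illustrative only.
SAMPLE_REGISTER = [
    Asset("ECDIS", "OT", True, owner=None, controls=["patched", "usb-ports-disabled"]),
    Asset("Engine monitoring gateway", "OT", True, owner="Chief Engineer",
          outsourced_to="Vendor X (remote service)", oversight_contact=None,
          controls=["vpn-only"]),
    Asset("Satcom router", "IT", True, owner="IT Manager",
          controls=["firewall", "default-credentials-changed"]),
    Asset("Crew Wi-Fi", "IT", False, owner="IT Manager", controls=["segmented"]),
    Asset("Ballast control PLC", "OT", True, owner="Chief Officer", controls=[]),
    Asset("Bridge printer", "other", False, owner="IT Manager"),
]


def review_register(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (asset name, issue) pairs for every gap the register reveals.

    The four checks correspond to the gaps the article highlights: assets that are not
    classified as IT or OT, assets with no security owner, critical systems with no
    documented control, and outsourced systems with no internal oversight.
    """
    findings = []
    for a in assets:
        if a.domain not in ("IT", "OT"):
            findings.append((a.name, "domain must be classified as IT or OT"))
        if not a.owner:
            findings.append((a.name, "no named security owner"))
        if a.critical and not a.controls:
            findings.append((a.name, "critical system with no documented control"))
        if a.outsourced_to and not a.oversight_contact:
            findings.append((a.name, "outsourced to third party without internal oversight contact"))
    return findings


def summary(assets: List[Asset]) -> dict:
    """Headline counts an operator would want on the first page of a self-assessment."""
    return {
        "it": sum(1 for a in assets if a.domain == "IT"),
        "ot": sum(1 for a in assets if a.domain == "OT"),
        "critical": sum(1 for a in assets if a.critical),
        "findings": len(review_register(assets)),
    }


if __name__ == "__main__":
    for name, issue in review_register(SAMPLE_REGISTER):
        print(f"{name}: {issue}")
    print(summary(SAMPLE_REGISTER))
```

On the constructed register the script reports four gaps: the ECDIS has no owner, the engine gateway is run by a vendor with nobody ashore or aboard overseeing the contract, the ballast PLC is critical but has no documented control, and the printer has not been classified at all. Each of these is the kind of finding that would otherwise surface only when the assessor runs the technical tests.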
The process ends with a series of 10 short technical tests, conducted by an accredited assessor and typically taking around two to four hours, that validate the specified controls are in place and consistent with what has been attested. Upon completion the operating company is issued with a certificate stating it is deemed to be compliant with MSC.428(98).
Oakton points out that, unlike some more generalist IT companies, Infosec Partners has cyber experience gained through many years of working with the maritime industry and, critically, a strong understanding of OT environments. This has earned the scheme the approval of the notoriously cyber-wary insurers. “It's a very select group of very accredited assessors that are allowed to run these audits across vessels in the industry,” he says.
Moreover, he believes that there’s a pressing need for the shipping industry to start getting its cyber affairs in order. “The rationale for doing this is ultimately that cyber in maritime is 30-40 years behind every other industry we work in. The level of control and protection across very sensitive marine vessels is very, very low and the reason for creating this scheme is to bring the general level of security up to a good baseline level.”
Although precise figures are hard to come by, given the reluctance of companies to admit to falling victim, US-based security firm Naval Dome reported in 2020 that cyber attacks on maritime OT systems had increased by 900% in the previous three years, a figure that Oakton thinks is a conservative estimate and likely to be much higher.
“The number of vessels openly talking about having had an actual cyber breach where something significant has happened has grown enormously,” he comments. Moreover, the inherent transparency within the industry, and the availability of tracking platforms such as AIS, makes it particularly vulnerable. A number of outlets have suggested that a cyber attack may have been responsible for the container ship Ever Given losing power and grounding in the Suez Canal last year which, if correct, serves as a stark reminder of the potential impact.
Cargo shipping tends to be a particular target for cyber criminals and Oakton cites one incident in which the temperature controls for a shipment of bananas were tampered with and the goods spoiled by the time they reached their destination. However, even similar vessels can have very different threat profiles depending on the owner or management company and whether they are likely to be targeted.
Despite this, with existing cyber compliance standards there has been a tendency to put the cart before the horse and gauge the required level of security control on the basis of ship type without factoring in the specific risk of malefactors. “It's an important part of risk management, which is ultimately what IMO are enforcing,” he remarks.
A simpler solution
At the moment, the strongest interest in the scheme is coming from management companies and fleet owners that are seeking to demonstrate a reasonable level of control across multiple vessels simultaneously. In many cases, Oakton says, they have been looking for a cyber security solution for some time where the only options were either ad hoc consultancy, a formal security standard such as ISO 27001 (which can be difficult to achieve), or a class-specific cyber notation.
Of the latter, Oakton says that the feedback Infosec Partners receives from owners suggests the number actually seeking a class cyber notation is quite low. “Owners are concerned because they think it’s too complicated, too expensive, and they may not be able to achieve a pass. From an insurance perspective it doesn’t really fit because across each class society the cyber notations are wildly different; some are very complex and difficult to attain, others are really easy and not very valuable.”
“Because this baseline is common across all vessels, across all parts of the industry, it should help people as a first step to a cyber notation as then they know they’ve got the basics covered and can progress onto the next level.”
Reception to the scheme has been overwhelmingly positive, with many questioning why such an initiative wasn’t put in place sooner. “We’ve got a lot of our competitors in the industry saying ‘What did you do that for? It’s going to stop us from receiving consulting fees from clients we’d counted on for the next three years!’”
“We see that as a positive. There are a lot of third party service providers, who look after specific parts of the vessel under remote service contracts, feeling concerned because it’s shining the spotlight on them.”
More than 50 different companies and organisations were consulted during the development of the Maritime Cyber Baseline, including departments of NATO. But one of the strongest supporters has been the Royal Institution of Naval Architects itself.
“Infosec Partners have been working with RINA for nearly two years now, helping with internal systems and some educational meetings for members globally,” explains Oakton. “Ultimately RINA has a desire to help the industry improve and was keen to back it. Some of the resources that RINA have are far reaching and we can help spread the word to the membership.”
Commenting on the benefits of the scheme to members, RINA chief executive Chris Boyd adds: “The cyber baseline provides an accessible and affordable platform for many companies to understand the gaps and potential risk within their own vessel safety management system, moreover, to understand the pathway to compliance working within the IMO Maritime Cyber Risk Management guidelines. The Institution drives innovation, and we take cyber safety and security extremely seriously so it’s imperative that we champion leading initiatives that support the community and get ahead of the threat actors and the cyber criminals.
“Like many I was caught up in the mystique and noise surrounding cyber, so I wanted to cut straight to the point and understand what can be done to improve security for everyone, and the baseline offers a starting point. I look forward to receiving your feedback on the baseline and areas of support you’ve needed to achieve IMO MSC.428(98) cyber risk management compliance.”