Could your vessel be a potential target for a cyber attack? If you’ve got equipment with network connections on board, then the short answer is yes. Here are eight clever tips you can follow to help protect your vessel and your business from hackers.
Maritime cyber security is something you need to take seriously whether you’re operating a small fishing craft with a single navigation screen or a super tanker or cruise liner with a vast array of electronics on the bridge. With maritime technology advancing at a rate of knots, the cyber security risks will only continue to grow as more and more equipment onboard ships is connected to a data network.
Here are eight clever tips that will shore up your maritime cyber security defences and protect your business.
If your vessel has been sailing for several years it’s probably had new connected equipment installed, or you might have upgraded or replaced some systems. These new or upgraded equipment or systems likely use some sort or software or data connection.
A good starting point for assessing your cyber security risk level is to make and maintain a list of what was installed on your vessel and when. This is a good starting point to build an accurate picture of where you stand and what action you might need to take to protect your vessel. For example, is there some equipment with a specific version of software that hasn’t been updated recently?
If you don’t know what software version you’re using you won’t know if you need to take action or not to address potential security vulnerabilities.
It’s essential to know how connected your vessels are because the more connections, the greater the risk. Think of a house with multiple doors and windows: the more you leave open or unlocked, the greater the chance of someone gaining entry.
You might have data connections to OEM vendors for remote monitoring or troubleshooting, or to maintenance partners for data-driven maintenance planning. Or perhaps your vessels are connected to your own shore networks for fleet management purposes.
You need to know how these connections are set up and maintained to build an accurate picture of your level of cyber security risk. You’ll then know how many doors and windows you have and how good the locks are at keeping unwanted visitors out.
The International Association of Classification Societies (IACS) has adopted two new Unified Requirements (UR) on maritime cyber security. If you contract a newbuild vessel on or after January 1, 2024, it will need to comply with these requirements. Some of the responsibility lies with you and the shipyard, and some with the equipment vendors who supply the equipment for your vessel.
UR E26 sets out maintenance requirements for vessel owners and requires yards to work with vendors to make sure they select compliant equipment and can pass the necessary inspections.
Meanwhile, UR E27 impacts component manufacturers like Wärtsilä, who must provide certification to prove that their products and solutions comply with the requirement.
It’s important to account for cyber security in the procurement phase when building vessels or purchasing equipment. This means specifying the cyber requirements for what you’re buying – essentially how secure you need it to be. You also need to know your responsibilities – simply buying the most affordable option and hoping for the best won’t suffice.
A cyber security management system (CSMS) is a set of systems and processes that tells everyone in your organisation – right down to the very last employee – what they need to do, how to do it and when they need to do it. A CSMS covers everything a vessel owner needs to do, from updating equipment to tracking what’s onboard. Having such a CSMS has been an industry requirement for a couple of years now and will help to clarify your approach and better protect your business.
No two vessels, markets or use cases are the same. Factors like the challenges of your operating environment, the age and connectivity level of your fleet and the sizes of your crews can create unique risks for your vessels. For this reason, you need to understand your own situation so that you can stay cyber secure. Perform a risk analysis for each of your vessels so you can see where you stand. You can then plan what changes you need to make to beef up your cyber security.
According to statistics from Verizon 80% of hacking incidents are caused by stolen and reused login information. The power generation industry got an unpleasant wake-up call way back in 2012 when the Stuxnet malware attack devastated Iran’s nuclear facilities. No-one in the maritime industry wants an event like that.
Adopting best practices like network monitoring and password and user account tracking and management is therefore a must. These practices have been commonplace in the IT and power generation industries for years.
When working with OEMs and yards, you need to know that they’re aware of and understand the risks and are designing their equipment and services accordingly. A great tip to help you to ensure you’re buying from reputable vendors is to look for third-party recognition in the form of certifications or awards as these demonstrate how potential suppliers measure up in terms of their cyber security credibility.
Learn why certifying information systems and products is even more important in times of economic turmoil in our article: Who do you entrust your business-critical assets to?
As a vessel owner, you bear the ultimate responsibility for following the required standards and continuously updating your vessel systems to make sure you comply with the regulations. Following these eight tips will put you on the right track towards more cyber secure operations. For full peace of mind partnering with an OEM like Wärtsilä could be the best option.
Our equipment both meets and exceeds the current regulatory requirements, and as a larger OEM our specialised team has an in-depth combination of maritime and cyber security knowledge. This means we are well placed to advise you on what you need to do to stay compliant and safe over the long term.
Looking for the best protection for your internet / network connected vessels? Learn more about Wärtsilä’s cyber security services.
This article is based on an interview with Wärtsilä’s Director of Maritime Cyber Security Matti Suominen.