SAMI & IMCA MARITIME CYBER SECURITY WORKSHOP Development of cyber security guidelines Aron Sorensen, Chief Marine Technical Officer

Upload: garry-daniels

Post on 17-Jan-2016


TRANSCRIPT

Page 1

SAMI & IMCA MARITIME CYBER SECURITY WORKSHOP

Development of cyber security guidelines

Aron Sorensen, Chief Marine Technical Officer

Page 2

BIMCO at a glance

• Founded in 1905 - 2,300 members in around 130 countries

• Membership – includes shipowners, operators, managers, brokers and agents

• Developing industry standards, and providing quality technical information, advice and education

• Advocating the opinion of our members at IMO, ISO, IALA, IHO etc.

WWW.BIMCO.ORG

Page 3

Today’s Cyber presentation

• Background for industry guidelines

• What to consider and what not to do

• Risk based guidelines

Page 4

BIMCO’s work

• In 2013, the BIMCO Executive Committee highlighted the importance of cyber security

• 2013 – 2014 Information gathering

  • with the view to deal with cyber security needs and challenges in the maritime sector

• In March 2014, cyber security added to the agenda of the Marine Committee and the Security Committee

  • Decided to develop industry guidance on cyber security for ships

Page 5

Risks on board ships

Insiders introducing malware by storage devices etc.

Outdated software

Remote attacks by criminals

Lack of software and system monitoring

Lack of access-control for computers and networks

Unprotected or badly designed hardware and networks

Page 6

Ships are vulnerable to cyber attacks

• Ships chartered to 3rd party operators

• The Shipowner does not have control over the IT systems required by the charterer

• Historically ships have been offline

• Today cyber security cannot be “controlled” through avoidance of connectivity

• Critical data pertaining to cargo is passed through numerous land-side entities

• Penetration of just one entity can result in any data element being compromised

• A high reliance on IT systems related to safety

• ECDIS and satellite receivers make a ship susceptible to either penetration or jamming

Page 7

Attacking a ship will not stop world trade

• A ship is an independent unit and a cyber attack may compromise safety of that ship, the marine environment and to some extent, the business continuity of the owner

• To a large extent the crew will use the same contingency plans as for any other emergency if the ship is compromised

Page 8

Agility needed

• Cyber attack techniques develop constantly so mitigating measures will also have to change constantly

• IMO regulation would be too slow

• Type approval of software is not the way forward, as it is a static process

• We see industry best management practice as the way to cope with cyber security

Page 9

Special attention

• Cyber security should be carefully considered:

  • When taking over a new building and buying used tonnage

  • In connection with on-board software maintenance

  • When dealing with an always open on-line connection

Page 10

It starts during construction of the ship

• Producer should have a QA system for software lifecycle activities, which specifies cyber-security considerations

• Ships’ networks should be configured to have controlled and uncontrolled networks

Page 11

Risk based approach needed

• Some organisations, ships and systems may be more at risk than others, depending on the type and value of data stored

• To manage risks, ships’ personnel and owners should understand the probability for an event to occur and the resulting impact

Page 12

The Industry Guidelines on Cyber Security on board Ships

• The guidance to ship owners and operators includes how to:

  • minimize the risk of a cyber-attack through user access management

  • protect on board systems

  • develop contingency plans and

  • manage incidents if they do occur

Page 13

Cyber mitigation

Technical

Training and awareness

Remoteness

Procedures

Page 14

IMO process started

• At MSC 94 (November 2014), USA and Canada recommended development of voluntary guidelines for ports, ships, and other parts of maritime transportation system

  • BIMCO informed that we were working on guidance for shipowners and crew on operational aspects of cyber security on-board ships

• Update paper by BIMCO, ICS, INTERTANKO and INTERCARGO submitted to MSC 95 (June 2015)

  • Includes the scope of the industry guidance on cyber security for ships

  • Intention to present the finalized guidelines to MSC 96

Page 15

Related work

• Working with CIRM since 2013 on a draft industry standard for Maintenance and update of programmable electronic systems

• The cyber work and the CIRM work are interrelated and coordination is essential

• Industry stakeholders should develop, manage and update computer-based systems onboard ships in a secure way

Page 16

Conclusions

• Awareness needed in the industry

• Ships are exposed to cyber-threats calling for a risk based approach

• Industry Guidance will be submitted to MSC 96

• Cyber crime is developing all the time and we need to keep up

• Cyber security considerations should start at the software production stage and cyber robustness considerations should be made when the ship is constructed

Page 17

Questions?