GSN Digital Edition April 2016
Shipping industry’s Cyber Security guidelines to protect AIS navigation

BIMCO, the world’s largest international shipping association representing almost 60% of the world’s commercial vessels, in conjunction with CLIA, ICS, INTERCARGO and INTERTANKO*, has announced security guidelines for vessels involved in global shipping.

Potential cyber vulnerabilities have become a major consideration due to the growing complexities of onboard operations systems and their linking with many shoreside networks. Although vessels can control the cyber-security of their own systems, they have less cyber-control over the multiple communications necessary with outside organizations.

Real-time data flowing into and from a ship or onshore company opens up any system to attack. Navigation systems including GPS, AIS and ECDIS are extremely vulnerable to hacking, according to a June 2015 article in Marinelink.com. Now that AIS and ECDIS are mandatory for larger commercial and passenger vessels, there is an increased need for a focus on security measures. The same article cites an incident in 2014 involving the grounding of a US naval vessel in the Pacific Ocean that may have been the result of compromised software updates to its ECDIS charts. AIS position data can be transmitted incorrectly for security or fraudulent reasons, and in 2013 GPS data was “spoofed” to disorient the navigation system on a luxury yacht.

As described in the guidelines, an attack can range from using information gained regarding cargo confidentiality to achieving full control of a machinery management system resulting in financial loss or loss of life. The new guidelines categorize these threats by impact: low or limited adverse effect; moderate or substantial security breach; and high or catastrophic effect.

Unauthorized access or malicious attacks may have significant consequences for navigation, safety, environment, operations and trade in international shipping. The guidelines suggest approaches that will make ships more resistant to threats of any kind. The first step is an assessment of current operations and systems. A description of possible threats is included to raise awareness of the importance of cyber-security. Some of these threats include outside exploitation from activists, criminals, terrorists and espionage organizations. Inside weaknesses are also identified, such as innocent data breaches or intentional damage from disgruntled employees.

The guidelines include instructions on how to reduce the risk to the shipboard IT infrastructure as well as operations equipment connected to these systems. User and data management protocols are offered as well as a way to implement different levels of access based on users’ needs. Business-critical and commercially sensitive information needs a different level of protection than routine operating data.

Development of response, recovery, and contingency plans follows, along with protection and detection measures that can be taken. Configuration of network devices and satellite and radio communication is discussed.

Marinelink.com emphasizes the
More on page 41