Maritime Cyber Rules Coming in 2021 Are Outdated, Critics Say
Date: Thursday, July 18, 2019
Source: The Wall Street Journal
Tensions between the U.S. and Iran, introduction of automated vessels put shipping industry at greater risk
Hackers are finding the international shipping industry easy prey, experts say, owing to a combination of lax cybersecurity practices and ineffective regulation.
New cybersecurity rules are set to come into force in 2021 as an update to a maritime treaty, but the guidance is patchy and experts say that shipowners tend to apply cybersecurity standards unevenly. This can leave them exposed to attacks.
This problem is expected to become more acute as the maritime sector continues to explore artificial intelligence, automation and other emerging technologies, with the goal of deploying vessels that can roam the world’s oceans without human crews.
The first such vessel, the Yara Birkeland, operated by Norway-based chemical producer Yara International ASA, is scheduled to operate autonomously in 2020.
“The shipping industry is moving very rapidly toward an autonomous model,” said Michael Murray, general manager of cyber physical systems at BlackRidge Technology International Inc., which develops security software for the U.S. military and supply chain sectors. “It’s very possible this will lead to cyber pirates at some point taking over an autonomous shipping vessel in the middle of the ocean.”
The security of cargo ships is vital to the global economy. The world’s roughly 59,000 cargo vessels carried around 90% of global trade by the end of 2018, according to IHS Markit Ltd. and the International Chamber of Shipping.
But defenses remain weak, according to Andrew Kinsey, a former captain who is now a senior marine risk consultant at insurer Allianz SE’s global corporate and specialty business.
“There are companies that are being proactive, but there are many that are not,” said Mr. Kinsey, who spent 23 years in the U.S. Merchant Marine and Naval Reserve.
In February, hackers attempted to take over a cargo ship headed for the Port of New York and New Jersey, according to the U.S. Coast Guard. An investigation found the vessel’s cybersecurity defenses were practically nonexistent, raising questions about practices on other ships, the Coast Guard said in an alert last week.
The shipping industry has also been caught in the middle of tensions between Iran and the U.S. That has raised concerns about possible cyberattacks in addition to physical confrontations, which have included a U.K. warship training its guns on Iranian vessels last week in the Strait of Hormuz.
The International Maritime Organization’s new cybersecurity guidelines are scheduled to come into force in January 2021, aiming to protect ships from attacks.
While the guidelines are an important step, they already need to be updated, said Tom Kellermann, chief cybersecurity officer at security firm Carbon Black Inc.
“They don’t address the modern cybersecurity exposures created by mobility, applications and the cloud. There’s still more work to be done,” said Mr. Kellermann, a former chief information security officer at the World Bank.
The guidelines, drafted in 2016, single out the use of “memory sticks,” for instance, and don’t mention the cloud or artificial-intelligence systems prevalent today.
The International Maritime Organization guidelines are additions to the Safety of Life at Sea treaty, which counts 164 countries as signatories, covering 99% of the commercial shipping industry. The IMO has no enforcement powers; making sure the shipping industry follows the rules is up to individual countries, meaning that enforcement varies.
A spokeswoman for the International Maritime Organization said its recommendations are designed to be complementary to existing IMO guidance, rather than comprehensive instructions in their own right.
More detailed cybersecurity measures do exist, such as the Guidelines on Cyber Security Onboard Ships, produced by a consortium of industry trade associations, but these aren’t mandatory.
The issue of cybersecurity on ships has taken on new urgency in recent weeks. The incident described in the Coast Guard alert prompted it to scold shipowners over security practices and recommend a list of security measures.
Part of the problem is educational. Allianz’s Mr. Kinsey said that many ship crew members don’t understand basic cybersecurity requirements or how to manage threats.
“Without this rudimentary understanding, it is impossible to train crews or take actions to protect assets,” he said.