Cyber Security in the Maritime Industry: -Legal Perspectives and Management Strategies-

Av. Cem CONGAR

Introduction
The maritime industry, as a vital component of international trade, has witnessed a growing prevalence of cyber threats. The digitization of ship and port operations has led to an increase in the number and complexity of cyber threats. 

BIMCO (Baltic and International Maritime Council) is a significant organization that establishes various standards and guidelines for the maritime industry. In recent years, BIMCO has placed significant emphasis on the issue of cyber security. BIMCO's guidelines and rules on cyber security have been established with the objective of ensuring that ship operators and interested parties are protected against cyber threats.

It is of paramount importance for the maritime industry to prioritize cybersecurity, as it directly affects operational efficiency, the prevention of financial losses, and the protection of human life. The functionality of digital systems utilized in maritime operations, including ship voyages, port operations, and supply chain management, may be compromised as a consequence of cyber-attacks. Such incidents can result in significant economic losses and operational disruptions. Moreover, attacks on the control systems of ships can potentially compromise the safety of the crew and the environment.

Cyber Security in the Maritime Industry
The key point regarding BIMCO's cyber security rules and guidelines is the Cyber Security Management Plan (CSMP). It is a regulatory requirement that every ship be equipped with a cyber security management plan. The plan should encompass the measures and procedures to be implemented for the ship's operational systems, networks, data, and information management. In addition, the CSMP should include training and awareness programs for both onshore and offshore personnel. It is recommended that regular cyber risk assessments be conducted and that appropriate security measures be taken in line with the results of these assessments. The risk assessment is employed to ascertain the susceptibility of both the ship and the company to cyber threats.

The maritime industry places a high degree of importance on cyber security, as it is directly related to the safety of ships, cargo, and personnel. In the context of maritime cybersecurity, the term "IT" (Information Technology) and "OT" (Operational Technology) systems refers to the protection of digital and operational systems, respectively, against unauthorized access, manipulation, and disruption. While information technology (IT) systems facilitate communication and data flow between the ship and shore offices, operational technology (OT) systems regulate the physical operations of the ship. Consequently, the security of both systems is of paramount importance.

The maritime industry is confronted with a plethora of cyber threats. These include malware, ransomware, social engineering attacks, denial of service (DoS) attacks, and data breaches. Malware can infect ship systems, resulting in operational disruptions and data leakage. Ransomware can render ship and port systems inoperable and demand ransom from businesses, potentially leading to operational shutdowns. Social engineering attacks can result in the compromise of critical information by misleading crew and personnel. Denial-of-service (DoS) attacks can target ship and port systems, resulting in the disruption of services and difficulties in accessing these systems. Data breaches can result in financial losses and reputational damage due to the unauthorized access of sensitive data.

BIMCO's cyber security rules provide a comprehensive framework for the protection of ship owners, operators, crew, and all interested parties. The objective of these rules is to safeguard ships and maritime operations in the context of digital transformation and the intensifying cyber threats facing the maritime industry.

Cyber Incidents and Risks
The maritime industry is susceptible to a variety of cyber incidents, which can occur in a number of ways.

Corruption of electronic chart data may occur in a number of ways. The corruption of the chart data stored in the Electronic Chart Display and Information System (ECDIS) may result in the ship navigating on the incorrect course.

Another potential avenue for infection is the use of an infected USB drive. The use of an infected USB drive during software maintenance can result in system failures and data loss.

GPS Manipulation: The loss or manipulation of Global Positioning System (GPS) data can result in significant issues with the positioning of ships.

Phishing Attempts: The use of phishing emails to deceive the crew can result in the theft of sensitive data and the infiltration of malware into ship systems.

Sabotage of Operational Systems: The impairment of critical operational technologies, such as navigation and cargo monitoring systems, may compromise the ship's navigation and cargo carrying capacity.

Existing Vulnerabilities and Management Strategies
The maritime sector is confronted with a multitude of challenges, including the utilisation of antiquated and obsolete systems, the involvement of a multitude of stakeholders, and the necessity for remote access. In light of these considerations, it is recommended that companies adopt the following management strategies:

In the context of a multi-stakeholder environment, it is necessary to consider the involvement of various stakeholders and the potential challenges that this may present. Given the multitude of stakeholders involved in the operation and chartering of a vessel, there is a risk of a lack of accountability for IT and OT system infrastructure and vessel networks.

Legacy Systems: The utilization of IT and OT systems that are no longer supported or based on legacy operating systems is a prevalent phenomenon.

Remote Access and Monitoring: The remote monitoring and access of shipboard equipment by manufacturers or support providers renders it susceptible to cyber-attacks.

Comprehensive Cyber Security Policies: Such policies should include measures to protect against cyber threats, incident response plans, and regular risk assessments.

Training and awareness programs are essential for ensuring the security of shipboard IT and OT systems. It is imperative that all personnel on board the vessel receive regular training and information on the subject of cyber security.

Technical and procedural security measures are essential for the protection of shipboard equipment. It is imperative that advanced technological solutions and security protocols be implemented in order to minimise the potential for security vulnerabilities.

Maritime Cyber Security and Legal Obligations
The maritime industry is characterized by a multitude of technological and operational systems, which necessitates the implementation of cybersecurity measures to safeguard these systems from unauthorized access, manipulation, and disruption. The International Maritime Organization (IMO) is a pivotal organization in the establishment of maritime security standards, and the IMO has mandated that all ship operators incorporate cyber risk management into their security management systems by 2021.

The IMO requires the maritime industry to integrate cyber risk management into security management systems. These regulations require ship owners and operators to assess and manage cyber security risks.

EU General Data Protection Regulation (GDPR): In addition, cybersecurity should be considered in the context of the EU General Data Protection Regulation (GDPR) and similar international regulations. Such legislation increases maritime companies' obligations to report data breaches and notify affected individuals.

Implementation Strategies and Recommendations:
In order to ensure cyber security in the maritime industry, a number of measures should be taken. Firstly, training crew and personnel on cyber security and increasing their awareness can help prevent social engineering attacks. Secondly, regularly updating the software of ship and port systems ensures that security gaps are closed. Thirdly, strong firewalls and up-to-date anti-virus software can prevent malicious software from infiltrating systems. Finally, encryption of sensitive data can reduce the impact of data breaches. Furthermore, the preparation and regular testing of emergency plans to be implemented in the event of a cyber-attack ensures that operational disruptions are minimised. In the future, various trends in the field of cyber security in the maritime industry stand out. One such trend is the increasing use of artificial intelligence and machine learning-based systems, which can offer more effective solutions for detecting and preventing cyber threats. Another trend is the growing use of blockchain technology, which can provide more secure and transparent solutions in the field of supply chain and data security. The advent of quantum encryption techniques promises to elevate data security to a new level, potentially rendering existing encryption methods obsolete. As the use of autonomous ships proliferates, the cyber security needs of these vessels will become increasingly complex.

To ensure the cyber security of the maritime sector, it is imperative that companies implement the following strategies:

It is of the utmost importance to create emergency plans to detect and respond to cyber incidents. These plans ensure a fast and effective response to cyber attacks.

Regular risk assessments should be conducted by companies to identify and assess their cyber security risks. In turn, these assessments should inform the updating of security policies in line with the identified risks. Security protocols such as data encryption, multi-factor authentication, and network segmentation should be employed to enhance the security of systems.

Regular Audits and Updates: Regular audits and updates of IT and OT systems play a pivotal role in mitigating cyber security risks. Regular updates of software and hardware systems play a crucial role in protecting against cyber threats.

Case Studies and Analyses
Some important cyber incidents encountered in the maritime sector and the responses to these incidents emphasise the importance of cyber security measures:

•    Worm Incident: A ship was equipped with a power management system that could connect to the internet during software updates and patching. During security scans by the company's IT department, a dormant worm was detected. The worm could have been activated when connected to the internet, leading to serious consequences. This incident highlights that even air-gapped systems can be compromised and the importance of proactive cyber risk management.

•    Ransomware Attack: Ransomware infected a ship's main application server, causing a complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server, leading to the loss of sensitive data. The root cause of the infection was a weak password policy. To rectify the incident, the company implemented a strong password policy and disabled undocumented users.

For the maritime industry, the necessity of cyber security extends beyond the technical realm to encompass a comprehensive risk management process. An efficacious cyber security strategy must be accompanied by technological investments, as well as legal and operational arrangements. This approach will enable the maritime industry to become more resilient to cyber threats and enhance the security of international trade. BIMCO rules and other international regulations provide guidance to ship owners and operators on the management of cyber security risks. An effective cyber security strategy should be supported by technological investments, as well as legal and operational arrangements. This approach will enable the maritime industry to become more resilient to cyber threats and enhance the security of international trade.

In conclusion, the issue of cyber security in the maritime industry is becoming increasingly important with the advent of digitalization. The maritime industry can enhance operational efficiency and mitigate economic losses by implementing proactive measures to address cyber threats. Training, technology utilization, and continuous improvement are essential for the maritime industry's success in cyber security. In the absence of cyber security measures, the maritime industry will inevitably face significant risks and losses. Consequently, the effective implementation of cyber security strategies is of paramount importance for the sustainability and security of the maritime industry.