Cyber Pirates on Board

I, Robot – 2004 film adapted from short-story of American author Isaac Asimov has an interesting scene. Two detectives are talking in front of the interrogation room, and we are hearing this dialogue among them:

– I guess we’re gonna miss the good old days.
– What good old days?
– When people were killed by other people.

In this story, the theme is about robots which start to take place of humans. Well, in the future, will seafarers be replaced by technology?

Although we can’t talk about the autonomous ship for today, it is possible to talk about autonomous ship projects. One of which is Yara Birkeland. On the one hand, it makes many people excited. On the other hand, each seaman who heards this project is disturbed. Given that seafarers might lose their jobs onboard, they are opponents of autonomous ships as well as autonomous ship projects. Of course, several concerns are existing for autonomous ships. I strongly believe that one of them keeps developers up, as well: Cyber Attacks!

Close your eyes and imagine: You are in a forest. You don’t have a phone, compass, computer, and such. You cannot call anybody. You cannot know your location. What would you feel? The seafarers could face similar feelings as a result of a cyber attack. But the environment is different. Not in a forest, in the middle of an ocean! In the middle of high waves!

Cyber attacks not only for autonomous ships but also for conventional vessels are crucial. Cyber security has climbed to the top of the priority list in the maritime industry, owing to both academic research and targeted or untargeted attacks. Several scientific studies published have unveiled the vulnerabilities of different navigational equipment. There are also cyber attacks, which are reported in the international press. As a result of the virus infection, Maersk, a Danish shipping company, has incurred an estimated economic loss of around 300 million dollars. GPS systems of 20 vessels showed inaccurate locations off the coast of Novorossiysk, Russia. South Korea has reported a GPS attack, in which around 280 ships were affected. They lost their position. The attackers controlled the navigation systems of a very large container ship on a route from Cyprus to Djibouti for 10 hours. These are only a few examples of cyber attacks that have been carried out and reported in the media.

International Maritime Organization (IMO) is the major organization in the maritime industry and serves under the United Nations. The rules and requirements published by the IMO are in force all around the world. Advancing technology, autonomous ship plans, academic studies performed, and experienced attacks have put IMO into action. A detailed circular was published including cyber risk, mitigation measures, recommended guidelines, and so on. According to this circular, The essential systems which may be affected from a potential cyber attack in a ship can be listed, as follows:

• Navigation systems
• Engine and power systems
• Cargo system
• Passengers systems
• Communication systems
• Security system
• Crew system

The IMO didn’t stop and decided to be mandated shipping companies to make a risk assessment against cyber threats onboard ships. Therefore, the shipping companies started to be inspected for stated risk assessment requirement by responsible parties as of 02 January 2021.

The IMO is not alone to take serious cyber risks in the maritime industry. The OCIMF (Oil Companies International Marine Forum) and the CDI (Chemical Distribution Institute), both of which are crucial to the commercial life of tanker operators. They offer accreditation for tankers. A similar accreditation mechanism is available for dry cargo vessels, as well. The Rightship provides a remarkable vetting service. Rightship is a privately held corporation, whereas OCIMF and CDI are non-profit organizations. In the background, however, are giant corporations known as Major Oil Companies, such as BP and Shell, and Chevron, and these corporations desire to put an effective tanker control mechanism in place. In addition, OCIMF has the title of “Consultative Status” granted with IMO. Unless a ship operator is accreditated by such organizations, finding cargo to carry could be hard. Accreditation relies on inspection performance in the company office and onboard ship. Yes! Other than international requirements, these organizations have their own requirements, and you must be successful in order to get accreditation.

OCIMF, CDI, and Rightship introduced cybersecurity-related criteria in the latest questionaries. When questions are viewed of such organizations, it becomes clear that a risk assessment for cyberattacks, ship crew training, preparation of an emergency response plan, and service reports related to software or hardware are all critical factors. Moreover, the blockage of ports in the computers (e.g., USB) are asked against unauthorized access.

States started to get precautions against cyber threats in the maritime industry. Maritime Cybersecurity Operations Centre was founded by Singapore in 2017 to respond to cyber incidents in Singaporean waters. Moreover Singaporean fleet may get assistance regarding cyber threats all around the world. Therefore training and research activities have been performed in the center. In addition to Singapore, Denmark established Danish Maritime Cybersecurity Unit in 2019. The main objective is to ensure that cyber safety on board Danish fleet and cyber safety in Danish waters.

Class societies inspect the vessels as per international requirements. Moreover, they issue specific certificates other than international requirements according to their own criteria. These certificates are called class notations and may offer tax deduction and reputation. Moreover, charterers who rent vessels, might request a specific notation. Several class societies, such as DNV (Norwegian), ClassNK (Korean), and ABS (American) started to offer class notations for cyber security.

Companies in the maritime industry have already taken seriously cyber risks because of faced cyber incidents. That’s why they also started to take their own precautions. For instance, Royal Caribbean which is a well-known cruise company, established a maritime cyber security department to reduce cyber risks onboard. ABB Marine is another well-known company that offers marine products and maintenance services to ship owners. A cyber security laboratory was opened to answer the necessities of their customers. Norma Cyber was founded in 2020 by the Norwegian Shipowners’ Association and Norwegian Shipowners’ Mutual War Risk Insurance Association. Norma Cyber targets to be a leading center for cyber security in the Norwegian maritime sector.

Universities in the world don’t sleep, too! Research groups are existing. Several research projects have been conducted at the universities consisting of NTNU, TalTech, Plymouth University, Rijeka University, World Maritime University, California State University, and so on.

As it is seen, the maritime industry with all stakeholders including intergovernmental organizations, class societies, universities, shipping companies, maritime associations, vetting societies, and so on work against cyber risks. Because every partner in the maritime industry has the concern of such a potential dialog.

– I guess we’re gonna miss the good old days.
– What good old days?
– Somalian pirates instead of cyber-pirates. At least, we could notice them before joining onboard.

19 December 2021

0 responses on "Cyber Pirates on Board"

Leave a Message

About Cyber Onboard

The subject focus is cyber security in the maritime industry. It publishes latest news and cyber incidents in the shipping sector. Moreover, it provides various trainings via distance learning.

A platform in shipping for Cyber Security.

Certificate Code

All rights reserved.