Recent cyber attacks to the US Government, the IMO, Maersk, amongst others has caused the world to pay attention to criminal cyber activities by foreign states, terrorists, and criminals. The cyber attack against CMA CGM shut down services for close on two weeks. Two days later, on October 30th the IMO was held hostage by a cyber attack. These attacks follow attacks earlier this year against MSC and COSCO.
As of January 1, 2021 all vessels that have a safety management system must address cyber security in order to maintain ISM certification. The IMO guidelines for cyber security can be found in MSC-FAL.1/Circ.3. This high-level guidance is just the foundation for a proper cyber security program for owners/operators. The circular highlights the importance of protecting vulnerable systems such as:
- Bridge systems;
- Cargo handling and management systems;
- Propulsion and machinery management and power control systems;
- Access control systems;
- Passenger servicing and management systems;
- Passenger facing public networks;
- Administrative and crew welfare systems; and
- Communication systems.
The thought of having cyber security responsibilities can be chilling to some and burdensome to others. Personally, whenever I think of cyber security I think of some college kid in their parent’s basement trying to get the password to my bank account, which is incidentally empty. Or Even better, Matthew Broderick in War Games. The truth is that hacking scenario, while it still exists is not the predominant cyber crime in the world today. Cyber crimes may be conducted by organized crime, nation states, terrorists, or industrial espionage. On the other side of the fence are the “white hat” hackers whose responsibility and job it is, is to find the weak links in a corporate cyber security chain. They expose weaknesses without exploiting them.
One does not need to be versed in code and hacking to be an efficient cyber security officer. Cyber security is as much about the protection of the system through the hardware as it is through the software. To demystify this field, I checked in with Cyber Security Specialist Cliff Neve, who retired from the USCG Cyber Security unit.