Sunday, May 19, 2024

Be prepared: mandatory cyber-security requirements coming in July 2024


Gothenburg Port Authority and Stena Line are opening a new terminal in the port (source: Port of Gothenburg)

In just two months' time, new class requirements for the cyber resilience of newbuild ships and the integrated systems on them will be introduced.

A panel of industry experts highlighted the need to be prepared during Riviera Maritime Media’s webinar, "New mandatory cyber security requirements in 2024: How to keep your ship compliant". It was held, with sponsorship from Speedcast, on 26 April during Riviera’s Maritime Cyber Security Webinar Week.

Shipyards, designers, owners and vendors need to be ready for unified requirements (URs) from the International Association of Classification Societies (IACS), which enter into force in July 2024.

This is among the growing number of mandatory cyber resilience needs from international, regional and national authorities, experts from class, shipowners, satellite communications and cyber security explained.

On the webinar panel were Stena Rederi OT security officer and manager of cyber security, risk and compliance Fredrik Pihl, Speedcast product director Sandro Delucia, RINA cyber security expert Michael Vrettos and Cydome co-founder and chief operating officer Avital Sincai.

In their presentations, the experts covered the latest developments in maritime cyber-security regulations from bodies such as IMO, IACS, European Union (EU) and US authorities and how they will have profound implications and challenges for shipowners, operators, shipyards and the wider industry.


Mr Vrettos said IACS UR E26 covering the cyber resilience of ships, and UR E27 for cyber resilience of systems and equipment, are coming into force in July 2024. Both relate mainly to newbuilds where construction started in, or after, July for commercial ships of more than 500 gt designed for international voyages, for passenger vessels carrying more than 12 people and offshore drilling rigs and self-propelled units involved in offshore installations, accommodation and cable laying, etc.

Mr Vrettos said there are requirements for ship design, construction, commissioning and operations, meaning shipowners will need to keep documentation updated, especially if ships undergo retrofits and upgrades.

“There are requirements for designers, vendors, shipyards, owners and class,” he said. “Vendors need to develop systems in a secure way and provide documentation. Shipyards will be responsible for keeping diagrams and documentation in place.”

After the commissioning phase, documentation will be provided to owners “and have to be kept for the life of ship operations,” said Mr Vrettos. “Documents need to be kept on board and maintained.”

Mr Pihl agreed IACS UR E26 and UR E27 will impact ship design, construction and vessel operations, while other mandatory rules also affect ship operations and related infrastructure, such as ports and terminals.

Stena Group has multiple layers of cyber security, threat modelling, intelligence and prevention, vulnerability identification and management and risk assessments on its ships, ports and terminals.

It has encountered phishing attacks, attempted intrusions on its office IT and human errors resulting in cyber incidents. There has also been spoofing and jamming of the Global Navigation Satellite System (GNSS) and cyber attacks on booking and cargo management systems.

“It is important to have a holistic view on whole operations on the shore side,” said Mr Pihl. “And an understanding on what are the most valuable assets, then do risk assessments, show this evidence, work within regulations, and have an integrated IT and OT programme to visualise gaps in awareness and architecture.”

Shipowners and operators also need to undertake drills and exercises to practise reacting to cyber attacks and train people to close knowledge gaps.

“It is important to start doing assessments of valuable assets running operations and business on vessels and the shore side; to keep up to date with the threat landscape,” said Mr Pihl.

He said that on vessels, greater levels of connectivity and investment in crew wifi have led to seafarers bringing their own devices on board and opened IT systems to more online threats, increasing vulnerability and attack surfaces.

Mr Delucia said connectivity and digitalisation have become critical to ship operations with greater dependence on co-ordinated digital systems and applications. “The flow of data is the lifeblood,” he said.

Reliance on connectivity enables route optimisation, data-based decisions, increasing use of artificial intelligence, real-time monitoring, video conferences and cloud-based applications.

Communications come through hybrid networks and multi constellations, including low earth orbit (LEO) and geostationary satellites, mobile phone networks and port wifi networks. “There is a myriad of nodes and interconnected threads,” said Mr Delucia. “There are opportunities and challenges.”

The challenges include cyber attacks that result in denial of service or flood infrastructure with false data, clogged-up networks, ransomware attacks, encryption of data, blocked networks and no guarantee of resolution.


Human errors can lead to misconfigured APIs and files, incorrect file names, phishing and social engineering, while spoofing and blocking GNSS could cause accidents, said Mr Delucia.

“The response to these threats is legislation that can be challenging,” he said. Speedcast’s Sigma ecosystem involves remote edge devices at critical junctions in securing onboard IT networks with enterprise-grade security and virtual networks. Speedcast partnered with Cydome for security features to minimise cyber risk through satellite communications.

Ms Sincai said shipowners, operators and managers need a “360º approach” and to “be proactive in cyber security” due to evolving regulations.

In addition to the new IACS URs, there are new requirements coming from the European Union and US authorities. “The EU is harshening restrictions and the White House order emphasising cyber security is a gamechanger in the US,” said Ms Sincai.

The EU agency for cyber security, ENISA’s NIS 2 directive, requires owners and operators of critical infrastructure, including ports, to create the necessary cyber crisis management structure, increase security and reporting, introduce vulnerability management and cyber hygiene and increase their level of cyber security.

Under NIS2, maritime is classed as essential to EU member states, so there is a need “to establish and implement new procedures and demonstrate vulnerabilities,” said Ms Sincai.

If there is an incident, reporting is very important. There needs to be a preliminary report within 24 hours and a fuller report in 72 hours, otherwise “penalties will be strict; there would potentially be fines,” she added.

In the US, new executive orders increased mandatory restrictions in February 2024, enabling the “US Coast Guard to do searches, surveys, inspections, or take control and arrest ships if there is evidence of cyber incidents,” Ms Sincai continued.

Owners need to improve their reporting and prepare for potential inspections. They should automatically log anomalies and prepare to present these, along with evidence of visible monitoring of IT and operational technology (OT) on board ships.

With all these changes to regulations, owners, operators and managers “need to show they can detect and manage anomalies, protect IT and OT and respond and recover” from cyber incidents and security breaches.
