Cyber Security Analysis: Risks, Threats, and Countermeasures for Ships
Added on 2021/06/18
AI Summary
This report provides a comprehensive overview of cyber security risks and threats within the shipping industry. It highlights the increasing vulnerability of vessels and related infrastructure due to the expanded use of electronic data exchange and internet connectivity, including VSAT. The report categorizes cyber-attacks into untargeted and targeted attacks, detailing potential attack vectors such as malware and the motivations of attackers. It emphasizes the importance of proactive security measures, including internet filtering, firewalls, and security software. The report also discusses the need for increased risk awareness within the sector, the roles and responsibilities of ship officers and captains, and the importance of regular vulnerability assessments and penetration tests. It outlines several countermeasures, including IT-related hardware and software updates, removal of unapproved software, and the establishment of clear reporting procedures and consequences for security breaches. The report concludes by stressing the need for adaptability, continuous efforts, and the implementation of cyber-security standards across fleets.

Running header: CYBER SECURITY 1
Cyber Security
Name
Institution
Date

Risks and Threats
Critical and vulnerable onboard networks need updates and support over the Internet, because
vessel systems (such as the engine maintenance system and ECDIS) are often linked to it.
Companies, for their part, have created IT departments to support shore-based operations as
well as the needs of the managed vessels that require Internet communication and connectivity
(Clark and Hakim, 2017).
The expanded use of electronic information exchange increases the likelihood of cyber-attacks
in sophistication, variety, and frequency (Peckham, 2012). These might range from a USB stick
that introduces malware designed to obtain sensitive business data, to an email containing
specific ship data sent to unknown individuals, to the full-scale subversion of an
organization's shore-based information technology infrastructure, or the potential compromise
of systems on board ship (Amin and Giacomoni, 2012). The number of potential risk scenarios is
huge and continues to grow. Criminals use whichever hacking technique is most appropriate and
frequently direct it at particular targets (Kramek, 2013).
Cyber-attacks that can affect ships and companies are classified into two categories:
1. Untargeted attacks: A ship's or a company's data and systems are among many possible
targets (Fitton, Prince, Germond and Lacy, 2015). These attacks employ commonly available
techniques to locate known vulnerabilities shared by various vessels or companies.
2. Targeted attacks: A ship's or a company's data and systems are the intended target (Ryan,
Mazzuchi, Ryan, De la Cruz, and Cooke, 2012). These attacks employ more sophisticated tools
and technology specifically created to harm a particular target (vessel or company).
VSAT (Very Small Aperture Terminal) broadband gives vessels an uninterrupted connection to the
Internet, and so exposes them to the risk of attack (Stone, 2013). Consequently, and because
of the increase in cyber-attack cases all over the globe, the industry is being pushed to be
vigilant on this issue.
After malware has been introduced into a ship system or an Internet-connected computer, one
of its common actions is to open a covert outbound command channel (Egloff, 2015). The outcome
is possible exfiltration of information, network encryption, and several other severe
exploits. This kind of communication may not be recognized as a risk by ISP scanning or
antivirus.
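One way a defender can look for the outbound command channel described above when antivirus and ISP scanning miss it, shown as an added example that is not part of the original report: flag internal hosts that contact the same external address at near-constant intervals. The log format, the addresses, the onboard gateway and the thresholds are all constructed assumptions.

```python
"""Flag near-periodic outbound connections ("beaconing") in egress logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format, constructed for this example: ISO timestamp + key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample from a hypothetical onboard gateway (RFC 5737 addresses).
SAMPLE_LOG = """
2021-06-18T08:00:00Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:05:02Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:10:01Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:15:03Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:20:00Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:25:02Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:30:01Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:35:00Z src=10.10.1.23 dst=203.0.113.7 dport=443
2021-06-18T08:01:10Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:01:12Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:01:45Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:09:30Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:31:05Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:31:06Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:52:40Z src=10.10.1.40 dst=198.51.100.20 dport=443
2021-06-18T08:00:30Z src=10.10.1.23 dst=198.51.100.99 dport=123
2021-06-18T08:10:30Z src=10.10.1.23 dst=198.51.100.99 dport=123
2021-06-18T08:20:30Z src=10.10.1.23 dst=198.51.100.99 dport=123
2021-06-18T08:12:00Z gateway restarted
"""

def parse_line(line):
    """Return (epoch_seconds, src, dst, dport), or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts.timestamp(), m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_events=6, max_jitter=0.1):
    """Return flows whose gaps between connections are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps; interactive
    traffic is bursty and scores well above 0.1, a timer-driven check-in does not.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            flows[(src, dst, dport)].append(ts)
    findings = []
    for flow, times in flows.items():
        if len(times) < min_events:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({"flow": flow, "events": len(times),
                             "period_s": round(mean), "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f)
```

Legitimate timer-driven traffic (time sync, update checks, telemetry) also shows low jitter, so each finding is a lead to triage against the vessel's known destinations rather than a verdict.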
Possible attackers who might carry out a cyber-attack include criminals (to make a profit),
activists (to disrupt operations or damage reputation), opportunists (for the challenge), and
terrorists (for political gain).
Almost all cyber-crimes go through similar stages (Yang and Wei, 2013):
o Survey - Gathering data and devising the attack method
o Delivery - The tools to be used for the attack are delivered into the vessel's or company's
system
o Breach - Gaining access to the system
o Affect - The outcomes of the attack
Countermeasures Related to Cyber Shipping
It is important to be proactive; hence, a few security/preventative measures should be put in
place (Elazari, 2015). These are Internet filtering (for vessels that already have Internet
access), firewalls, standalone computers for sensitive data, and security software that locks
the computer and demands a password to unlock it (plus antivirus) (McNicholas, 2016). The
important thing is that awareness of the hazard of maritime cyber-attacks is growing
(Gottschalk, 2010). Nevertheless, the sector does not yet have a heightened level of risk
awareness. Since no major incident involving a vessel has been reported to date, many people
in the business are aware of the associated danger, but cyber incidents are mainly known as
onshore events, even though the number of cases affecting the shipping business has recently
been increasing (Rosenzewig, 2014).
The following are some potential countermeasures for cyber shipping:
o Ships' officers and captains have basic knowledge of cyber security, gained from experience
on board (Park and Bang, 2016). Many are comparatively knowledgeable and could be of great
help when needed, if they are given the right responsibility and instruction to assist the
shore-side person in charge of cyber security (Boyes, 2015).
Nevertheless, many officers and captains lack this know-how and require help to acquire an
understanding of, and confidence in, what is expected of them.
o Many systems are only capable of identifying and blocking known threats (Priest and Arkin,
2010). Regrettably, the rate of malware innovation is growing, zero-day activity is common,
and a strategy that depends entirely on a perimeter defense designed to eliminate known
threats will never be effective.
o Routinely perform vessel vulnerability assessments and penetration tests across sample
vessels in the fleet, rotating the vessels being sampled (Mathew, Al Hajj, and Al Ruqeishi,
2010). Combining one's own assessment with that of external cyber-security specialists is a
'good practice', as it will deliver a more useful evaluation.
o Outline the procedures, the policy, and the people responsible for vendor/service network
access. These should be made known to vendors so that they include them in their vessel visit
requirements (Fischer, Liu, Rollins, and Theohary, 2013). Vendors' emergency contacts should
be identified in advance for highly critical systems.
o IT investment in software and hardware updates for the fleet and the office is vital and
should be embraced at the earliest opportunity (Deibert and Rohozinski, 2010). 'Set and
forget' cyber-security programs based on software and hardware hardening have proven
ineffective in several international industries, offering a false feeling that all is well
with the world. Cyber-attack is an evolving danger that requires adaptability and continuous
effort (Burton, 2013).
o A program for upgrading onboard networks and computer systems according to their 'useful
life' (hardware) is generally unavailable for ships. Vessels have extremely outdated PCs,
containing unsupported software and operating systems (Yağdereli, Gemci, and Aktaş, 2015).
Additionally, unapproved installed software is a known risk and a key contributor to malware
and virus infections.
o All unapproved hardware and software should be removed from a vessel's networks and PCs, and
planned periodic checks should be performed as a means of maintenance and defense hardening
(Shackelford, Proia, Martell, and Craig, 2015). Since this is a hard task, there should be
designated team members in charge of cyber security on board, with a clear procedure for
reporting to the person in charge of cyber security ashore (Caponi and Belmont, 2015).
o Set clear and enforceable consequences for failure to follow policy or for a malicious act;
these should be included in the cyber-security plan (Jensen, 2015).
o A vessel management business has many diverse business relationships, scopes and types of
organization. It is advisable to put in place cyber-security standards that are given to every
ship manager/owner across fleets (Caponi and Belmont, 2015).
Bibliography
Jensen, L., 2015. Challenges in Maritime Cyber-Resilience. Technology Innovation Management
Review, 5(4), p.35.
Deibert, R. and Rohozinski, R., 2010. Liberation vs. control: The future of cyberspace. Journal
of Democracy, 21(4), pp.43-57.
Kramek, J., 2013. The critical infrastructure gap: US port facilities and cyber vulnerabilities.
Center for 21st Century Security and Intelligence.
McNicholas, M., 2016. Maritime security: an introduction. Butterworth-Heinemann.
Rosenzewig, P., 2014. International law and private actor active cyber defensive measures. Stan.
J. Int'l L., 50, p.103.
Fischer, E.A., Liu, E.C., Rollins, J. and Theohary, C.A., 2013. The 2013 cybersecurity executive
order: Overview and considerations for congress. Congressional Research Service.
Burton, J., 2013. Small states and cyber security: The case of New Zealand. Political
Science, 65(2), pp.216-238.
Yağdereli, E., Gemci, C. and Aktaş, A.Z., 2015. A study on cyber-security of autonomous and
unmanned vehicles. The Journal of Defense Modeling and Simulation, 12(4), pp.369-381.
Shackelford, S.J., Proia, A.A., Martell, B. and Craig, A.N., 2015. Toward a global cybersecurity
standard of care: Exploring the implications of the 2014 NIST Cybersecurity Framework on
shaping reasonable national and international cybersecurity practices. Tex. Int'l LJ, 50, p.305.
Mathew, A.R., Al Hajj, A. and Al Ruqeishi, K., 2010, June. Cyber crimes: Threats and
protection. In Networking and Information Technology (ICNIT), 2010 International Conference
on (pp. 16-18). IEEE.
Priest, D. and Arkin, W.M., 2010. Top Secret America—A Washington Post investigation. A
hidden world, growing beyond control: The government has built a national security and
intelligence system so big, so complex and so hard to manage, no one really knows if it’s
fulfilling its most important purpose: Keeping citizens safe. Washington Post, p.1.
Boyes, H., 2015. Cybersecurity and cyber-resilient supply chains. Technology Innovation
Management Review, 5(4), p.28.
Park, N. and Bang, H.C., 2016. Mobile middleware platform for secure vessel traffic system in
IoT service environment. Security and Communication Networks, 9(6), pp.500-512.
Gottschalk, P., 2010. Categories of financial crime. Journal of financial crime, 17(4), pp.441-
458.
Elazari, K., 2015. How to survive cyberwar. Scientific American, 312(4), pp.66-69.
Yang, C.C. and Wei, H.H., 2013. The effect of supply chain security management on security
performance in container shipping operations. Supply Chain Management: An International
Journal, 18(1), pp.74-85.
Egloff, F.J., 2015. Cybersecurity and the Age of Privateering: A Historical Analogy.
Stone, R., 2013. A call to cyber arms.
Ryan, J.J., Mazzuchi, T.A., Ryan, D.J., De la Cruz, J.L. and Cooke, R., 2012. Quantifying
information security risks using expert judgment elicitation. Computers & Operations
Research, 39(4), pp.774-784.
Fitton, O., Prince, D., Germond, B. and Lacy, M., 2015. The future of maritime cyber security.
Amin, S.M. and Giacomoni, A.M., 2012. Smart grid, safe grid. IEEE power and energy
magazine, 10(1), pp.33-40.
Peckham, C., 2012, November. An overview of maritime and port security. In Homeland
Security (HST), 2012 IEEE Conference on Technologies for (pp. 260-265). IEEE.
Clark, R.M. and Hakim, S., 2017. Protecting Critical Infrastructure at the State, Provincial, and
Local Level: Issues in Cyber-Physical Security. In Cyber-Physical Security (pp. 1-17). Springer,
Cham.
Caponi, S.L. and Belmont, K.B., 2015. Maritime Cybersecurity: A Growing Threat Goes
Unanswered. Intellectual Property & Technology Law Journal, 27(1), p.16.