Ship classification society sets out fresh audit requirements for securing the maritime attack surface

UPDATED ClassNK, the ship classification organization, has revised its guidelines for bolstering oceangoing vessels’ cybersecurity during their design and construction.

The Tokyo-based non-profit has updated the framework for evaluating and mitigating cyber risks in line with the ISA/IEC 62443 industrial control systems standard and the latest recommendation on cyber resilience for new ships from the International Association of Classification Societies (IACS).

The second edition of the ‘Guidelines for Designing Cyber Security Onboard Ships’, which supersedes the first version published in March 2019, also introduces a ‘CybR-G’ certification and associated audit requirements, according to a press release issued earlier this month.

The guidelines are aimed at anyone responsible for implementing security controls for network-connected, on-board systems.

The recommendations reflect growing concern within the maritime industry that the increasing connectivity of seafaring systems, combined with aging, unmanaged networks, is fuelling a rise in disruptive cyber-attacks against the sector.

Cyber-attacks against the industry’s operational technology (OT) systems have soared by 900% over the last three years, with 2020 set to be another record-breaking year, according to research from Israeli security firm Naval Dome.

Security breaches have crippled operations at a US maritime facility, shipping company MSC, and Iran’s Shahid Rajee port this year.

Control measures framework

The new guidelines state that system integrators must perform a risk assessment on a ship’s on-board systems and propose and implement security controls to remediate risks.

These control measures can include fixing security vulnerabilities, network segmentation, and isolating critical systems in “essential network security zones” that block “unwanted communications”.

The observations of one leading shipping security expert suggest that initiatives to make ships secure by design are long overdue.

“Ships are highly complex OT and IT environments featuring technology from suppliers with a highly varied approach to security,” Ken Munro, founder and partner at UK security outfit Pen Test Partners, told The Daily Swig.

“Integrated bridge systems with unchangeable, simple passwords on network services are not uncommon. Unmanaged remote access by engine and other tech providers is also not uncommon.”


RELATED Maritime telecoms giant patches SQL vulnerability


Integrators are also instructed to diagrammatically map all network connections and evaluate the criticality of all on-board hardware and software.

The CybR-G notation is subject to passing an initial audit, annual audits thereafter, and additional audits when a system is damaged or modified.

First covered by The Daily Swig in 2018, the guidelines and certification scheme, along with separate advice focused on software and cybersecurity management, have emerged from ClassNK’s Cyber Security Approach (PDF), which prescribes a layered approach to cybersecurity.

The most important changes to the guidelines in terms of improving the cybersecurity posture of seafaring vessels are the cybersecurity notation, which was introduced in response to demand from shipowners, and the incorporation of IEC62443 requirements, a spokesperson for ClassNK told The Daily Swig.

“ClassNK envisages ships’ cybersecurity, at the application of information technology utilizing cyberspace on operation technology of ships, as ensuring [that] navigational safety is not hindered by [a lack of] cyber resilience of [the] onboard equipment, onboard network, and cybersecurity management system,” they added.

Skills gap

But Munro, who has previously demonstrated the pitfalls of out-of-band management in the maritime sector and how to take control of a ship’s satellite communications system, feels the guidelines will be undermined by a dearth of maritime-specific cyber skills.

“It’s great to see standards emerging around vessel cybersecurity,” he said. “However, there’s a significant lack of skills in this space, so any assessment is likely to be checklist-based.


READ MORE Spanish state railway company Adif hit by REvil ransomware attack


“We’ve tested vessels fresh out of the yard and found their security to be much better than those in service for a few years, but still not secure enough that we couldn’t compromise them. Checklists won’t find the variety of issues we keep finding – they might resolve casual attacks, but more targeted attackers are likely to succeed.”

He also thinks a checklist-based approach is too simplistic.

“Typically, a ship either meets class society rules or it doesn’t – either ‘in’ or ‘out’ of class,” he explains. “Cyber is more about shades of grey.

“This also presents issues for maritime insurance,” he adds, because “cyber security isn’t binary – a ship is never ‘secure’, so how should the underwriter assess risk meaningfully?

“I don’t think it will be long before we see a ‘cyber’ certified vessel being compromised.”

Earlier this month, ClassNK also announced that it was joining MTS-ISAC, the maritime threat intelligence sharing organization, with an eye on the fast-approaching deadline for complying with new cyber risk regulations devised by the International Maritime Organization (IMO) coming into force in January 2021.

The new guidelines are available to download on the ClassNK website.


This article was updated on September 2 with comments from ClassNK.


RECOMMENDED When the screens went black: How NotPetya taught Maersk to rely on resilience – not luck – to mitigate future cyber-attacks