Maritime certification scheme has been welcomed by experts, but satcom security must not be an afterthought

Ship classification organization ClassNK has partnered with TÜV Rheinland to develop a new cybersecurity certification scheme for the maritime industry.

The collaboration, outlined earlier this month, aims to address the current and future cybersecurity requirements of the industry, which is currently experiencing a rapid digital transformation.

Tokyo-based ClassNK said it will initially team up with TÜV Rheinland to work on cybersecurity guidelines that target onboard software currently being developed by the organization.

The partnership will then be widened to bring “efficient and pragmatic” cybersecurity certification services for ship operators, ship owners, ship managers, equipment manufacturers, and maritime software suppliers.

Providing more detail in a joint statement to The Daily Swig this week, TÜV and ClassNK said: “During the last few years, a number of developments in the area of ICS, operational technology, and software have dramatically changed the way ships, harbors, rigs, and navigation systems operate and communicate.”

According to the organizations, the certification scheme is intended to help the maritime ecosystem move towards “a degree of cyber assurance and resilience” ahead of new maritime cyber risk regulations, which come into force in 2021.

Although the certification program is still under development, ClassNK and TÜV said they will take into consideration the following cybersecurity best practices that were recently published by the International Association of Classification Societies:

1. Recommended procedures for software maintenance of shipboard equipment and systems
2. Recommendation concerning control capabilities for software dependent machinery systems
3. Contingency plan for onboard computer based systems
4. Network Architecture
5. Data Assurance
6. Physical Security of onboard computer based systems
7. Network Security of onboard computer based systems
8. Vessel System Design
9. Inventory List of computer based systems
10. Integration
11. Remote Update/Access
12. Communication and Interfaces

“All of the above areas have a critical role to play when it comes to assessing and reviewing cybersecurity posture of a ship,” the companies stated.

Navigating troubled waters

The maritime cybersecurity certification scheme comes at the tail end of another troublesome year for the seafaring industry.

Aside from the data breaches and ransomware attacks that are now an all-too common occurrence, impacting shipping operations globally, researchers have highlighted the many inherent weaknesses within vessels’ onboard communication systems.

In February, Navarino Telecom issued a hotfix to its network of maritime bandwidth optimization devices, after a security researcher discovered a vulnerability that could lead to a “total compromise” of a ship’s VSAT system.

Elsewhere, UK-based Pen Test Partners has continued to highlight numerous shortcomings found within critical maritime systems.

This year alone, the company demonstrated how it was possible to hijack admin rights on a ship’s satellite communications (satcom) terminal, intercept and modify serial data on ship networks, and take control of AIS messages.

‘Basic’ satcom issues need resolving

Ken Munro, partner and founder of Pen Test Partners, said the new maritime cybersecurity certification is a step in the right direction, but he said the program’s authors must place satcom security at the top of their list of priorities.

“The problems with maritime cyber are very, very basic,” he told The Daily Swig. “Satellite communications have been ‘bolted’ on to vessels with little thought for their security.

“As a result, rather like utilities and industrial control systems 10 years ago, physically isolated systems have been exposed to the public internet without considering the consequences.”

Munro added: “Creating a cybersecurity standard, in my mind, is ‘running before we can walk’. Basic issues need to be addressed first, such as satcom terminals on the public internet with default or simple passwords, satcom terminals on the public internet running really old software versions with trivial exploits, and satcom terminals on the public internet that allow compromise of entire fleets of vessels.

“Once the satcom issue is resolved, then and only then should one move to addressing the myriad of security issues on board.”

ClassNK and TÜV Rheinland will be taking feedback from the different stakeholders within the maritime ecosystem as the certification program matures.

“Through the new partnership, we will do everything possible to overcome the cybersecurity challenges of the industry,” said ClassNK president and CEO Koichi Fujiwara.