Very Small Aperture Terminals (VSAT) have revolutionized maritime operations. However, the security dimensions of maritime VSAT services are not well understood. Historically, high equipment costs have acted as a barrier to entry for both researchers and attackers. In this paper we demonstrate a substantial change in threat model, proving practical attacks against maritime VSAT networks with less than $400 of widely-available television equipment. This is achieved through GSExtract, a purpose-built forensic tool which enables the extraction of IPtraffic from highly corrupted VSAT data streams.

(Abstract taken from original document)

The following report offers ship owners and managers guidance covering their responsibilities under the new IMO regime and explains how the cyber security solution Fleet Secure Endpoint provides a comprehensive tool to support them towards compliance.

The purpose of this recommendation is to provide technical requirements to stakeholders which would lead to delivery of cyber resilient ships, whose resilience can be maintained throughout their service life.

(Abstract taken from original document)

The information listed in this document is based on Circular 04/2018 (ISM), has a recommendatory character and describes approaches for creating a Cyber Risk Management System for integration into the company’s existing SMS. The document also shows the in-terfaces to the BSI IT-Grundschutz, the ISPS Code and is intended to provide support for a holistic maritime Cyber Risk Management.

This DCSA implementation guideline is aimed at assisting those companies with the responsibility of implementing and ensuring compliance with the BIMCO guidelines for cyber security on-board vessels. As a guideline, it does not set out specific technical or configuration standards for vessel systems, but instead provides a management framework that can be used to reduce the risk of cyber incidents that could affect the safety or security of the vessel, the crew, or the cargo. Lastly it is aligned with the IMO Resolution MSC.428(98) compliance.

(Abstract taken from original document)

(Abstract missing)

As part of its remit to shine a spotlight on safety issues for the maritime sector, Safety At Sea (SAS) has had cyber security on its radar for a number of years, and has been conducting surveys with the assistance of its parent company IHS Markit and partner BIMCO. This white paper, supported by ABS Advanced Solutions, combines an analysis of four years (2016-2019) of survey findings and feedback from relevant experts at focused round table events and matches them to cyber behavior and investment trends observable in the wider maritime industry. Readers will gain a comprehensive overview of the key cyber security issues facing maritime, touching upon past major incidents and industry-best practice, as well as practical advice on prevention and recovery.

(Abstract taken from original document)

Developed in collaboration with several EU ports, this report intends to provide a useful foundation on which CIOs and CISOs of entities involved in the port ecosystem, especially port authorities and terminal operators, can build their cybersecurity strategy. The study lists the main threats posing risks to the port ecosystem and describes key cyber-attack scenarios that could impact them. This approach allowed the identification of security measures that ports shall put in place to better protect themselves from cyberattack. The main measures identified intend to serve as good practices for people responsible for cybersecurity implementation. The study can be useful for other stakeholders in the broader community within the port ecosystem, such shipping companies and maritime policy makers.

(Abstract taken from original document)

The document provides guidelines to establish, maintain and improve a management system for cyber security to ensure safe ship operation. The document consists of the two parts Part 1 Requirements and Part 2 Controls. The first part defines the requirements for a cyber security management system, e.g. the master´s and the operating company´s responsibility or familiarization for personnel. The second part defines controls to be implemented in the company and onboard to respond to cyber risks during operation, e.g. inventory lists of information communication devices, networks etc. or access control policy. Also in before the document begins a Cyber Security Approach is provided. This is meant to provide guidance to estimate if a certain security with respect to the threat of cyber attacks has been achieved.

Based on two business processes that are considered to be relevant, this white paper on “IT-Grundschutz profile for shipping companies - Minimum protection for shore operations” includes: A list of relevant target objects (applications, IT systems and premises) to be protected. An assignment of matching IT-Grundschutzmodules with requirements and implementation guidance and Recommendations for the implementationsequence.

(Abstract taken from original document)

This publication is the result of an ongoing collaborative effort involving industry, academia, and government. The National Institute of Standards and Technology (NIST) launched the project by convening private- and public-sector organizations and individuals in 2013. Published in 2014 and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.

Computerized systems are revolutionizing modern ships’ bridges and maritime operations. Central components in this are Integrated Navigation Systems (INS) and Electronic Chart Display and Information Systems (ECDIS) which provide the maritime navigator with the ship’s position and displays it in electronic charts. The integrity of these systems if of great importance for the safety and security of maritime operations, but is a little studied topic. In this paper we investigate the integrity of navigation systems, though a survey of INS’s on the market (n=22), a survey of known cyber incidents and attacks targeting the integrity of navigation systems, and a discussion of cryptographical measures to ensure the integrity of navigation data in INS’s.

(Abstract taken from original document)

IEC 61162-460:2018 is also available as IEC 61162-460:2018 RLV which contains the International Standard and its Redline version, showing all changes of the technical content compared to the previous edition. IEC 61162-460:2018 is an add-on to IEC 61162-450 where higher safety and security standards are needed, for example due to higher exposure to external threats or to improve network integrity. This document provides requirements and test methods for equipment to be used in an IEC 61162-460 compliant network as well as requirements for the network itself and requirements for interconnection from the network to other networks. This document also contains requirements for a redundant IEC 61162-460 compliant network. This document does not introduce new application level protocol requirements to those that are defined in IEC 61162-450. This second edition of IEC 61162-460 cancels and replaces the first edition published in 2015. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition:

a) 460-Switches and 460-Forwarders are required to implement IGMP snooping; b) connection between secure and non-secure areas requires a 460-Forwarder as an isolation element; c) SFI collision detection added as function of network monitoring; d) 460-Gateway and 460-Wireless gateway are no longer required to report to the network monitoring; e) all alerts from network monitoring have standardized alert identifiers.

DNV GL class programmes contain procedural and technical requirements including acceptance criteria for obtaining and retaining certificates for objects and organisations related to classification.

As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are increasingly being networked together – and more frequently connected to the worldwide web. This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks. Risks may also occur from personnel having access to the systems onboard, for example by introducing malware via removable media. Relevant personnel should have training in identifying the typical modus operandi of cyber attacks. The safety, environmental and commercial consequences of not being prepared for a cyber incident may be significant. Responding to the increased cyber threat, a group of international shipping organisations, with support from a wide range of stakeholders, have developed these guidelines, which are designed to assist companies develop resilient approaches to cyber security onboard ships. Approaches to cyber security will be company- and ship-specific, but should be guided by appropriate standards and the requirements of relevant national regulations. The Guidelines provide a risk-based approach to identifying and responding to cyber threats.

(Abstract taken from original document)

This Code of Practice should be read by board members of organisations with one or more ships, insurers, ships’ senior officers (for example, the Captain/Master, First Officer and Chief Engineer) and those responsible for the day-to-day operation of maritime information technology (IT), operational technology (OT) and communications systems. It does not set out specific technical or construction standards for ship systems, but instead provides a management framework that can be used to reduce the risk of cyber incidents that could affect the safety or security of the ship, its crew, passengers or cargo.

These Guidelines provide high-level recommendations for maritime cyber risk management. For the purpose of these Guidelines, maritime cyber risk referes to a measure of the extent to which a technology asset is threatend by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromiesed.

Autonomous marine vessels are the way forward to revolutionize maritime operations. However, the safety and success of autonomous missions depend critically on the availability of a reliable positioning system and time information generated using global positioning system (GPS) data. GPS data are further used for guidance, navigation, and control (GNC) of vehicles. At a mission planning level GPS data are commonly assumed to be reliable. From this perspective, this article aims to highlight the perils of maritime navigation attacks, showing the need for the enhancement of standards and security measures to intercept any serious threats to marine vessels emanating from cyber attacks and GPS spoofing. To this end, we consider a case where a cyber attacker blocks the real GPS signals and dupes the GPS antennas on board the marine vehicle with fake signals. Using the Nomoto model for the steering dynamics of a marine vesseland exploiting tools from linear control theory we show analytically, and verify using numerical simulations, that it is possible to influence the state variables of the marine vessel by manipulating the compromised GPS data.

(Abstract taken from original document)

Industrial automation and control systems (IACS) in oil and gas installations are vulnerable to cyber security incidents. As a result, countermeasures must be in place, and the facility operator must be confident that these countermeasures are sufficient and correctly performed. The risk must be acceptable for all systems including existing and possibly obsolete systems. Due to the high number of packages and systems in the packages, a standard based approach is required. Such standards for industrial automation and control systems are evolving, and the IEC 62443 standard is emerging as the preferred approach for many. The challenges are that this is a generic standard for all industrial components and that it is not finalized yet. Verifying conformance to the entire set of the IEC 62443 series of standards is very costly, and some parts may be irrelevant to certain industries. The standard also refers to security levels (SL), but it may be difficult to define the correct target for the different systems. Currently the standard defines what to do, but does not fully detail how to do it. To overcome these challenges, this recommended practice for implementing IEC 62443 (3-2, 3-3 and 2-4) in the oil and gas sector was produced based on a joint industry project (JIP) with participation from ABB, DNV GL, Emerson, Honeywell, Kongsberg Maritime, Lundin Norway, Petroleum Safety Authority (PSA) Norway, Shell Norway, Siemens, Statoil and Woodside Energy. The purpose of this JIP was to define a common and practical approach on how to secure industrial automation and control systems (IACS) in the oil and gas sector. The recommended practice intends to follow the regulatory requirements defined by PSA for the Norwegian continental shelf and by Health and Safety Executive (HSE) for the UK oil Sector.

This Industry Standard was developed by a Joint Working Group (“the JWG”) comprising members of Comité International Radio-Maritime (CIRM), the international association of marine electronics companies, and BIMCO, the world’s largest shipping association. Participants in the work of the JWG included representatives of shipowners, bridge equipment manufacturers, service providers, and system integrators. A list of companies represented within the JWG can be obtained on request to the Secretariats of CIRM or BIMCO. The Industry Standard was developed between 2014 and 2017. The work encompassed a pilot project wherein a draft version of the standard was implemented on board ships on a trial basis, the results of which were used to amend the contents of the standard. The following companies participated in the pilot project: BP Shipping, Emarat Maritime, Furuno, Kongsberg Maritime, Maersk Line, MAN Diesel & Turbo, Radio Holland, and Sperry Marine. The Industry Standard was published by CIRM and BIMCO in December 2017.

(Abstract taken from original document)

Information and communications technology (ICT) is revolutionising shipping, bringing with it a new era – the ‘cyber-enabled’ ship. Today’s leading manufacturers and ship operators want to innovate using the latest ICT systems, going beyond traditional engineering to create ships with enhanced monitoring, communication and connection capabilities – ships that can be accessed by remote onshore services, anytime and anywhere. ICT systems have the potential to enhance safety, reliability and business performance, but there are numerous risks that need to be identified, understood and mitigated to make sure that technologies are safely integrated into ship design and operations. The marine industry faces complex and serious challenges in order to achieve the full benefits of using ICT. Because a cyber-enabled ship consists of multiple, interconnected systems, and because of the rapid pace of technology development, assuring that a cyber-enabled ship will be safe cannot be prescriptive, and cannot rely on knowledge gained from previous systems. Instead, it requires a ‘total systems’ approach – one that takes account of all the different systems on board and on shore, how they are designed and installed, how they connect and how they will be managed. This is the approach that Lloyd’s Register (LR) takes, applying a non-prescriptive, risk-based process from the earliest concept stage, through on board integration, to operation – one that is based on our extensive experience of system design and installation on board ships and other marine platforms. As a trusted provider of safety assurance to the marine industry, LR is ready to help all stakeholders in the cyber-enabled ship market ensure that ICT is deployed safely.

Cyber security has become a concern and should be considered as an integral part of the overall safety management in shipping and offshore operations. Our recommended practice (RP) explains the ‘how to do’ and not just the ‘what to do’. We use a structured approach to effectively assess and manage your cyber security by combining IT best practices with an in-depth understanding of maritime operations and industrial automated control systems. In addition, our RP gives guidance supporting preparations for ISO/IEC 27001 certification. Get your copy of our DNVGL-RP-0496 on cyber security resilience management for ships and mobile offshore units in operation by submitting the form above.

(Abstract taken from original document)

The marine and offshore industries are increasingly relying on computer-based control systems. Therefore, the verification of the software used in control systems and their integration into the system is an important element within the overall safety assessment. This ABS Guide for Software Systems Verification - ABS CyberSafetyTM Volume 4 (SSV Guide) provides requirements and recommendations for software verification of integrated and non-integrated control systems aboard ships or offshore assets. This Guide is applicable during the initial construction and anytime during the life of the asset. This guide may also be used for new, modifications, retrofits, replacements, or upgrades of computer based control systems.

(Abstract taken from original document)

ABS recognizes that automation methods - and increasingly, autonomy - have penetrated nearly all aspects of shipboard and platform systems. Because these systems control multiple aspects of asset, ship or platform operations, they become integral parts of system and operational safety. ABS supports our community by compiling best practices, deriving new methods, and developing the standard for marine and offshore cybersecurity in a commitment to safety and security of life and property and preservation of the environment. This document is Volume 1 of the ABS CyberSafety series. It provides best practices for cybersecurity, as a foundational element of overall safety and security within and across the marine and offshore communities. The best practices are meant to provide insights for operations, maintenance and support of cyber-enabled systems, to better assure safety and security in those systems.

(Abstract taken from original document)

The intended outcome of applying the American Bureau of Shipping (ABS) ISQM program to software development include improving the quality of software in the marine and offshore industries; expedited reviews and approvals; and providing a level of confidence that products available from the System Providers (SP) are developed so as to meet the minimum quality requirements set forth in the ABS Guide for Integrated Software Quality Management (ISQM) (ISQM Guide).

(Abstract taken from original document)

The marine and offshore industries are integrating connected sensors, communications, storage and processing capabilities into vessels, offshore units and facilities as networking and computational power penetrates all aspects of industry operations. The “Big Data” phenomenon has emerged as a direct result of this growth, enabling development of tremendous new sources of data and information. But challenges have also emerged. Sensors and data must be trustworthy in order to support the new analytic and decision methods available for maritime industry use. These Guidance Notes are intended to clarify the basic principles and concepts of Data Integrity for marine and offshore assets. The document is intended to help the industry realize the new benefits from data sources and data analytics systems via implementation of Data Integrity concepts. It also supports owners who are increasingly required to provide data reporting to regulatory agencies. The intended users for these Guidance Notes are cybersecurity specialists, data specialists, owners, shipyards, operators, designers, suppliers, review engineers and Surveyors. These Guidance Notes are Volume 3 of the ABS CyberSafetyTM series, and are intended to be used in conjunction with other volumes.

(Abstract taken from original document)

The marine and offshore industries are integrating connected sensors, communications, storage and processing capabilities into vessels, offshore units and facilities as networking and computational power penetrates all aspects of industry operations. The ‘Big Data’ phenomenon has emerged as a direct result of this growth, enabling development of tremendous new sources of data and information. But challenges have also emerged. Sensors and data must be trustworthy in order to support the new analytic and decision methods available for maritime industry use. These Guidance Notes are intended to clarify the basic principles and concepts of Data Integrity for marine and offshore assets. The document is intended to help the industry realize the new benefits from data sources and data analytics systems via implementation of Data Integrity concepts. It also supports owners who are increasingly required to provide data reporting to regulatory agencies. The intended users for these Guidance Notes are cybersecurity specialists, data specialists, owners, shipyards, operators, designers, suppliers, review engineers and Surveyors.

These Guidance Notes provide cybersecurity best practices and recommendations to marine and offshore organizations, and they are intended to enable members of the marine and offshore communities to take verifiable steps to protect an asset, its cyber-connected systems, its personnel, and its information from cyber intrusions. The overarching ABS cybersecurity guidance program provides these Guidance Notes as ‘Volume 1: Cybersecurity’.

(Abstract taken from original document)

In the maritime world, safety and security are closely linked. The mission of ABS is to serve the public interest as well as the needs of our members and clients by promoting the security of life and property, and preserving the natural environment. For over 150 years, ABS has devoted its energies to promoting safe and efficient commerce by sea through the development and application of industry consensus standards. Initially, the emphasis was on safety, and ABS applied its technology and knowledge to maintain safety through prevention of accidents caused by the forces of nature and human error. While the science of those causes is very complex and is continually being improved, they are amenable to analysis, understanding and prediction. Through the dedication and diligence of everyone in the maritime industries, the safety record of shipping has steadily improved through the years. Cybersecurity introduces an additional element into the safety equation: security against deliberate actions intended to cause harm. Security has always been a concern with naval ships, and the military routinely exercise precautions to maintain the security of their ships and offshore assets. Commercial vessels routinely employ special security measures under certain circumstances to prevent theft, piracy, smuggling or stowaways. Those crimes are usually economically motivated, where destruction is not the goal. Acts of terror are usually politically motivated, and ships and offshore assets are prime targets because of their mobility and high potential for causing extensive damage to life, property, the environment, and the transportation and economic infrastructure. The maritime community has come to the realization that ships and offshore assets must be made less vulnerable to security threats, both at sea and while in port. Perpetrators of such acts have moved toward cyber-attacks for similar purposes. Exposure to these threats has become pervasive due to the exponential growth of automation methods - and increasingly, autonomy - that has penetrated nearly all aspects of shipboard and offshore asset systems. Because these systems control multiple aspects of asset, ship or platform operations, they become integral parts of system and operational safety. ABS supports the marine and offshore communities by developing the standard for marine and offshore cybersecurity, developing new methods and leading industry with best practices in a commitment to safety and security of life and property and preservation of the environment. Cybersecurity refers to the security of information networks and control systems and the equipment and systems that communicate, store and act on data. Cybersecurity encompasses systems, ships and offshore assets, but includes third parties - subcontractors, technicians, suppliers - and external components such as sensors and analytic systems that interface with networks and data systems. This includes human interaction of crews and other Company personnel, customers and potential threat players. In such a dynamic system, cybersecurity is an evolving set of capabilities inside the Company, developing and adapting as technology and threats evolve.

(Abstract taken from original document)

Cyber technology has fueled great progress and efficiency in our modern world. Coast Guard operations are more effective because of the rapid evolution in cyber technology, and advanced technologies have also led to an unprecedented era of efficiency of the maritime Transportation System (mTS). however, with these benefits come serious risks. information and its supporting systems are continually attacked and exploited by hostile actors. foreign governments, criminal organizations, and other illicit actors attempt to infiltrate critical government and private sector information systems, representing one of the most serious threats we face as a nation.

This document presents a framework for the Committee to consider in the development of cyber risk management (CRM) guidelines for the protection of trade-related information. Further, this document also proposes that the Committee consider coordination with the Maritime Safety Committee for the joint FAL-MSC development of a single set of non-mandatory CRM guidelines.

The vulnerabilities to cyber attacks of today’s marine transportation system have not been well studied. This paper explores vulnerabilities of shipboard systems, oil rigs, cargo, and port operations.

(Abstract taken from original document)

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

This report is the first EU report ever on cyber security challenges in the Maritime Sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. Finally, high-level recommendations are given for addressing these risks, Cyber threats are a growing menace, spreading to all industry sectors that relying on ICT systems. Recent deliberate disruptions of critical automation systems, such as Stuxnet, prove that cyber-attacks have a significant impact on critical infrastructures. Disruption of these ICT capabilities may have disastrous consequences for the EU Member States’ governments and social wellbeing. The need to ensure ICT robustness against cyber-attacks is thus a key challenge at national and pan-European level.

(Abstract taken from original document)

IEC 62443-2-1:2010 defines the elements necessary to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. This standard uses the broad definition and scope of what constitutes an IACS described in IEC/TS 62443-1-1. The elements of a CSMS described in this standard are mostly policy, procedure, practice and personnel related, describing what shall or should be included in the final CSMS for the organization. This bilingual version (2012-04) corresponds to the monolingual English version, published in 2010-11.

IEC/TR 62443-3-1:2009(E) provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.

IEC 62443-1-1: IEC/TS 62443-1-1:2009(E) is a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security. It establishes the basis for the remaining standards in the IEC 62443 series.

Specifies minimum performance requirements, methods of testing and required test results for general requirements which can be applied to those characteristics common to the following equipment: shipborne radio equipment, shipborne navigational equipment, and, for EMC only, all other bridge-mounted equipment, equipment in close proximity to receiving antennas, and equipment capable of interfering with safe navigation of the ship and with radiocommunications The contents of the corrigendum of April 2008 have been included in this copy. The corrigendum updates some of the normative references, particularly those to CISPR 16 which has been republished in multiple parts. The technical content of the revised references has not however changed and there are no changes to the text of standard.