MaritimeCybersecurityPolicy v2
All content following this page was uploaded by Ioannis Filippopoulos on 30 August 2019.
Abstract— The security environment of the twenty-first century has changed. There is no 100% security. The maritime industry, as a part of the cyber domain, is a very competitive and complex industry. Its increasing dependence on complex critical communication and information systems makes it one of the industries most susceptible to cybersecurity attacks. Cyber threats and cyber-attacks are becoming more frequent and more sophisticated every day. As these attacks have been happening more frequently and with serious consequences, cybersecurity has become a primary focus for the maritime industry. Cyber threats cannot be eliminated completely, but the risk can be greatly reduced to a level that allows the maritime community to continue to prosper and benefit from the huge opportunities that digital technology brings. Therefore, appropriate cyber defense measures and capabilities have to be in place to face and counter the threats from cyberspace. This will require having effective tools, a well-trained workforce and proper processes in place to detect, analyze, counter, and mitigate cyber threats and vulnerabilities.

To help understand the risks, this paper attempts to analyze the common cyber threats, the possible actors behind a cyber-attack as well as its anatomy. Furthermore, there is a report about the vulnerabilities in ship systems, but the main purpose of this paper is to propose a cyber-security policy and its components for the maritime sector.

Keywords: Maritime, Cyber Defense Policy, Cyber Attacks, Vessels, Information Security, Cyber Security Policy, Cyber Attack, Integrity, Confidentiality, Availability.
If we speak about the motivation of causing disruption or loss, we refer to the target of making systems and resources unavailable. Such attacks may be: cyber-attacks on port systems that may cause ports' shutdown, or the violation or even deletion of data used in a cargo terminal, which may lead to terminal suspension until all the data is restored.

II. CYBER THREATS

A cyber threat is any unauthorized attempt to gain access to a computer network. Nowadays there are many different kinds of cyber threats, and the most important of these are presented below. Common cyber threats are phishing and spear phishing, malware, denial of service (DoS), insider threats, advanced persistent threats (APT) and password attacks.

III. CYBER ATTACK

A. Actors behind a cyber-attack

There are various kinds of actors who conduct cyber operations directly or indirectly against maritime organizations; such operations can have a disruptive effect on the functioning of these organizations.

Picture 1: Cyber-attack actors
1) Espionage
2) Hacktivism
3) Criminal enterprise
4) Terrorism
5) Business competitors

B. Anatomy of a cyber-attack

Picture 2: Cyber-attack phases (figure showing the cycle Phase 1: Reconnaissance, Phase 2: Weaponization, Phase 3: Delivery, Phase 4: Exploitation, Phase 5: Installation, Phase 6: Command and Control, Phase 7: Action on Objective)

1) Phase 1: Reconnaissance
Cyber attackers first identify the target, including its vulnerabilities and the best ways to exploit them in order to launch a cyber-attack. They only need a single point of entry to get started, as anyone in an organization would suffice as a target.
2) Phase 2: Weaponization
The information that a cyber attacker gathers is used to change something that he discovered, causing a favorable result for him.
3) Phase 3: Delivery
Following the weaponization phase, it is time for the attackers to start their attack.
4) Phase 4: Exploitation
During the exploitation phase, the attacker takes advantage of the discovered vulnerabilities.
5) Phase 5: Installation
Once the attacker gains access to the organization's network, he must ensure that he will continue to have that access for as long as he wishes.
6) Phase 6: Command and control
In this phase the attacker has unlimited access to the network. He can move deeper into the network. He can exfiltrate data, conduct DoS operations and do anything malicious that he wants.
7) Phase 7: Action on objective
This is when the attacker comes to his real objectives and goes on to act on them. The objective could be anything, such as stealing data, interfering with the operations of the company, causing mischief with the order-taking system and getting things shipped to customers based on fake orders, shutting down equipment, disabling alarms, etc.

C. Vulnerabilities in Ship Systems

Until recently, there was a belief that the distance and isolation of vessels was a security barrier against cyber-attacks. However, this is wrong. Ships nowadays use more and more onboard Information Technology (IT) and Operational Technology (OT) systems, which are interconnected and connected to the internet. This interconnectivity increases the risk of exposure to internet-based and insider cyber threats. There should always be a distinction between IT and OT systems.

IT is an often-used and fitting term to describe business systems that move the data necessary to support business-level operations, including software, hardware and communication technologies.

OT is a domain complementary to IT that consists of hardware and software components and systems that directly monitor/control physical devices and processes. Both IT and OT might be vulnerable to cyber threats.

In the maritime industry there are a number of onboard systems which may be exposed to cyber risks. Vessels do not need to be attacked directly, because an attack can happen via the company's shore-based IT systems and very easily penetrate the ship's critical OT systems. Maritime companies should make sure that they understand how shipboard systems might be connected to uncontrolled networks.

IV. CYBER POLICY

A. Scope

A cyber security policy serves a lot of purposes. The main purpose of a well-thought-out policy is to describe all the procedures to be followed in order to guard all the critical assets, equipment and data against cyber-attacks. Furthermore,
the policy describes the users' roles, responsibilities and privileges. What is considered acceptable use? What are the security rules to be applied? The policy answers these questions and describes the user limitations. It contains procedures for responding to incidents that threaten the security of the company's computer systems and network.

Ideally, a cyber security policy should be documented, reviewed, and maintained on a regular basis.

B. Cyber Security Policy Contents

1) Roles and Responsibilities

a) Security Operation Centre (SOC)
A Security Operation Centre (SOC) is a centralized facility with a dedicated security team inside, which has to exist in every maritime organization in order to monitor, analyze and assess its network and IT services against cyber threats. The required capabilities for a SOC are: security monitoring, vulnerability analysis and penetration testing, configuration testing and the application of security templates, security inspection and risk analysis, malware and forensic analysis, audit and source code security support, conducting mitigation and counter-measures, incident management and coordination, systems and network security assessment, and intruder detection. A SOC should also be able to organize Incident Handling Teams capable of reacting to incidents or attacks.

b) Company Cyber Security Officer (CCySO)
Every company should designate a Company Cyber Security Officer. A person designated as the CCySO may act as the supervisor of the Incident Handling Team.
The CCySO is shore-based personnel and should have knowledge of some or all of the following:
- Networks and operating systems;
- System evaluations;
- System security penetration testing;
- Security operations/network monitoring;
- Security information and event management;
- Network mapping;
- Configuration of firewalls, routers and other security tools;
- Encryption systems.
The duties and responsibilities of the CCySO should also include, but are not limited to:
- Analyzing existing and future systems across the company, reviewing security architectures, and developing solutions that integrate information security requirements to proactively protect information;
- Incident handling capability by monitoring, analyzing and responding to incidents;
- Conducting forensic analysis and the review and assessment of security events and logs via sophisticated cyber security/event management tools;
- Conducting security risk assessments, and making recommendations of countermeasures to address risks, vulnerabilities and threats;
- Reviewing and validating security documentation;
- Ordering the activation of the Contingency Plan and selecting the appropriate recovery strategy;
- Determining who should be notified if a cyber incident occurs.

c) Ship Cyber Security Officer (SCySO)
The SCySO is responsible for all security aspects of cyber-enabled systems on the ship, i.e. the IT, OT and communications systems.
The SCySO should have knowledge of some or all of the following:
- How to inspect ship security measures;
- Emergency procedures, the contingency plan and other security plans;
- Proper management of security- and communication-sensitive information;
- Current cyber security threats;
- Recognition and detection of dangerous devices;
- Different types of techniques that are likely to be used to bypass security measures;
- The layout of the ship's installed equipment;
- Monitoring reports on incidents;
- Secure communications;
- How to recognize persons who are likely to threaten security.
The SCySO should also be responsible for:
- Ensuring that security measures are implemented and maintained, and that all security incidents are reported to the CCySO;
- Implementing and supporting network defense, access control, data protection and data transfer mechanisms;
- Taking backups of the system and implementing the recovery plan;
- Training shipboard personnel and increasing security awareness;
- Ensuring that ship security equipment is properly operated, tested, calibrated and maintained.

d) Ship Security Officer (SSO)
The SSO (the master and ship duty officers with specific security duties) is responsible for ensuring ship security. The SSO should have knowledge of:
- Facility security measures and operations of ships and ports;
- Undertaking regular security inspections of the ship;
- Backup plans in cooperation with the SCySO;
- Ways to control and manage the crew;
- Techniques used to circumvent security measures.
The SSO should also be responsible for:
- Reporting all security incidents to the SCySO;
- Ensuring that all shipboard personnel have the required security training and awareness;
- Conducting security inspections with the SCySO at regular intervals.

e) Shipboard Personnel
Shipboard personnel should have sufficient knowledge and ability to:
- Recognize characteristics and behavioral patterns of persons who are likely to threaten security;
- Use communications safely;
- Apply emergency procedures and contingency plans;
- Search (physically) persons, baggage, cargo, and ship's stores.
Finally, it should be noted that all crew members, regardless of position and responsibility, should be constantly vigilant.

2) Procedures

a) Physical Security and Access Control
Every ship should have specific security areas and security measures to control access. Efforts to control electronic and physical access to information systems are essential to ensure that sensitive data is retrieved or altered for legitimate and approved purposes only; otherwise malicious actors could steal or alter important information, take control of the ship or damage critical systems.

Physical access to spaces containing IT/OT assets must be controlled by physical barriers and devices (doors, locks) with security cameras (CCTV), and such spaces must only be accessed by authorized personnel.

Access Control Lists (ACLs) for physical possession of or contact with system assets (devices, systems, workstations, servers, network connections, etc.) must be kept up to date.

Each employee must have a unique user credential. Disable automatic saving of passwords for all applications. Define clearly all the equipment which requires remote access and disable remote management for ordinary users.

b) Identification and Authentication

USER LOGON IDS
Every user shall have a unique logon ID and password. An access control system should identify each user and prevent unauthorized users from entering or using information resources. Users shall be responsible for the proper use or misuse of their logon ID.
All user logon IDs must be audited at least twice yearly and should be removed when they are no longer in use. Logon IDs should also not be passed on from one user to another.
Users who wish to obtain access to workstations or networks must have completed and signed a Network Access Form. This form must be signed by the SCySO or the department head of each user requesting access.

PASSWORDS
Passwords are required to gain access to networks and workstations. Every user should select a unique password to obtain access to any electronic information at the server and/or the workstation level. The logon must be locked after a maximum of three (3) unsuccessful logon attempts, and the SCySO should be the only person responsible for resetting passwords. When passwords are reset, the system must automatically ask for them to be changed.
All passwords must comply with the following restrictions, so that they are difficult to guess and intercept:
- Must be at least eight characters long;
- Must contain a combination of upper and lower case alphabetic characters, numeric characters, and special characters;
- Must be changed every 90 days. Compromised passwords shall be changed immediately;
- The previous five passwords cannot be reused;
- Shall not be shared, written down on paper, or stored within a file or database on a workstation, and must be kept confidential.

CONFIDENTIALITY AGREEMENT
Users of information resources shall sign, as a prerequisite for employment, an appropriate confidentiality agreement via which they will declare that they «understand that any unauthorized use or disclosure of information residing on the information resource systems may result in disciplinary action, consistent with the policies and procedures of federal, state, and local agencies».
All temporary staff and third-party staff not already covered by a confidentiality agreement shall sign such a document before accessing information resource systems.

c) Network Security
Network security is crucial for a ship. There must be measures to secure the networks of a ship, such as the following:
- Unused ports on all network devices should be closed;
- Servers and other equipment containing sensitive data must be maintained in a secure location;
- Several types of perimeter security appliances, such as firewalls and IDS/IPS systems, must be used with secure configurations and with all default passwords changed;
- Access to network areas can be restricted by isolating them or by implementing firewalls, smart switches and routers.

d) Satellite and Radio Communication Systems
The most secure network is self-contained, with no access to the outside world, but this is not possible for most maritime transportation organizations. Communication with multiple organizations, including port administrations, ships, marine facilities and trucking companies, as well as within organizations, is necessary. The satellite link provider is responsible for providing a secure satellite connection and, in cooperation with the shipping company, will have to decide on the measures taken to ensure that it is safe. It must prevent illegitimate connections from gaining access to the onboard systems. It must use interfaces with the security control software provided with the communication equipment. If a VPN is used, the data traffic should be encrypted. Ensure that available Wi-Fi signals do not permit access to sensitive data or functions. Finally, a firewall should be deployed in front of the servers and computers connected to the network.

e) Printers and External Devices
Transferring data from uncontrolled to controlled systems is a major risk. Nowadays the use of removable media with malicious content is perhaps the main way to gain illegal access to networks and devices. Companies must ensure that external devices are not used to transfer information between uncontrolled and controlled systems. The best option is to prevent all employees from using their own devices. If their use is authorized, the external devices should be password-protected and encrypted. All external devices must be scanned on a computer that is not connected to the ship's controlled networks. The SCySO should perform periodic scans of the system and should do real-time scans of files derived from external sources as the files are downloaded, opened, or executed. If it is not possible to scan the removable media on board, then the scan could be done prior to boarding.

f) Social Media and Internet Usage
Nowadays the use of social media is very popular and is becoming an integral part of business. Companies use social media as a means to advertise and keep in touch with clients. Personal use of social media in the workplace must be permitted, subject to certain conditions, as follows:
- It must not be overused but must be minimal and take place substantially outside of normal working hours, and the company can withdraw this permission at any time;
- Do not post material in breach of the company's copyrights;
- Employees must never disclose commercially sensitive or confidential information, because the social media activity of the employees of a target company will be monitored to extract information about its systems and any technology vulnerabilities assessed;
- Employees should avoid social media communications that might be misconstrued in a way that could damage the business reputation, even indirectly;
- Employees' online profiles must not contain the company name;
- If employees see social media content that disparages or reflects poorly on the company, they should contact the SCySO immediately;
- Be aware that even if you make it clear that your views on some topics do not represent those of the organization, comments could still damage the company's reputation;
- All users are personally responsible for what they communicate on social media sites outside the workplace, for example at home, using their own equipment. Users must always be mindful of their contributions and of what they disclose about the company;
- Limited personal use of the internet or email at work is acceptable if it doesn't interfere with users' normal duties. Such use should take place substantially outside of normal working hours, for example during breaks or lunchtime. Users can access non-business-related sites, but are personally responsible for what they view. They must not use the company's equipment to access the internet, either from within or from outside the company network, and they may not upload, download or use any images, text, or software which:
  - Are not permitted by the SCySO through the «whitelist»;
  - Stop employees from working productively (such as games);
  - Encourage or promote activities which would, if conducted, be illegal or unlawful;
  - Involve activities outside the scope of the user's responsibilities, for example unauthorized selling/advertising of goods and services;
  - Might affect or have the potential to affect the performance of, damage or overload the system, network and/or external communications in any way;
  - Might be defamatory or adversely impact the image of the company.

Additionally, users must not include anything in an email which they cannot or are not prepared to account for. Care should be taken when adding attachments to emails. It is better not to use attachments, but if this is necessary, no attachment should exceed 20Mb in size. The auto-forwarding facility within the company's email system should not be used to forward work emails to private accounts (e.g. Gmail or Yahoo). Large files should be compressed. Users must not download, through their email, any software, executable files or image files (GIFs and JPGs) unless they have obtained prior permission from the SCySO.

g) Monitoring of Log Files and Alerts
If a maritime company wants to identify and successfully address cyber-attacks early, it must have a good log file monitoring policy. Reviewing security reports, log files and alerts is a specialized ability which requires a cyber security analyst in order to be most effective. Companies must create and implement a log retention policy that specifies how long log data should be maintained. This will be extremely helpful for the analysis, because older log entries may show reconnaissance activity or previous instances of similar attacks, since incidents may not be discovered until days, weeks, or even months later. Every hardware system in the company's network generates some type of log file. All systems using either Microsoft or Unix software produce logs. Event log management is a key component of compliance initiatives, since file access, unauthorized activity by users, and policy changes can be monitored, audited, and reported on. The best option is to place an IDS or IPS sensor behind the firewall, to monitor and filter traffic between the internet and the internal network and alert the SCySO to any cyber incident.

h) Antivirus Updates and Software Patches
Many maritime organizations don't apply patches often and in a timely manner to fix vulnerabilities and protect their systems. Patching is one of the most important steps that a maritime organization can take to reduce the exploitation of software and computer-based systems by cyber threats.
First, companies should only use authorized software on their systems. For this purpose, it is better for the company to have a list (whitelist) of all the software which is permitted to be used. Then, it is important for antivirus updates and software patches to be distributed to ships on a timely basis.
In every piece of software, application or operating system there are potential vulnerabilities which could be exploited by malicious cyber actors. Patching is the process of adding software code to eliminate a vulnerability and ensure the integrity of data residing on an IT/OT system. However, patch management can be a tough process. Vulnerabilities and fixes must be identified, analyzed, and tested before patches can be deployed and implemented. A tool that automatically scans all the systems for vulnerabilities is essential. A person should be assigned to be responsible for the updates and for reporting completion to the CCySO. Functional systems which are essential for the operation of the vessel may be updated at the company's ashore facilities.

i) Intrusion Detection and Response
Having (and practicing) an incident response plan is probably one of the most crucial steps that any company must take. Every company should have systems like IDSs in place to detect intrusions and respond to them. A clear and concise plan of action will help neutralize any intrusion into a network and mitigate potential damage. This plan should be tested continuously with exercises, examining its effectiveness in dealing with cyber incidents. The incident response and the damage assessment should also be considered.

j) User Awareness and Training
Continuous training and awareness of both crew members and the ordinary workers of a shipping company are essential elements to mitigate and effectively address cyber risks. Training should be tailored for all the staff, onboard and onshore, according to each one's duties. The SCySO is responsible for training the shipboard personnel and increasing their security awareness, and the SSO must ensure that every one of them has the required security training and cyber awareness. Continuous exercises should be carried out to simulate possible incidents, and their outcomes must be considered for future exercises, but also shared with all participants, in order to see how their actions could affect the
ship or the entire company. Finally, all crew members, in accordance with the cyber security policy, should at least be aware of:
- How to use personal and other external devices (removable media, etc.) securely before connecting them to the vessel's systems;
- The risks related to emails and how to utilize email in a safe manner;
- How to use social media and the internet safely;
- How to install and maintain software on vessel hardware safely;
- How to safeguard user information, passwords, etc.;
- How to recognize cyber risks in relation to the physical presence of non-authorized personnel;
- How to detect suspicious activity and how to report a possible cyber incident;
- The consequences of cyber-attacks on the safety of the vessel.

k) Recovery
Taking steps to put backups in place allows the organization to continue its operations despite a successful cyber-attack.
The frequency of backups depends on how often new data is introduced and how critical it is. The SCySO should take backups regularly, using different storage media, and is responsible for doing periodic recovery tests from the backup site. External media such as dedicated external drives and recordable CDs or DVDs should be available to the crew for data backup. Ensure that hardware is up to date and capable of recovering data. Since a portable backup drive can potentially contain sensitive information, it should be protected by encryption and kept in a designated secure locked location. The recovery plan should be implemented by the SCySO.
Another good practice is to store backed-up data offsite. In this case, data is backed up at the company's facility and then labeled, packed, and transported to the storage facility. If the data is required for recovery or testing purposes, the company contacts the storage facility requesting specific data to be transported to the organization or to an alternate facility.

3) Cyber Security Risk Assessment
Risk assessment is the process which collects information and assigns values to risks in order to inform priorities, define the needs for critical system protection, and develop courses of action. It does not provide permanent information and needs to be updated on a regular basis.
Risk assessment includes the following:
- Mapping all the system assets (hardware, connections) that are at risk. This can be done, for example, with an automated discovery tool;
- Identification of the cyber threats to the systems. As mentioned above, these threats could be malware, phishing, spear phishing, social engineering, DoS, insider threats, APTs, or actors like espionage, hacktivists, criminals, terrorists, business competitors, etc.;
- Identification of the vulnerabilities in the systems. Here the specific vulnerabilities that exist and could compromise the IT and OT equipment and the ship network are listed;
- Analysis of the impacts of the vulnerabilities. The analysis of the impacts resulting from each vulnerability determines to what degree the security state of the system is affected;
- Determination of the risks. Here the level of risk to the system associated with the vulnerabilities mentioned above is assessed;
- Documentation. Any findings should be documented for further and future use.

4) Cyber Security Contingency Plan

a) What is a Cyber Contingency Plan?
A cyber security contingency plan helps a maritime company to respond effectively to cyber incidents. Contingency planning is a necessary component of business continuity and disaster recovery. It should be based on a cyber security policy that describes the actions and the steps to be taken when a cyber incident has occurred or is likely to occur.
According to NIST Special Publication 800-34, there are some steps for a cyber security contingency plan:
- Develop the cyber security contingency planning policy statement;
- Conduct the business impact analysis (BIA);
- Identify preventive controls;
- Develop recovery strategies;
- Develop a contingency plan;
- Testing, training and exercises;
- Plan maintenance.

b) Develop the Cyber Security Contingency Planning Policy Statement
The Cyber Security Contingency Policy Statement should give all the necessary elements to achieve the policy purpose and should assign specific responsibilities to specific staff. For a maritime organization, the contingency policy should be developed not only for the ships but also for offshore installations, and should evaluate the IT/OT equipment and systems and mention the kinds of disasters, the operations of the systems, staff training requirements and the estimated time to restore the IT/OT systems. The basic elements of the policy should be known to all employees, onboard and onshore, according to each one's duties. The person responsible for starting the activation of the Contingency Plan is the CCySO.

c) Conduct the Business Impact Analysis (BIA)
The BIA is the process by which a maritime organization collects information and identifies the critical components of its system, as well as the threats that the system may face, the risks that these threats can cause and how they can affect the organization. According to NIST Special Publication 800-34, the BIA has the following phases:
Identify Critical IT Resources.
In this phase, the CCySO finds all the critical system components, identifies the required resources to operate them, and finds all the persons that use the system network in any way.
Identify Disruption Impacts and Allowable Outage Times.
In this phase, the CCySO analyzes the previous critical resources and determines the impacts on IT operations if a given resource is disrupted or damaged. The allowable outage time indicates the maximum time that an IT system can be unavailable before it causes a significant impact on the system.
Develop Recovery Priorities.
The impact and allowable outage times from the previous step enable the CCySO to develop recovery priorities that will be implemented during cyber contingency plan activation and that will
allow the maritime organization to determine the order in which systems should be restored or recovered.

d) Identify Preventive Controls
Armed with the results of the BIA, a maritime organization can begin to take preventive measures that reduce the effects of system disruptions, increase system availability and reduce contingency life-cycle costs. Common measures are firewalls, UPS, antivirus software, frequent backups, offsite storage of backup media, least-privilege access controls, etc.

e) Develop Recovery Strategies
Recovery strategies help the organization recover from an incident. They should always prioritize critical functions, address the impacts identified in the BIA, and take into account factors such as the allowable outage time and security. Furthermore, these strategies should combine the methods mentioned in subparagraph V.B.2.k.

f) Develop a Contingency Plan
Developing the contingency plan is the main phase in implementing a comprehensive contingency planning program. The contingency plan should contain detailed guidance and procedures for restoring a damaged system, specific to the system's security impact level and recovery requirements. It contains detailed roles, responsibilities, teams and procedures, and includes technical information designed to support contingency operations tailored to the organization, the information system and its requirements. Three phases govern the actions to be taken following a system disruption:
Activation/Notification Phase: describes the process of activating the plan based on outage impacts and notifying recovery personnel.
Recovery Phase: details a suggested course of action for responsible staff to restore system operations at an alternate site or using contingency capabilities.
Reconstitution Phase: includes activities to test and validate system capability and functionality, and outlines actions that can be taken to return the system to normal operating condition and prepare it against future outages.

g) Testing, Training and Exercises
A contingency plan can be very complex. Testing it is necessary if the maritime organization wants to be sure that it is effective. Organizations need to take many decisions, such as who does what and where, and what to do if it doesn't work. No one wants to find out during a crisis that the plan was poor. Each element of the contingency plan should be tested to confirm the accuracy of the individual recovery procedures and the overall effectiveness of the plan. The company should conduct training classes and exercises to ensure that the plan is effective. Test results and lessons learned should be documented and reviewed by the test participants and other personnel as appropriate. Key players should understand their roles. Simulating a cyber disaster, or performing tests to validate the plan's effectiveness, is necessary: anything learned in a non-stress situation will be invaluable when the real thing happens.

h) Plan Maintenance
Nothing is ever static when dealing with cyber security. The plan should be a living document. Companies will need to re-evaluate their cyber contingency plans on a regular (preferably scheduled) basis, especially when there are relevant technological, operational and personnel changes, to ensure that the plan remains consistent with the risks the organization is facing. Every modification of the plan should be coordinated through the CCySO and recorded. The contingency plan contains sensitive operational and personnel information; its distribution should therefore be marked accordingly and controlled.

5) Cyber Incident Handling Process in the Maritime Sector
Cyber defence requires mechanisms and procedures, based on ongoing preparation, to prevent, detect, respond to, mitigate and recover from attacks affecting the confidentiality, integrity and availability of information and of the supporting system services and resources. Having an established and rehearsed plan of action that a maritime organization executes after identifying a cyber-attack is crucial to limiting the damage. An effective plan should be comprehensive, covering every aspect of the incident. The mechanisms can be seen as a cycle of four phases:
(Figure: incident handling cycle with four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity.)

a) Preparation
The main aim of this phase is to prevent incidents by building up resilience and by applying security control measures. Good preparation is the key to success; not preparing for a cyber incident increases the risk to maritime operations. The first step in preparing for a cyber incident is to perform an impact assessment.
The next step is to determine the kind of equipment, and its cost, needed to protect the assets that are critical to port and maritime operations. Maritime organizations must keep in mind that it may not make sense to spend a lot of money protecting a device unless the value of the information and data it stores or processes is operationally critical. The cost of protecting the file server, for example, is not just the cost of replacement, repair or backup, but also the cost to the organization if the information and data stored on it are lost.
Another important part of this phase is training personnel to raise their cyber awareness. Every person in a maritime organization must have basic cyber awareness training focusing on the impacts of cyber incidents and cyber-attacks; this is the best protection. In addition, users should be made aware of the lessons learned following a cyber incident. A small investment in user training can turn into significant savings for the organization when a threat is avoided by a trained user. Users should also know the responsible person to whom they report any suspicious activity. Maritime organizations must create an incident handling team, led by the CCySO, that is prepared to respond if an event occurs, and should decide in advance who is in charge when an event happens. Maritime organizations should also perform risk assessments: frequent risk assessments of systems and applications help to identify vital resources and how to prioritize them during a cyber incident.

b) Detection & Analysis
The most challenging and also the most important part is to detect and analyze possible incidents. Early detection allows the maritime organization to respond before the incident escalates any further.
When an unusual action or network behavior is noticed, users should report it immediately. People have to be trained to be suspicious and to recognize abnormal
behavior of their systems. This abnormal behavior may not only relate to incidents that have already occurred or are occurring at that time, but may also indicate incidents that may happen in the future. All these categories of incidents should be perceived and identified using many different sources, such as IDS or IPS systems, log files, publicly available information, and people. Different types of security software should be used (not all systems detect all incidents), as well as third-party monitoring.
When an incident occurs, the incident handling team should immediately start recording all facts regarding the incident. Then the team should perform an initial analysis to determine, for example, which system or application is affected, who is responsible, what tools are being used, etc. After this, the team must ensure a fast and coordinated reaction and report the incident to the public. In particular, when more than one incident occurs, they should not be handled on a first-come, first-served basis but prioritized by their impact on operations.
Ultimately, detecting and analyzing a cyber incident is the main key to a quick return to normal operations with minimal disruption.

c) Containment, Eradication & Recovery
When an incident occurs, it must be contained to gain valuable time for reaction and to prevent further damage.
The key is to have a strategy already in place, based on known threats. This strategy should support rapid decision-making, define the acceptable risks in dealing with incidents, identify the different kinds of attacking hosts, and consider the specifics and individual aspects of each incident type.
If an incident is only contained without eliminating the problems it has created, it will most likely continue to create more and more problems. This is the eradication phase, where all the "faults" created by the incident are detected and eliminated.
Then follows the recovery phase. In this phase all necessary steps are taken to restore systems to normal operation, such as restoring from backups, installing patches, etc., or, in large-scale incidents, even rebuilding the whole system from scratch.

d) Post-Incident Activity
This phase aims at learning from incidents: reflecting on and reviewing what happened, how the incident was managed and what can be improved.
The key to a proper lessons-learned regime is holding a "lessons learned" meeting with all involved parties after a major incident, and optionally periodically after smaller incidents.
Incidents carried out through new attack methods are of widespread concern and interest. Information on them, as well as on how they were handled, should be shared with and reported to other organizations. Existing documentation should be updated as a result of the lessons-learned meeting.
Because of the changing nature of information technology and changes in personnel, the incident handling team should review all related documentation and procedures for handling incidents at designated intervals.
Finally, an important post-incident activity is creating a follow-up report for each incident, which can be used as a "best practice" for future incident handling and as data on incident handling (resources, time and number of incidents) to justify future organizational changes and funding requests.

V. CONCLUSIONS
Although in the past cyber security was something that did not concern the maritime industry, in the last few years there has fortunately been a gradual change in the industry's mindset: cyber security is now perceived as a genuine threat and as a necessary element for the safe and efficient operation of all maritime organizations. Cybersecurity risks continue to grow around the world and greatly affect the maritime sector, which uses complex, critical IT and OT systems that have several vulnerabilities and must be protected against cyber threats.
Taking into account the modern trends in shipping that lead towards fully autonomous vessels, it is clear that cyber security becomes even more important.
The aim of this paper was to analyze the common cyber threats, the possible actors behind a cyber-attack and its anatomy, and to give a short report on the vulnerabilities in ship systems; its main purpose was to propose a cyber security policy and its components for the maritime sector.
Specific roles and responsibilities for users, secure procedures, and plans to deal with the different cyber risks, brought together in a cyber security policy, are essential elements for tackling and reducing the number of cyber-attacks more effectively, so as to allow the maritime community to continue to prosper.
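The Detection & Analysis phase of the incident handling process above makes two points that are easy to state and harder to operate: incidents should be identified from several sources because no single system detects everything, and simultaneous incidents should be prioritized by impact rather than handled first-come, first-served. The following is an added example, written for this page and not part of the paper, that correlates two constructed log sources (a flow log from a segmentation firewall between a ship's bridge/OT network and the crew/IT network, and an SSH auth log from the file server), raises alerts for an OT host talking outside its known baseline and for a login burst, and then orders the alerts by BIA criticality of the affected asset times rule confidence. All host names, log formats, VLAN layout, thresholds and criticality scores are assumptions constructed for the example; it goes a step beyond the text by tying the BIA scores from the contingency planning section directly into the triage order.

```python
"""Multi-source detection with BIA-driven triage (added example, not from the paper).

Assumptions (constructed for illustration): the log formats, host names, the
OT baseline, the thresholds and the criticality scores below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log from a segmentation firewall between the bridge/OT
# network and the crew/IT network: timestamp, src, dst, dport, action.
FLOW_LOG = """\
2019-08-30T02:10:01 src=ecdis-1 dst=chart-srv dport=443 action=allow
2019-08-30T02:10:05 src=ecdis-1 dst=203.0.113.9 dport=445 action=allow
2019-08-30T02:11:40 src=crew-laptop-7 dst=198.51.100.20 dport=443 action=allow
2019-08-30T02:12:02 src=engine-mon dst=alarm-srv dport=502 action=allow
2019-08-30T02:12:09 src=engine-mon dst=crew-laptop-7 dport=3389 action=allow
"""

# Constructed sshd-style auth log from the ship's file server.
AUTH_LOG = """\
2019-08-30T02:09:50 fileserver sshd: Failed password for admin from 10.20.0.7
2019-08-30T02:09:52 fileserver sshd: Failed password for admin from 10.20.0.7
2019-08-30T02:09:53 fileserver sshd: Failed password for root from 10.20.0.7
2019-08-30T02:09:55 fileserver sshd: Failed password for admin from 10.20.0.7
2019-08-30T02:09:56 fileserver sshd: Failed password for admin from 10.20.0.7
2019-08-30T02:09:58 fileserver sshd: Accepted password for admin from 10.20.0.7
2019-08-30T02:30:00 fileserver sshd: Failed password for crew1 from 10.20.0.31
"""

# Known-good peers per OT host (assumed). Anything else an OT host initiates
# is abnormal; in particular OT hosts should never initiate to crew/IT hosts.
OT_BASELINE = {"ecdis-1": {"chart-srv"}, "engine-mon": {"alarm-srv"}}

# Criticality from the BIA (assumed): 5 = navigation/propulsion critical, 1 = low.
CRITICALITY = {"ecdis-1": 5, "engine-mon": 5, "fileserver": 3, "crew-laptop-7": 1}

# How much to trust each rule when ranking alerts (assumed).
RULE_CONFIDENCE = {"ot-unexpected-peer": 3, "auth-bruteforce": 2,
                   "auth-success-after-bruteforce": 4}

FAIL_THRESHOLD = 4               # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=30)  # ... within this window raise an alert


def parse_kv(line):
    """Parse 'ts k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_ot_flows(flow_lines):
    """Flag OT hosts talking to any destination outside their baseline."""
    alerts = []
    for line in flow_lines.splitlines():
        f = parse_kv(line)
        allowed = OT_BASELINE.get(f["src"])
        if allowed is not None and f["dst"] not in allowed:
            alerts.append({"rule": "ot-unexpected-peer", "asset": f["src"], "ts": f["ts"],
                           "detail": f"{f['src']} -> {f['dst']}:{f['dport']}"})
    return alerts


def detect_bruteforce(auth_lines):
    """Flag FAIL_THRESHOLD failures from one source inside FAIL_WINDOW (once per
    burst), and separately flag a success that follows such a burst, which is
    a likely account compromise rather than noise."""
    failures = defaultdict(list)   # (host, src) -> recent failure timestamps
    alerts = []
    for line in auth_lines.splitlines():
        ts_s, host, rest = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_s)
        src = rest.rsplit(" ", 1)[1]
        key = (host, src)
        if "Failed password" in rest:
            failures[key] = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[key]) == FAIL_THRESHOLD:
                alerts.append({"rule": "auth-bruteforce", "asset": host, "ts": ts,
                               "detail": f"{FAIL_THRESHOLD} failures from {src}"})
        elif "Accepted password" in rest and len(failures[key]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "auth-success-after-bruteforce", "asset": host,
                           "ts": ts, "detail": f"success from {src} after failures"})
    return alerts


def triage(alerts):
    """Order alerts by BIA criticality x rule confidence, highest first; time of
    arrival only breaks ties. This is the opposite of first-come, first-served."""
    for a in alerts:
        a["priority"] = CRITICALITY.get(a["asset"], 1) * RULE_CONFIDENCE[a["rule"]]
    return sorted(alerts, key=lambda a: (-a["priority"], a["ts"]))


def run():
    """Correlate both sources and return the triaged alert list."""
    return triage(detect_ot_flows(FLOW_LOG) + detect_bruteforce(AUTH_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"P{a['priority']:02d} {a['ts']} {a['rule']:<30} {a['detail']}")
```

With these constructed logs the auth events are the earliest in time, yet the two OT alerts (ECDIS reaching an external host on 445, the engine monitor opening RDP to a crew laptop) come out on top because the BIA rates those assets as navigation/propulsion critical; the successful login after the burst ranks above the burst itself because the rule is more conclusive. In practice the baseline and criticality tables would be generated from the asset inventory and BIA rather than hard-coded, and the single-success-after-failures rule needs a longer memory than the failure window if the attacker slows down.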