Shipping industry urged to update crew training to strengthen cyber resilience

February 5th 2018
There is no lack of industry guidance when it comes to cyber security in shipping. Class societies, industry associations, and specially founded action groups have published plenty of papers advising ship managers and crew on how to secure a ship’s IT against unwanted hacks and digital attacks. In addition, the IMO has required that cyber security be part of vessel safety management systems, embedding that requirement in the International Safety Management (ISM) Code with a deadline of January 2021.

Nevertheless, there still seems to be a lack of implementation of this guidance. While companies such as MSC Cruises or the Liberian Registry announced cyber training courses for their seagoing staff in late 2017, the annual joint Fairplay/BIMCO cyber security survey, published in October 2017 and reported in Safety at Sea (SAS) in November 2017, showed that 76% of seafarers said they had never received training on cyber security. They therefore continue to be the weakest link in the cyber chain, despite being on board potentially targeted vessels on a daily basis.

Class society DNV GL has published numerous cyber security guides but still sees the need to educate crew. It launched an “e-learning suite of cyber security awareness training for crew and staff” comprising four modules, with the fourth being a little more advanced. “We have since made updates and are planning to make more this year to include new real-life scenarios,” Patrick Rossi, maritime cyber security service manager and integrated software dependent systems approval engineer at DNV GL – Maritime Advisory, told Fairplay sister title SAS.

Lessons that stay learnt

After a cyber security course, seafarers should no longer risk plugging a private USB drive into an onboard computer or the bridge’s ECDIS, or clicking on phishing links in emails. But how does DNV GL ensure that crew continue to adhere to such ‘cyber hygiene’? “There is no way of guaranteeing 100% compliance with policies, processes, and procedures or 100% security,” Rossi said.

The company is working on various methods to evaluate crew compliance with training. DNV GL’s so-called Penetration Testing by Social Engineering service, for example, which is about to be launched, will use “friendly phishing campaigns to test the awareness levels of staff and crew”. But while awareness is key, it cannot prevent everything. “For example, if you want to make sure that no one plugs in their USB drives into corporate workstations, then you need to manage the workstations, either by disabling USB ports or configuring a USB device manager”.
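Rossi’s point is that the technical control has to back up the training: on a managed Windows workstation the USB restriction can be enforced centrally rather than left to crew discipline. The following PowerShell is an added illustration written for this article, not DNV GL’s or any vendor’s code. It applies the same registry values that the “Removable Storage Access” Group Policy sets, so that removable disks are denied read, write and execute access, and then reports the resulting state so an auditor can confirm the policy is in place. It assumes it is run in an elevated session on a Windows 10 workstation that is not already governed by a domain policy for these keys (a domain GPO would overwrite local values, and is the preferable way to manage a fleet); the function names and the `$ErrorActionPreference` handling are this example’s own choices.

```powershell
# Added example: enforce and audit a "no removable disks" policy on a Windows workstation.
# Assumptions: elevated session, Windows 10, no domain GPO already managing these keys.

$ErrorActionPreference = 'Stop'

# Policy root used by the "Removable Storage Access" administrative template.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUID that the policy uses for "Removable Disks" (USB mass storage).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskDenyPolicy {
    <#
      Deny read, write and execute on removable disks. Each value is a DWORD of 1
      under the class-specific key; 0 (or an absent value) means "not denied".
    #>
    $classKey = Join-Path $PolicyRoot $RemovableDisksClass
    if (-not (Test-Path $classKey)) {
        New-Item -Path $classKey -Force | Out-Null
    }
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $classKey -Name $name -Type DWord -Value 1
    }
}

function Get-RemovableDiskPolicyState {
    <#
      Return an object describing whether each denial is in force, so the result
      can be logged or compared across the fleet. Missing values read as "not set".
    #>
    $classKey = Join-Path $PolicyRoot $RemovableDisksClass
    $state = [ordered]@{ Key = $classKey; KeyExists = (Test-Path $classKey) }
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $value = $null
        if ($state.KeyExists) {
            $value = (Get-ItemProperty -Path $classKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = if ($null -eq $value) { 'not set' } elseif ($value -eq 1) { 'denied' } else { 'allowed' }
    }
    [pscustomobject]$state
}

# Apply the policy, then show what an audit would see.
Set-RemovableDiskDenyPolicy
Get-RemovableDiskPolicyState | Format-List
```

Windows applies these values without a reboot for newly inserted devices, but a drive that is already mounted keeps its current access until it is removed, so a post-change audit should also check for devices connected before the policy took effect. The audit function is the half a practitioner will actually reuse: the same call, run remotely against each workstation, gives the evidence Paul Walter asks for below when he says compliance has to be observed rather than assumed.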

Road to recovery

Since the infamous NotPetya ransomware that shut down Maersk computer systems in June 2017, the company has made a number of improvements, broadly speaking a “centralisation and modernisation” of its global systems, most of which cannot be shared for security reasons. Maersk senior press officer Mikkel Elbek Linnet told SAS the company also “has an ongoing awareness programme with its entire staff, inclusive of seafarers, around cyber security. The development of mandatory learning and general awareness of information security through campaigns and varied material, are a key part of this programme”.

And while USB drives have a bad reputation where cyber hygiene is concerned, they were definitely helpful in getting the Danish container giant back online, with 2,000 USBs sent “to every corner of the globe” to help recover the Windows 10 operating system in locations that did not have enough bandwidth to download it from the internet.

Onboard visits, part of DNV GL’s cyber training, in which staff watch how seafarers interact with the devices they use on a daily basis, have revealed glaring mistakes: “Usage of default passwords, no logging out of workstations, sharing of passwords, using public internet cafés to send corporate information, sharing of USB drives, installation of wireless access points, as well as sending private emails from corporate workstations.”

Peter Broadhurst, senior vice-president for safety and security at Inmarsat Maritime, agreed that there was still a failure to see how cyber security applied to individual crew members. “Thoughts like ‘I’m not the target. It can’t be me. We have security in place. I will be protected by anti-virus [software]’ etc are a common approach, despite the training,” he told SAS. He suggested separating business and crew networks to lower the risk of compromising security.

This view is shared by Paul Walter, who is responsible for cyber service delivery at the American Bureau of Shipping. “Personnel need [internet] access to perform their duties and nothing more,” he told SAS, adding that everyone was responsible for cyber security. Once company officers recognise the risk factors, he said, “awareness can be shared along the chain of command so risks can be identified and mitigated”. For him, it is vital to observe whether crew continue to endanger IT security “in the same old ways” after receiving training. “If you have evidence that this is happening, then I would have to ask whether they have in fact received any training, how good that training was, and whether the learning is being reinforced by their superiors, shipmanagers, and owners.”

A lack of communication between management and crew was revealed to be preventing cyber security messages filtering from top to bottom in the 2017 Fairplay/BIMCO cyber survey. Some managers and owners are tackling this issue. “We have provided each seafarer with detailed information about the potential threats and are updating this information when needed,” said Nils Haupt, senior director of corporate communications at Hapag-Lloyd.

In a similar bid to improve dissemination of information down the ranks, Artiom Guzar, quality assurance and international safety manager at Norbulk Shipping, told SAS that all its crew members must take part in “pre-voyage instruction” once a year at their local training centres. They will be briefed on company safety and security procedures, including cyber security.

Furthermore, current policy on cyber security best practice is shared with crew in regular seminars held in Riga and Manila, backed up by company manuals on every ship. These include best practice on cyber hygiene – safe use of personal mobile phones, USB drives, and passwords.

Ship-specific action

Norbulk also requires each ship to conduct a ship-specific risk assessment to identify the areas where it is vulnerable and what measures can be put in place to minimise cyber theft. “If the risk factor for any of the threats is high and the ship cannot manage that themselves, they are required to contact the office for further assistance,” said Guzar.

Meanwhile, Thome Shipmanagement carries out a range of cyber training for crew to emphasise the role that individuals and the crew as a whole play in protecting against cyber attacks. The company uses practical examples to teach participants how to detect typical kinds of attack and what actions to take. Training provider Seagull also teaches its crew and on-shore staff to understand that software “is not just found in obvious IT systems, but also embedded in many types of equipment essential for operating ships and offshore assets”, Claes Eek Thorstensen, Thome Shipmanagement COO, told SAS.

An over-reliance on technology is discouraged, with emphasis put on verifying and double-checking systems manually and relying on experience. “Contingency plans are in place, for example, in case of ECDIS being corrupted. The ship must immediately report this to the office and stop navigating in congested waters,” said Thorstensen.

He wants regulators to jump in rather than leave shipping companies to handle cyber threats alone. “Cyber security is a global issue for all industries and the appropriate authorities must help to eliminate the threats and find ways to track, apprehend, and punish the perpetrators, even those located outside the country where the attack has been launched.”