Early this year, BIMCO, the world’s largest international shipping association, released the Guidelines on Cyber Security Onboard Ships, together with industry partners such as CLIA, ICS, INTERCARGO and INTERTANKO.
Philip Tinsley, maritime security manager at BIMCO, talked to NauticExpo e-Magazine about the rising importance of cyber risk awareness.
NauticExpo e-magazine: What are the key principles of the new guidelines?
Philip Tinsley: It is a tool for shipping companies to identify the core systems of their ship and to understand the likelihood and consequences of a cyberthreat to those systems. As a second step, they should determine the security and safety impact and establish a contingency plan.
Our guidelines were accepted as good guidance for the industry by the International Maritime Organization. The IMO also issued the Interim Guidelines on Maritime Cyber Risk Management in June on the back of the guidelines, which shows the relevance of the topic.
NauticExpo e-magazine: How relevant is cyber security?
Philip Tinsley: Cyber security is as important as piracy, migration or drug smuggling. At BIMCO we say that it should not be dealt with any differently than other security measures, no matter if it’s a man overboard drill or a piracy drill. Cyber drills should be incorporated in the security plan.
NauticExpo e-magazine: Could you give some examples of cyber security incidents?
Philip Tinsley: Cyber criminals stole $644,000 U.S. from a big maritime company: They posed as a supplier of marine fuel and emailed the company an invoice to send them the payment to their account in Poland. The company paid. Only when the legitimate company invoiced the bunker supply was the crime noted.
And in early July, vessels in the Gulf of Guinea came under an email phishing attack. Messages were sent from a pretended official coastguard address in order to obtain sensitive vessel data.
NauticExpo e-magazine: Is there a worst-case-scenario with regard to cyber-attacks?
Philip Tinsley: When we look into the future, with less crew and more and more automation, there is the potential for a serious cyber incident.
Imagine a steering system that is remotely accessed and locked so that a ship cannot maneuver. Navigational areas of vulnerability are GPS, AIS and ECDIS because they all rely on software and operational technology.
It doesn’t even have to be an attack: A crewmember once plugged his phone charger into the USB port of the ECDIS and it basically contaminated the whole system. This shows that it’s all about separating the operational system from the information and entertainment systems that crews require today.
We don’t want people to avoid using the great modern electronic devices. Again, it is about awareness, first of all from the management and in the end of the crew.