Something else to worry over

Malcolm Latarche
Malcolm Latarche

26 August 2016


In recent years, shipowners have learned to be security conscious for a number of reasons. It began with the ISPS Code and all that brought with it such as ship security alert systems and LRIT and progressed through tackling the scourge of piracy to what is now being said to be the latest threat – cyber attacks. Cyber attacks are only possible because of the modern use of computerised equipment and while there is a widely held view that it is the opening up of marine communications that allows them to be made, the fact is that computers on ships are just as susceptible to contamination by viruses and malware through use of removable media as through internet or satellite connections. This has been a known problem for decades and is only beginning to attract attention because of the type of attacks that are being perpetrated against industries ashore. Another fear today is that with the advent of ECDIS and the mandatory connection of equipment through VDRs, a ship’s navigational integrity could be compromised. Reacting to the threat the IMO has approved a circular (MSC.1/Circ.1526) providing Interim Guidelines on maritime cyber risk management. The Interim Guidelines are likely to change next year but it is not anticipated that this will affect the technical content. Instead it should add implementation aspects, particularly where the ships’ systems interact with the systems belonging to shore-based facilities, aiming to ensure that no divergence or contradictions will be introduced and the industry will find the information it needs in one source. The IMO is not the only source of advice on the issue as class societies, communication service providers and independent consultants are all offering their services to concerned shipowners. Weighing up the risks of cyber attacks is something that owners may feel they need to do and the first task is to evaluate the possible problems. As things stand, the biggest threat would appear not to be against ships but against the offices and online services of ship operators. One can imagine that it will be liner operators most in the line of fire because there is far more confidential data and the potential for service disruption is greater so ransom type attacks might be used. Very few if any ships now operating would be able to be remotely operated by any cyber attacker but incorrect navigational data used for passage planning could result in a grounding or worse. If the promised age of autonomous ships ever materialises, then the risk will obviously increase. The threat of that may be sufficient to deter the more trepid from being front runners in cyber enabled ships. Although there is a lot of noise around the threat of cyber attacks, finding anyone in shipping that has knowledge of anything beyond viruses spread by crew using USB sticks and the like is almost impossible. Possibly that is because with a few exceptions most shipping companies and their activities are almost invisible to those outside of the industry. There is no reason to think that may change but on the other hand if autonomous ships become mainstream, the kudos of being able to hijack one may be a spur to malicious attacks.