In spring this year, Japanese ship classification society Nippon Kaiji Kyokai (ClassNK) laid out its latest ideas for ensuring onboard cyber security for ships. The society published a series of technical guidance documents incorporating topics such as designing cyber security onboard ships, effective vessel cyber security management systems, and software security.
The documents were guided by ClassNK’s new Cyber Security Approach, which is something of a vision statement for cyber security in the maritime industry.
“Response to cyber threats is an urgent matter for the entire maritime industry,” ClassNK said in a March press release. “In the ClassNK Cyber Security Approach, ensuring navigational safety is regarded the most important goal of onboard cyber security. To achieve it, it is of high priority to ensure availability of systems in terms of operation technology (OT) as well as information technology (IT) systems, which support operation of ships.”
The Cyber Security Approach adopts a strategy of layered cyber security controls, with each layer supporting the others and designed to contribute to a “balanced combination of physical, technical, and organisational approaches” to cyber security.
ClassNK’s mutually reinforcing cyber security layers take in onboard hardware and software equipment, operational controls, organisational controls for information security management and developing more cyber-savvy shipboard products across the supply chain. Below is a breakdown of ClassNK’s cyber security layers and the key takeaways from the society’s recently-published guidance documents.
Equipment and operational controls
Three of ClassNK’s five cyber security layers – listed as controls with software and hardware equipment; operational controls to ensure the health of equipment controls; and controls to ensure the health of operational controls – relate to effective controls for securing potentially vulnerable onboard systems, as well as the implementation and validation of operational controls to confirm that protocols are running correctly.
These three layers are primarily targeted at shipowners, shipyards and systems integrators, and covered in ClassNK’s guidance document, ‘Guidelines for Designing Cyber Security Onboard Ships’.
Onboard electronic systems are separated into categories based on their safety functions, with Category I systems such as administrative software not directly related to the safety of the vessel, crew or environment. Failure of Category II systems, including propulsion alarms and liquid cargo transfer controls, could eventually lead to dangerous situations, while Category III systems could present an immediate threat to vessel safety, human life and the environment if they fail. These safety-critical systems include propulsion, steering control, dynamic positioning and navigation systems.
The guidance document’s six annexes cover a range of systems based on their cyber security requirements. For example, systems that require access control and identification/authentication, including propulsion and electrical power systems, could be threatened by unauthorised users making changes that interrupt power supply or make the propulsion system reject commands from the operator. The document provides guidance on setting a consistent access control policy for crew, multi-factor authentication to separate privileged and non-privileged accounts, and replay-resistant authentication mechanisms.
Other system types covered in the document include systems requiring software update, systems with functions connecting to media, and those that require physical and environmental protection.
Organisational controls: information security management
Organisational controls for onboard cyber security – ClassNK’s fourth cyber security layer – are defined by ClassNK as “activities to establish, maintain, and continually improve a management system for cyber security so that the company and ship can ensure safety”.
This is delivered through the society’s Cyber Security Management System for Ships (NK-CSMS) guidelines, as outlined in the ‘Cyber Security Management System for Ships’ guidance document. This document is predominantly aimed at vessel operators and ship management companies, which take primary responsibility for ongoing cyber security risk assessment and mitigation.
Under the NK-CSMS guidelines, the objectives for vessel cyber security management include providing a safe working environment, assessing all identified cyber risks to ship, crew and environment, and continuously improving the cyber security management skills of all personnel ashore and onboard. To improve consistency and communication around these sometimes subtle risks, the guidelines recommend all shipping companies designate a shore-based person or team for cyber security management and that this team should have “direct access to the highest level of management”.
While effective equipment controls can be incorporated as part of the shipbuilding phase – for newbuilds, at least – a comprehensive and well-understood cyber security management system defines the human processes necessary to support deployed cyber security technologies. Some of the major operational recommendations included in ClassNK’s guidance are training programmes to ensure that personnel understand the cyber security context and related protocols, emergency preparedness and clear procedures for reporting incidents or non-compliance.
Developing shipboard products with reduced cyber risk
ClassNK’s fifth and broadest cyber security layer is the development of shipboard products with reduced cyber risk. The society’s guidelines on this topic, which mainly applies to the wider vessel equipment supply chain, are intended for shipboard equipment manufacturers, as well as shipping personnel involved in equipment procurement. The guidelines are set out in the most recent document ClassNK’s Cyber Security Series, ‘Guidelines for Software Security’.
This is an important factor in onboard cyber security, because there has to be an expectation that the resilience of software against external attacks is as important as its intended functions. Growing demand for secure software will help shape the products that are offered on the market, and as Roi Mit of cyber security firm Regulus Cyber recently highlighted in the case of GNSS receivers, a lack of secure technology options is still an issue in some sections of the maritime sector.
“Security requirements should be defined and analysed for each and every stage of software’s life cycle, adequately addressed and managed on a continuous basis,” ClassNK notes in the software security guidance document. “Software security requirements should be treated in the same manner as functionality, quality and usability requirements.”
ClassNK has found that “vague security requirements” are regularly encountered in software documents, and the society expects that much clearer and more verifiable security requirements should be an expectation. Fundamental software security principles highlighted by ClassNK include minimising the ‘attack surface area’ of software architecture, establishing secure defaults, eliminating unnecessary software privileges from personnel, and keeping the system as simple as possible.
“Attack surface area and simplicity go hand-in-hand,” notes the guidance document. “Certain software engineering fads prefer overly complex approaches to what would otherwise be relatively straightforward and simple code.”