“People are part of complex systems in the maritime environment; they interact
with one another and computer systems in both creative and destructive
ways. At every intersection of human and machine there is the possibility for error,
manipulation, coercion or sedition.” - The Future of Maritime Cyber Security -
Lancaster University
IT systems are crucial to the safe and efficient operation of modern vessels and to the
functioning of the maritime industry in general. Increasingly complex systems enable a
host of essential maritime operations, from navigation and propulsion to freight
management and traffic control.
Onboard systems include GPS, DP, AIS, ECDIS, Radar, autopilot etc. and control
systems for ballast, stability, engine and propulsion control, cargo handling etc.
Advances in satellite technology mean these previously remote onboard systems are
increasingly likely to have a permanent internet connection, with the potential for any device
onboard the vessel to become a node of the on-shore corporate IT network. The 24hr
availability of email, web browsers, cloud storage, network access, smartphones and the
challenges of 'BYOD' all add to the complexities and the vulnerable gateways to our data.
In addition to the equipment onboard vessels, there are similarly vulnerable systems
located in ports, VTS centres, offshore installations, operators' and managers' offices and in
numerous maritime support businesses and organisations.
There are considerable risks to the safety and security of vessels, the security and
reputation of the owners and operators and risks to the movement of world trade should
maritime corporate IT networks become compromised. The act of compromise can be either
deliberate and criminal, or unforeseen and accidental. Either way, the results can be
equally widespread and potentially disastrous.
The IMO propose that the subject be tackled using a process of Cyber Risk Management
(CRM), covering safety, security and operational risks under one umbrella. This
project will approach the subject from a similar viewpoint.
Aims
To mitigate the risk of exposure to cyber-vulnerabilities (deliberate or otherwise) by
educating those who have access to exposed IT systems and infrastructure, both onboard
and shoreside. This will be achieved by giving a non-technical audience the knowledge to
understand the risks, to know what to do to protect against these risks and what to do in
response to a direct threat.
During the development of this resource, the participating parties will form a working
group to learn from the knowledge and experiences of each other to enhance their own
internal procedures and systems for implementing a successful corporate CRM strategy.
The final public output of the project will be to give practical guidance and advice on ‘Best
Practices’ to those who may not have an IT background or training, enabling those at the
sharp end to better support the work of the IT department in protecting the corporate
network.
“For most companies, the greatest threat comes from the naivety of their
own employees, on ship and shore. Awareness and good procedures can
dramatically reduce the risk.” - The Navigator, June 2016
Achieving the aims
To achieve the stated aim, the working group will gather the latest in technical, security
and behavioural knowledge and information and distil this into a series of practical
‘takeaways’ that can be easily understood and put into practice by a non-technical
audience.
Fidra will then work with the creative team to create either a single film, or a series of
‘shorts’, that illustrate these points in a way that is both educational and entertaining to
watch. It is only by achieving the second of these two goals that we have the greatest
chance of the films being widely shared and the knowledge widely disseminated. If we are
successful, the exposure will extend beyond the maritime industry.
Fidra will work with the partners in the project and the maritime media outlets to ensure
that as much publicity as possible is generated on release, using all available channels.
Supporting materials could also be produced if these were felt to be of further benefit, in
the form of guide notes and ‘best practice’ leaflets and posters (distributed as PDF
documents).
Project structure
“The biggest risk is from employees using computer-based systems since
security prevention mechanisms within the network itself are rarely implemented
in the mistaken belief that perimeter defences are all that is required.” -
Maritime Cyber Security White Paper - ESC Global Security
The project will be developed by a working group consisting of a small number of
interested parties, primarily but not necessarily exclusively from the maritime domain. Led by
Fidra, the group will assemble a body of technical knowledge and best practices that will then
be handed over to a team of behavioural and creative specialists.
A primary feature of this project is its collaborative nature, the sharing of information and
ideas for the benefit of the group (internally/privately where deemed appropriate) and for
the wider maritime community on release of the resource.
The technical working group will be tasked with:
• Assembling a body of reference materials and resources pertinent to the subject
  matter.
• Identifying the most commonly encountered risks and vulnerabilities and those that
  have the greatest potential to cause damage.
• Creating clear and unambiguous advice for a non-technical audience on ways to
  detect the presence of a risk, whether this be deliberate criminal activity or an internal
  system failure.
• Creating clear advice suitable for a non-technical audience on appropriate measures
  to take in response to the presence of a potential threat to protect the network.
• Collating a list of ‘Best Practices’ that should be adopted by all those with access to
  the corporate IT infrastructure.
• Discussing and sharing, although not necessarily publicly disseminating, internal
  procedures and IT system defence policies and Best Practices from a more
  technical perspective (suitable for corporate IT and security teams and management).
The above is subject to discussion and amendment but is a logical starting point.
Budget
The budget is yet to be defined, but will be agreed upon by all parties to the project prior
to commissioning the creative team. The cost will be shared amongst those involved.
Fidra will not seek to sell or otherwise monetise the project following release, with the aim
of achieving as widespread distribution as possible. This is the reason that the
development, production and distribution budget must be raised from industry partners.
“However, if the loss, damage, or liability was caused either directly or
indirectly by the use of a computer and its associated systems and software “as
a means of inflicting harm,” such loss, damage, or liability would be excluded from
coverage.” - Marsh & McLennan report
Fidra are in the process of encouraging a ‘headline sponsor’ who has an interest in raising
their profile within the maritime industry. This business or organisation may be less
involved with the creation of the content but will cover a significant proportion of the
production budget in return for the publicity generated by the release of the film(s). With the
sponsorship contribution it is envisaged that individual partners will invest somewhere in
the region of £5k (+VAT) each.
“ESC Global Security recommends that companies operating in the maritime
industries put cyber security awareness training at the top of the agenda for
users of technology and computer resources. This is one of the most effective
ways of reducing a company's exposure to cyber security threats and increases
both detection and incident response at the same time.” - Maritime Cyber Security
White Paper - ESC Global Security
While we are acutely aware of the financial position of many businesses in the maritime
sector in these challenging times, we must be aware of the need to balance prudence
with the ability to be creative and produce an effective resource. If the budget is too high,
the project will languish as an idea that never came to fruition. If the budget is too low, we
will be limited in what we can do and may fail our objectives by producing ‘just another
training film’.
For those looking to get internal budget sign-off, it may help to spread the cost across
HSEQ, Risk Management, IT and Marketing Dept. budgets, as each department stands to
benefit. The sum invested in this project could be recouped if just one cyber-attack or
failure can be avoided.
“It might be argued that the relatively low public profile of most marine
businesses means they are less likely to be the subject of a cyber-attack than
financial institutions, energy companies, public utilities, or airlines. That may be the
case, but nevertheless, the threat is real, and the results of a successful attack
could be catastrophic. Certainly, the lack of any inbuilt encryption or authentication
code in the critical systems used for navigation on board ship means that shipping
could be seen as a soft target, and that perception alone could be enough to
provoke an attack.” - Marsh & McLennan report
Resources & references
“Hackers working with a drug smuggling gang infiltrated the computerized
cargo tracking system of the Port of Antwerp to identify the shipping
containers in which consignments of drugs had been hidden. The gang then drove the
containers from the port, retrieved the drugs and covered their tracks. The criminal
activity continued for a two-year period from June 2011, until it was stopped by
joint action by Belgium and Dutch police. Cyber criminals will continue to do the
unexpected, and the nature of attacks of this sort will evolve.” - Marsh & McLennan
report
• IMO document MSC 96/4/1 (4th Feb 2016): Measures to enhance maritime security -
  Guidelines for Cyber risk management
• IMO document MSC 96/4/2 (9th Feb 2016): Measures to enhance maritime security -
  Guidelines for Cyber risk management
• IMO document MSC 96/4/5 (8th March 2016): Measures to enhance maritime security -
  Measures aimed at improving cybersecurity on ships
• IMO document MSC 96/INF.4: Measures aimed at improving cybersecurity on a ship
• BIMCO: The Guidelines on Cyber Security Onboard Ships
• United States National Institute of Standards and Technology's Framework for
  Improving Critical Infrastructure Security (the NIST Framework)
• ENISA (European Network and Information Security Agency): Analysis of cyber
  security aspects in the maritime sector (Nov 2011)
• Lancaster University: The Future of Maritime Cyber Security
• Marsh & McLennan report: The risk of cyber-attack to the maritime industry
• NCC Group: Maritime cyber security: Threats & Opportunities
• ESCGS: Maritime Cyber Security White Paper
• AMMITEC: Cyber Security Awareness Guidelines
• The Navigator: June 2016 issue
• ABS: The application of cyber-security principles to marine and offshore operations
Contact details
Interested parties should in the first instance contact Chris Young:
Chris Young MNI
Executive Producer
Fidra Films
Tel: +44 (0)7500 906 220
chris@fidragroup.com
“... it is important that security procedures and processes are in place so that
operators know how to identify a potential security threat or have been trained to
respond when a cyber attack is in process.
Cyberspace was once just a way to communicate but now pretty much everything
depends on it. Our critical infrastructures for energy, healthcare, banking, transportation and
water are dependent on how well we protect and secure the systems and the data that
controls them.” - Maritime Cyber Security White Paper - ESC Global Security
Fidra Films is a trading name of Fidra Group Ltd, a company registered in England and
Wales No. 9864419, VAT Reg. No. 232197420
Project partners
To become a partner in this groundbreaking project please contact us directly. See below for
details.
For reasons of project scale and collaborative logistics, places are strictly limited and will be
offered on a first-come, first-served basis.