One year of IMO’s Cyber Security resolution: what has changed and the road ahead

As the pandemic continues for the third year, the shipping industry has been facing some heavy headwinds - from container shortages, congested ports, vessels having to wait for days outside ports to crew change crisis - the whole industry has been heavily focused on solving these current supply chain issues while keeping all operations safe. Ironically, this pandemic - the catalyst of all the chaos - has also made the case for digitalisation as well as amplified the need for cyber resilience.

The goal of maritime cyber risk management is to ensure safe and secure shipping. Understanding how different software systems, hardware solutions and network connections contribute to maritime operations and improving the resilience and robustness of these systems is essential. As the technology, commercially available solutions and legal instruments related to maritime operations are all currently evolving at different speeds, we are navigating a constantly changing maze of emerging requirements and risks.

On the other hand, data-driven operations are shaping the next phase of efficiency in shipping. As the industry increasingly uses remote activities like type approvals and class inspections, and gathers big data to improve efficiency of systems, the solutions introduced are breaking traditional cyber security barriers. So, where do we go from here?

To mark the one-year anniversary of IMO's Resolution on Maritime Cyber Risk Management Resolution, which came into effect in January 2021, we sat down with our Head of Cyber Security, Päivi Brunou, to discuss how much things have changed in the past one year and what more is needed going forward to strengthen Maritime's cyber resilience.

Voyage: It's exactly a year since the IMO Resolution MSC 428(98) came into effect. What are the biggest changes in the industry since?

Päivi: For one, cyber security is discussed much more, and not only just with the technical peers. We are increasingly seeing existing fleets, as well as new builds, being surveyed by third-party to give vessel owners an understanding of the cyber security posture of the vessel. Another immediate and easily observable change is that cybersecurity is now increasingly becoming part of contracts and tender processes. For instance, during tendering processes, our customers also want to understand how Wärtsilä approaches cyber security as a company and how, for example, we manage our own risks related to supply. We have also introduced a secure way of exchanging confidential data when planning a maintenance visit to a vessel and need to share the personal information of our service engineers. Crew training and awareness activities are also increasing as vessel owners are realising that role-tailored training (technical roles versus hospitality roles, for example) is needed.

Voyage: Although the IMO 2021 is about how shipowners manage risk, there are indirect consequences for suppliers and digital technology providers, such as Wärtsilä Voyage. Could you tell us a little bit about how the cyber landscape has changed for marine technology providers in the last year?

Päivi: Absolutely, even though we (vendors) are not directly bound to comply with the IMO 2021's set of requirements, our main motivation is to understand rationale and goals of our customers so that we can implement context relevant and effective cyber capabilities.

Us supporting the customers often means very practical work like improving the technical controls and capabilities to reduce attack surfaces in the systems or helping the vessel operators to identify the residual risks and then work together to implement best way to minimise those through layered security activities, vulnerability management activities, and such. We are also working with different third-party assessors when existing fleets and new builds are being surveyed to give owners an understanding of the cyber security posture of the vessel.

While it is true that security is in constant flux where context plays a critical role, there are a few fundamental principles that form the basis of any security journey. Our fundamental activities are related to secure product development, delivery and operations during the full lifecycle of the system.

We, therefore, define our security culture as an "all hands on deck" approach where cyber security skills are built into all business and technical teams. For this to happen we have introduced role-based training tailored for different teams and their tasks and increased focus on R&D.

Voyage: Would you say maritime 'cyber security' has matured? The IMO 2021 seems to be just a steppingstone. What's still lacking - what are the challenges and what's holding the industry back?

Päivi: The IMO 2021 regulation is a great catalyst. However, as cyber security is not static, we cannot just focus on checking-off regulatory boxes.

IIoT, Cloud and autonomous maritime systems are driving the maritime industry to leverage new technologies on multiple fronts. There is no silver bullet or any single approach, activity, technology, tool, or process that can address all things that cyber resilience demands. There are still barriers and inertia within the somewhat conservative maritime industry when it comes to addressing cyber security gaps.

Another low-hanging fruit that can be improved at large-scale is sharing of information related to maritime cyber security incidents and near-misses via trusted channels. Collecting the data and anonymising it will give us all better understanding if the activities already done are effective enough and where to improve next.

The above challenges create some great opportunities as well. As IoT, cloud and data-driven technologies become increasingly relevant, for this intertwined digital landscape of "systems of systems", we are beginning to see better collaboration, push for certifications and standardisation practices among stakeholders to keep the resilience of systems at all fronts.

Voyage: What are some of the major opportunities to improve cyber resilience that will unfold in the next 1-2 years?

Päivi: As resilience is needed for both products and business, the industry can collaborate at a level that goes beyond contractual relationships and obligations. We can leverage joint cyber security strategies to accelerate the adaptation of digital solutions within the maritime industry, for instance.

For the vessel owners to be able to safely and securely benefit from technological advances, understanding the impacts of the converging operational technology (OT) and information technology (IT) networks is a key question. Finding suitable solutions to monitor and protect these networks is a major focus currently and will also be for the next few years.

And then, on the human side, we need to find ways to create awareness and ensure people have the needed cyber-related skills that match their job profiles. For me, personally, one of the highlights during 2021 has been the collaboration with our partners where we are creating cyber security training scenarios for maritime simulator systems.

Voyage: More concretely, what are Wärtsilä Voyage's plans to capture these opportunities?

Päivi: While we continue to implement cyber security capabilities into products and solutions, we are looking forward for collaboration projects related to secure delivery and industry requirements.

With our key customers, we are aligning and formalising cyber security activities during new build acceptance tests. The target is to ensure consistent and identical cyber security posture across all newbuilds. Doing this together will shift the activities to earlier phases and reducing workloads for all parties.

On the product side, we still see a varied set of requirements and frameworks being requested - our approach is to understand the various sources of requirements, whether they are technical, contractual or legislative and build capabilities to reduce risks.

One key challenge in the maritime industry is the long lifecycles of the solutions onboard vessels. Meaning, finding solutions to keep the existing systems on a "good enough" level when it comes to cyber resiliency. Vulnerability management, offering system upgrade paths and patching opportunities have been a very practical activity that we, at Wärtsilä Voyage, continue to work on and provide a more gradual and stepwise solution to. Wärtsilä is also running a vulnerability disclosure program, and we are increasingly working with ethical hackers and cyber security researchers to strengthen our products.

We are also working to certify selected products along with the IEC 62443 set of standards addressing secure development on Industrial Automation and Control Systems (IACS) and the IEC 61162-460 maritime navigation and radio communication standards. Our Information Security Management System (ISMS) is developed in alignment with ISO 27001 information security management standards.

In addition to hands-on projects, industry collaboration around autonomous maritime operations, edge computing and emerging technologies involves cyber security as well. After all, maritime cybersecurity needs to be ready not only for what's happening today but what will be a reality during the next decade.

Voyage: You say that cyber security warrants "all hands on deck". There are two aspects of it: a) All hands on deck in terms of officers onboard and onshore; and b) All hands on deck in terms of industry collaborations. Thus, the following two questions:

i. Knowing that 84% of all cyber-attacks rely on social engineering and human behaviour, what needs to be done to resolve this?

ii. Product level resilience is one thing. But ships are, as you said, a "system of systems". As vessels become more complex and connected by the day, how are the various technology providers preparing to identify and align in order to manage risks arising from system integration throughout the lifecycle of the vessel?

Päivi: With regards to human behaviour, just like safety, cyber security needs to become second nature, not only a mindset but an everyday activity. Most of the learning is happening in assignments and regular work supported by coaching, courses and training. When changing a behaviour it's important to remember that a one-time activity will not bring the change; it needs to be integrated into routine operations. For instance, for our R&D teams, this means adapting secure development activities such as threat modelling into regular workflow. One of our major efforts during 2021 has been to improve code-centric security. With this, we are making it as easy as possible for the developers to make right decisions and produce secure code. We have, for example, increased automated security testing scope and introduced collective code ownership to increase transparency and monitoring. For vessel crew, it could mean regular drills how to identify, respond and recover for cyber events and making it easy to report concerns.

Coming to the second part, the maritime industry has already recognised the need to better understand the various threat vectors and their impact on vessel systems and maritime operations. A good example here is simulation and table-top exercises where different scenarios and their impacts to systems are evaluated. But that alone is not enough. The cyber security domain itself is also shifting. Traditionally, a lot of effort has been put into protecting the assets. This has meant building perimeter defences and leveraging a plethora of expensive tools. The shift we need to make now will help us all to answer question like: Do we know our critical assets? Do we know what data to secure? And do we have visibility of these systems? This is something where we all need to work towards together to be able to prioritise and concentrate on the right actions throughout the ecosystem.

Voyage: Taking the collaboration talk one level higher: it's known that improving cyber security is best achieved by talking with peers, proactive information exchange and collaborations - not just among industry stakeholders but also between public and private. How much has the marine industry matured in this direction and what else can be done?

Päivi: The evolving maritime cyber security is truly a 'VUCA environment'. Meaning, it is Volatile, Uncertain, Complex, and Ambiguous (VUCA). And one of the absolutely critical needs to operate in such an environment is acknowledging the interdependence of the various variables - in this case, technologies, businesses and global operations of the maritime industry.

We need to understand the broad array of issues that affect this domain; and we definitely do not fully yet understand the interdependence of the variables, especially the impacts in other domains such as smart cities and logistics chains.

Thus, we as a maritime community, need to become more inclusive, which not only involves leveraging public and private partnerships but also academia, various flag states and even intergovernmental organisations. A good example could be the financial world and how that community currently operates - they have established worldwide channels for unfettered information exchange on threats, impact reporting, and mitigation. Maritime too needs to leverage its existing architectures and evolve its information exchange policies. We need to have a collaborative approach on research, conducting broad-reaching exercises to fully understand its impact on the supply chain, throughout the ecosystem and wherever we sail in the world.

We are underway, but still need to turn a few more knots.