Professional Documents
Culture Documents
REQUIREMENTS
FOR IMO 2021
Inmarsat
Research
Programme
WHITE PAPER
NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
2 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
CYBER SECURITY
REQUIREMENTS FOR IMO 2021
CONTENTS
1 Introduction 5
2 Cyber risk management – the threat to ships 6
– Ship threats and vulnerabilities 6
– Hardware, software, personnel 8
3 The basis for IMO 2021 10
4 IMO 2021 in practice 13
– Systems inventory 14
– Risk assessment scope 15
– Responsibilities 15
5 IMO 2021 compliance 17
– Responding to, recovering from and training
for cyber attacks 18
– A pathway to compliance 18
– Compliance checklist 18
6 Fleet Secure Endpoint – an introduction 20
– Security and endpoints 21
– FSE onboard 22
7 Fleet Secure Endpoint – supporting IMO 2021
compliance 24
– Identify, Protect, Detect, Respond and Recover 24
– Recovery, reporting, manageability 26
– FSE compliance checklist 27
– FSE key benefits 28
8 Fleet Secure Endpoint - installation and use 30
– Dashboard and alerting 30
– FSE use in context 31
9 Cyber security, Crew Training and Awareness 32
10 Fleet Secure Endpoint – real case studies 34
11 Conclusion and Next Steps 36
inmarsat.com 3
White Paper
Cyber security requirements for IMO 2021
4 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
* Safety at Sea and BIMCO cyber security white paper. Downloadable at: https://www.bimco.org/-/media/bimco/about-us-and-our-
members/publications/ebooks/cyber-security-guidelines-2018.ashx
** Managing Ports’ Cyber Risks: https://www.britishports.org.uk/system/files/documents/bpa_astaara_white_paper_0.pdf
inmarsat.com 5
White Paper
Cyber security requirements for IMO 2021
6 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 7
White Paper
Cyber security requirements for IMO 2021
However, ships themselves increasingly play a fully six months according to an Inmarsat analysis of its
connected data-centric role in the supply chain. Fleet Xpress customers. The need for cyber
In doing so, common cyber vulnerabilities can be resilience has therefore never been greater.
found onboard existing ships, and on some new-
build ships. These may include:
– Obsolete and unsupported operating systems HARDWARE, SOFTWARE AND PERSONNEL
– Outdated or missing anti-virus software and Understandably, the ship at sea is not itself likely
protection from malware to be the focus for targeted Denial Distribution of
– Inadequate security configurations and Service (DDOS) attacks, whose targets tend to be
best practices, including the use of default corporate or more transactional. However, malware
administrator accounts and passwords, and and Ransomware can be introduced easily enough
ineffective network management to the unguarded ship network, via:
– Shipboard computer networks which lack
– Terminal hardware
boundary protection measures and segmentation
– Software updates
– Safety-critical equipment or systems always
– Misconfigured systems
connected with the shore side
– Inadequate integration
– Inadequate access controls for third parties
– Maintenance and design of cyber-related
including contractors and service providers
systems
If these vulnerabilities are well-known, it is also
In addition, ship networks are vulnerable to cyber
widely recognised that incidents onboard are
threats arising from:
under-reported. Furthermore, a hallmark of
successful cyber crime will be a lack of publicity. – Email, Phishing, social media scams, etc.
In fact, the full extent of the incidents affecting – USB memory stick as a source of malware
shipping is therefore hard to gauge. In one alleged – Downloaded malware
incident, a ballast water management system – Connection with infected devices – cell phone,
cyber breach saw a ship heeled, with control only laptop, tablet
returned to the crew after a ransom was paid. – Unauthorised use of bandwidth, exposing a lack
However, the owner apparently preferred to leave of network segregation
the matter unreported, subsequently denying the
These second types of vulnerability relate to ‘the
whole episode over concerns that the ship would
human element’, and specifically to weaknesses
not be accepted for charter.
in cyber resilience brought by shortcomings
It is nonetheless fair to point out that – for the in procedures, training and awareness among
connected ship – the vulnerabilities listed above personnel.
are not simply exposed to the same spread of cyber
Even setting aside the operational headaches, cost
threats as land-based counterparts: they are also
of system renewal and expenditure on training that
subject to the General Data Protection Regulation
a cyber breach can bring, ships that fall victim to a
(GDPR). Effective in EU jurisdictions from 2018, GDPR
cyber attack can expect far-reaching implications
requires businesses to demonstrate sufficient
that may include:
control and protection over the data they own
- especially if they subsequently have a breach. – Claims against interruption to operations, e.g., a
Failure to comply can bring fines of up to 4 per virus affecting onboard systems causes costly
cent of an organisation’s global turnover or £17.5m, delays in getting to port, potentially leading to
whichever is higher. cargo claims/charter party disputes
– Loss of business-sensitive information could
With more devices on board, and more applications
result in blackmail, with settlement no guarantee
and media channels being used than ever before,
of closure
some ships are doubling their data usage every
8 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
SYSTEMIC VULNERABILITIES
IMO highlights the following ship systems as
vulnerable to cyber attack:
1. Bridge systems
2. Cargo handling and management systems
3. Propulsion and machinery management and
power control systems
4. Access control systems
5. Passenger servicing and management systems
6. Passenger facing public networks
7. Administrative and crew welfare systems
8. Communication systems
inmarsat.com 9
White Paper
Cyber security requirements for IMO 2021
10 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 11
White Paper
Cyber security requirements for IMO 2021
12 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 13
White Paper
Cyber security requirements for IMO 2021
Incorporating cyber risk into the SMS can take – IoT Systems
several months, depending on the complexity of – Navigation
the systems onboard the vessel involved. Meeting – Engine Control
the 2021 deadline, or the first inspection thereafter – Cargo Control
will require a combination of technical mitigations, – DP, Gas, Firefighting, etc.
revised (or new) procedures and staff/crew training – ICT – Business Computer System
to develop a practical and cost-effective route to – ICT – Crew Systems
compliance.
This list needs to include:
It is important to add that ISM does not prescribe a
Hardware
calendar schedule for assessing new risks, instead
advising that they are accommodated as soon – Record make, model, version, function on all your
as possible. For this reason, the SMS should be hardware
considered by owners as a ‘live’ document that is – Individual hardware (and IP address) and patch
regularly updated and improved as risks evolve. panel, power
– Take note of possible attack surface/connection
point among your hardware and work to secure
SYSTEMS INVENTORY them (USB, Ethernet, exposed wiring)
14 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
Existing documentation should be used as much as normally be responsible for the owner/manager ISM
possible (especially Technical & Engineering details. documentation system for ships, for example.
In terms of response and recovery, it is also the Critically, under IMO 2021, at a minimum a ship’s
owner’s/manager’s responsibility to formalise the SMS will identify the party ashore and onboard
workarounds that address cyber security gaps, so taking responsibility for cyber security (ICT
that the ship can continue to operate in the event Manager, Chief Security Officer, or any other).
of a cyber attack or its aftermath, or risks can be
In broad terms, that individual will take
mitigated. Workaround plans for critical systems
responsibility for:
and processes should be incorporated into the
network and system design and described for – Having an understanding of the extent of cyber
Captains in a vessel’s emergency manuals. These risks
plans should include instructions and/or checklist – Managing crew awareness of and preparedness
in the event of critical system failure, due to cyber for threats to the vessel’s systems
incident or unplanned system breakdown without – Steps to secure ship systems to minimize the
a need to request and wait for help from the shore impact if a threat is actualised
office. Given that, in line with the ISO27001 standard, IMO
The responsibility for verifying these steps when 2021 also states that the owner’s risk assessment
the ship’s Document of Compliance is due for should be auditable for the following attributes:
renewal also falls to the ship’s owner/manager. – The hardware installed
– The software in use
– Details of what is connected to the network
RISK ASSESSMENT SCOPE – How the above is protected
The goal of the assessment of a ship’s network The Fleet ICT Manager will need to work with the
and its systems and devices is to identify any Head of Crewing to ensure that Crew understands
vulnerabilities that could compromise or result the importance of cyber security and have been
in either loss of confidentiality, loss of integrity trained either in the classroom or online. A record
or result in a loss of operation of the equipment, of the crew’s performance in these training
system, network, or even the ship. As explained exercises should be kept on file by the HR/Crewing
elsewhere, these vulnerabilities and weaknesses department.
broadly fall into one of the following categories:
1. Technical such as software defects or outdated
or unpatched systems
2. Design such as access management, unmanaged
network interconnections
3. Implementation errors for example
misconfigured firewalls
4. Procedural or other user errors
RESPONSIBILITIES
IMO 2021 requirements do not cover servers or
staff onshore but they clearly have a major impact
on fleet management. For example, the individual
managing the Fleet IT policy and documentation
(usually, the ‘Fleet ICT Manager’) will would also
inmarsat.com 15
White Paper
Cyber security requirements for IMO 2021
16 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 17
White Paper
Cyber security requirements for IMO 2021
3. Has measures in place to protect systems and of backup email ID from ship-to-shore and from
software onboard shore-to-ship
4. Has response measures in place to deal with – Fall back to paper charts in case of compromised
a cyber attack, specifically related to system ECDIS
redundancy, training and workaround plans
In all cases, the Fleet ICT Manual inserted into
the Ship’s SMS/ISM Code documentation should
provide full guidance ad document the Cyber
RESPONDING TO CYBER ATTACKS Response Plan for all critical on-ship systems
The Cyber Security Plan should, at minimum,
include:
– A process for initial incident triage
TRAINING FOR CYBER ATTACKS
– Steps to quarantine all electronic traffic to and As the Plan is part of the Vessel’s ISM it is also
from ship or fleet. Procedures for alerting and essential to periodically carry out drills to test
requesting communication vendors to check any issues, train the crew, HSSE team and any
traffic other stakeholders on how to respond to a cyber
– Procedures for keeping corporate IT security incident onboard ship, and encourage a culture of
department abreast of the situation continual improvement. This means ship owners
– Procedures to secure/establish backup and managers should give cyber security drills
communications to the affected vessel(s) the same weight as they give any regular Incident
– Steps to stabilize and isolate the infected system Management Drill – whether for grounding, ship
to guard against further spread fire or collision.
– Steps for gathering Intelligence and evidence
Under the new regime, cyber drills should be
from affected systems
conducted across the fleet at least once a
– Procedures for executing recovery of critical
year to test response procedures and assess
systems remotely
crew preparedness, procedures during a cyber
– Arrangements for completely replacing the ICT
incident onboard. It is essential that the Ship
system at next safe port after cyber event
Manager’s Incident Commander takes charge
and demonstrates effective leadership in these
exercises to ensure the security of the ship, its
RECOVERY FROM CYBER ATTACKS crew and cargo, while allowing the Fleet IT team to
Workaround plans are required to take account of concentrate on securing the ICT infrastructure and
possible failures in critical shipboard systems, with resolving the cyber issues.
the processes described in a vessel’s emergency In addition, regular anti-phishing campaigns and
manuals so that the Captain can respond without penetration testing using simulated malicious
the need to ask for help from/wait for shore-based emails can maintain high-levels of crew vigilance
colleagues. These plans should provide the Captain and test onboard systems and processes.
with instructions and/or a checklist on what to do. Penetration testing by professional ‘white-hat’
In the case of cyber resilience, workarounds plans hackers should also take place to identify technical
might include: weaknesses.
– Actions to restore crashed/ failed email clients or
degraded/failed ship-shore communication links;
use backup FleetBroadband for email/voice until
A PATHWAY TO COMPLIANCE
recovery As the leading supplier of ship-to-shore
– Actions to work around/recover failed PCs connectivity in commercial shipping, Inmarsat
– Usage of citadel telephone to send telex; testing is also a stakeholder where the development of
18 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 19
White Paper
Cyber security requirements for IMO 2021
20 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 21
White Paper
Cyber security requirements for IMO 2021
22 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
Web control R R
Two-way firewall R R
Botnet protection R R
Ransomware prevention R R
Multi-engine scanning R
Network monitoring R
Asset inventory (software, hardware,
driver, etc.) R
inmarsat.com 23
White Paper
Cyber security requirements for IMO 2021
PROTECT
07 FSE is built around ESET Endpoint Security, an
FLEET SECURE ENDPOINT AND award-winning enterprise-grade endpoint security
product, and has special adaptations for use in a
maritime setting. It not only detects and blocks
FLEET XPRESS - SUPPORTING IMO files with known signatures from operating but
monitors low-level system calls and actively
2021 COMPLIANCE analyses software for suspicious behaviour in real
time.
Fleet Secure has been designed to align with IMO’s
five pillars for cyber resilience, namely: identify; – Botnet protection shuts down malicious
detect; protect; respond; and recover, while its connections to known botnets. Botnets hijack a
reporting function has been developed with IMO machine without the owner’s knowledge to carry
compliance in mind. In addition, an ISO 27001 audit out Distributed Denial of Service (DDOS) attacks.
of FSE conducted by DNV GL describes Fleet Secure When activated, they consume processing power
Endpoint as a single product which can assist in and cause spikes in bandwidth consumption.
achieving IMO 2021 compliance. Although Fleet – Multi-engine scanning broadens detection by
Secure Endpoint works across all of Inmarsat's using malware signature databases from multiple
maritime services, to maximise protection and security vendors so that new fingerprints
compliance FSE should be used in conjunction with not known by all vendors are included during
Fleet Xpress, which provides reliable high-speed inspection.
internet access with the ability to separate crew – Ransomware prevention detects and prevents
and business traffic and make it easier to respond malicious encryption attempts before they have
and recover to attacks. a chance to initiate and encrypt the device.
– Two-way endpoint firewall blocks malicious
incoming and outgoing network traffic.
IDENTIFY – Anti-spyware terminates malicious applications
designed to steal sensitive information.
Fleet Secure highlights where errors and warnings – Anti-phishing blocks connections to sites known
have occurred in the vessel/fleet, which enables to extract confidential user information.
the designated security personnel to quickly – Web control allows the system administrator
ascertain potential weak spots that require further granular control over the websites users can visit.
investigation. It does this using a powerful network – Endpoint Threat alerting sends an email
scanning and monitoring module, called Teyla, notification to the system administrator listing
that automatically detects devices on the local recently detected threats on vessel/s.
network and checks whether Fleet Secure Endpoint
(FSE) is installed. If not endpoints will be marked as
‘rogue nodes’ and alerts are raised as an alert. The RESPOND
designated security officer can either allow or deny
network access privileges to that device. Knowing how to react during and after a cyber-
incident is critical to a well-rounded cyber security
This oversight means someone on the vessels is strategy. It is necessary to envisage a wide range of
always aware of what is connected to their network. potential scenarios and plan the steps needed, to
To aid network audits, on machines where installed, contain their impact on vessel operation and safety
FSE will also collect data on installed software, and secondly to restore impaired systems and
hardware and system configuration. recover data in a timely fashion.
FSE can assist the response stage in several ways.
In contrast to off-the-shelf products, the service
24 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 25
White Paper
Cyber security requirements for IMO 2021
26 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 27
White Paper
Cyber security requirements for IMO 2021
28 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 29
White Paper
Cyber security requirements for IMO 2021
30 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
multiple operating systems. For Windows operating Scenario: a crew member opens a phishing email
systems, Vista and up is supported. OSX, Linux and
The Fleet Secure Endpoint response:
their mobile counterparts IOS and Android are also
supported. – Scenario 1: If FSE is fully updated then it should
have detected that virus.
Fleet Secure Endpoint is distinguished from
– 1.1: The SOC is notified of this activity.
Endpoint Detection & Response (EDR) packages.
– Scenario 2: FSE is not updated, the virus is not
While these solutions are highly effective, they
detected, and the ransomware process is not
demand strict ship networking setup to ‘signature’
stopped.
and check every file on the vessel, consuming
– 2.1: The SOC is notified of this activity.
huge amounts of data. FSE addresses attacks
– Scenario 3: The firewall in FSE introduces
and infections without needing to signature each
segmentation of the network so that the virus
file, saving on costs and data usage. In fact, FSE
cannot spread to other PCs as they block the
frequency and control reporting times can be
incoming attack.
adjusted, with data usage as low as 5MB a month.
Where ships have internet connectivity, Inmarsat Fleet Secure Endpoint handles all of these
recommends more frequent reporting of network scenarios automatically. An option is also available
status so that its security operation centre can take to block out an endpoint from the network
swift action when malicious traffic is detected. remotely.
In addition, Fleet Secure Endpoint can be used
onboard vessels using FleetBroadband as their
connectivity solution. In this case, trench rules
need to be set correctly and onboard firewalls
(if any) must be updated to accommodate Fleet
Secure Endpoint IPs and port numbers.
inmarsat.com 31
White Paper
Cyber security requirements for IMO 2021
32 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
inmarsat.com 33
White Paper
Cyber security requirements for IMO 2021
10
FLEET SECURE ENDPOINT - REAL
CASE STUDIES
CASE 1 CASE 2
Vessel type: Undisclosed Vessel type: Liquid Ethylene Gas Carrier
Assailant: Multiple infections with normal anti- Assailant: Emotet trojan, causing vessel
virus installed operations to stop
The customer was using Palo Alto cyber security Emotet is well-known as a trojan in banking circles
software when the vessel was hit by multiple but was detected as infecting the majority of
infections, including Trojans, Worms and data machines onboard a LEG Carrier, becoming active
exfiltration viruses infesting the system. The whenever a PC was switched on. The virus can
customer decided to install Fleet Secure Endpoint intercept and exfiltrate data transmitted and
as part of a shipboard trial. Inmarsat’s engineer saved when the user is browsing banking websites,
found 79 infections that had not previously been resulting in leakage of sensitive data and malicious
detected. use of the user's banking details.
Among the significant findings, the HTTP Filter As part of a Fleet Xpress agreement, the ship was
detected users onboard unknowingly visiting equipped with two Fleet Secure Endpoint security
websites serving malicious code. The connection modules, installed across all PCs onboard:
was dropped, and the user informed accordingly.
Again, the FSE email filter detected infected caret-right Advanced Memory Scanner – This detected
attachments, including: Emotet in the memory, terminated and blocked it
from recurring.
– CoinMiner.T trojan (A trojan which uses system
caret-right Heuristic Intrusion Prevent System (HIPS) – This
resources to mine cryptocurrency for its
detected the malicious code being executed and
distributor)
stopped the execution of this code.
– TrojanDownloader.Agent.OJL trojan (a trojan
capable of downloading and executing other The virus was successfully cleared from the
malicious code) memory on all infected devices.
– Agent.AQ trojan (A trojan agent template
frequently used as a starting point for malicious
code that can be modified to do whatever the
malicious actor wants)
The FSE email filter disposed of these infections,
preventing further infections.
34 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
CASE 3 CASE 4
Vessel type: Undisclosed Vessel type: Bulk carrier
Assailant: Sohanad worm Assailant: CoinMiner
A USB memory stick infected with the NCB worm The vessel in question had trialled Fleet Secure
Sohanad was connected to an endpoint onboard Endpoint. After the trial’s conclusion, the ship ran
ship. Sohanad spreads via removable media and for two months without FSE. On re-installation of
shared folders: once it has infected any part of FSE, all devices onboard that were tested were
the network, it tries to replicate itself by infecting found to have been infected with a CoinMiner.
applications and files. CoinMiners use a device’s processing power to
mine cryptocurrency for the attacker without the
Two Fleet Secure Endpoint security modules were
user’s knowledge.
implemented:
FSE was able to neutralise all threats.
caret-right Real-time file system protection – Detected that
files were being infected and automatically
halted the process from accessing files so it
could be investigated by the engine.
caret-right Heuristic Intrusion Prevent System (HIPS) -
Detected the malicious code that was causing
the replication and stopped the execution of this
code.
Fleet Secure Endpoint was able to stop the infection
from continuing, cleaning 17.000 infections in the
process.
inmarsat.com 35
White Paper
Cyber security requirements for IMO 2021
11
NEXT STEPS - HOW TO PROCEED
CYBER RESILIENCE FOR IMO 2021 – NEXT STEPS
HOW TO PROCEED WITH FLEET XPRESS ENDPOINT
APPOINT Appoint person on board for cyber security planning for IMO requirements
Angle-Down
Review and check plan against guidance on onboard ICT covering communication
REVIEW and ship networks for business/crew
Angle-Down
PURCHASE FSE Purchase FSE – one month free trial available
Angle-Down
PREPARE Remove any existing anti-virus software on each endpoint
Angle-Down
DOWNLOAD Download and run the installer
Angle-Down
SET-UP Set-up dashboard, manage reports
Angle-Down
CREW TRAINING Crew to complete MLA e-learning module, records kept for compliance purposes
Angle-Down
Repeat crew cyber awareness training annually – periodic threat intelligence
REPEAT offered via FSE
36 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021
For further information and questions, please contact the Inmarsat Maritime Security Services team:
Maritime.Security@inmarsat.com
inmarsat.com 37
inmarsat.com
While the information in this document has been prepared in good faith, no representation, warranty, assurance or undertaking (express or implied)
is or will be made, and no responsibility or liability (howsoever arising) is or will be accepted by the Inmarsat group or any of its officers, employees or
agents in relation to the adequacy, accuracy, completeness, reasonableness or fitness for purpose of the information in this document. All and any such
responsibility and liability is expressly disclaimed and excluded to the maximum extent permitted by applicable law. INMARSAT is a trademark owned
by the International Mobile Satellite Organization, licensed to Inmarsat Global Limited. The Inmarsat LOGO and all other Inmarsat trade marks in this
document are owned by Inmarsat Global Limited. In the event of any conflict between the words of the disclaimer and the English version from which it is
translated, the English version shall prevail. © Inmarsat Global Limited 2020. All rights reserved. Cyber Security Requirements for IMO 2021 White Paper.
November 2020.