Determining maritime cyber security dynamics on the perspective of marine insurance and development of maritime cyber security risk management tool

Activity: Examination and supervision (Supervision, External)

Description

With so much digitization and interconnection happening in the maritime industry, cyber security has become a very important issue. In particular, ships have combined information technologies (IT) and operational technologies (OT), joined global networks, and added high-tech digital industrial systems. Vessel systems in the digital realm can break down by accident or be attacked on purpose. Cyber security in the marine sector is more important than ever for national security and international economic growth, as well as for protecting systems and preventing accidents, deaths, and damage to the environment. Moreover, a cyber breach causes monetary loss, disruption of corporate activities, and reputational damage. With so many potential threats, it is in the best interest of any business to contain an incident as soon as possible and strengthen its defenses so that normal operations can resume. This objective can only be fulfilled by first addressing the dual challenges of defending ship systems against attack and of the design of those systems and their supporting processes.

IT and OT, such as control systems, actuators, sensors, radar, etc., are all part of a ship's cyber environment, which is made up of different networks that talk to each other. Services, data, commerce, and social activities are all made available over the ship's internal network. Human security, the insider threat from shore or on board, ship-owners, operators, stakeholders, procedures, processes, and physical features are all important parts of cyber security in the marine industry. Within the parameters of these resources, proper action must be taken.

Cyber security in the maritime sector has evolved over time in a hierarchical fashion, and the aforementioned framework has been found to be explicitly articulated at each level of this evolution. It was not until the 2010 Strategic Defense and Security Review identified cybercrime as a top threat to national security that it really began to gain traction in the marine industry. In 2011, the European Union Agency for Cybersecurity (ENISA) brought attention to the maritime sector's lack of cyber security awareness and published recommendations to improve the situation. In 2016, the International Maritime Organization (IMO) produced a circular outlining best practices for managing cyber risk in the marine industry. As stated in this circular, cyber threats are to be adequately addressed under the International Safety Management (ISM) Code by January 1, 2021. The Baltic and International Maritime Council (BIMCO), Det Norske Veritas (Norway) and Germanischer Lloyd (Germany) (DNV-GL), the Cruise Lines International Association (CLIA), the International Trade Association for the Ship Management Industry (INTERMANAGER), the International Association of Dry Cargo Shipowners (INTERCARGO), the International Association of Independent Tanker Owners (INTERTANKO), the Oil Company International Marine Forum (OCIMF), etc. all updated their respective recommendations for cyber security on ships to reflect these changes. An analysis of the published research on cyber security in the maritime sector reveals that, as of 2018, the maritime sector has advanced past the operation level for cyber security. The years 2019, 2020, and 2021 have seen the appearance of cyber security risk assessment and management studies. There is a dearth of studies in the literature that examine cyber insurance from a marine viewpoint. At the moment, cyber security provisions in maritime insurance policies are extremely limited. There is a deficiency in marine cyber insurance due to the following provisions, insurances, and endorsements: CL380, "Institute Cyber Attack Exclusion Clause"; LMA5402, "Marine Cyber Exclusion Clause"; LMA5403, "Marine Cyber Endorsement"; and P&I, "Protection & Indemnity Insurance."

A ship's cyber risk includes its vulnerability to attacks from outside sources like hackers or viruses, as well as internal threats like data corruption and system failures caused by mistakes in the ship's safety, security, or operations. In the maritime industry, cyber security affects logistics, shipping, the supply chain, business processes, transportation, and more. So, for a marine business to have a high level of cyber security, maritime cyber risk must be part of how the business handles risks and makes decisions. Cyber threats in the maritime industry span the gamut from the mundane to the potentially catastrophic. Thus, cyber risk management in various insurer types, including P&I clubs, hull and machinery insurance, transportation insurance, and stand-alone cyber insurance policies, must be implemented to strengthen cyber insurance.

It's important to note that while cyber losses can come in many forms, there are also many ways to prevent them. As a rule, the strategies employ a dual approach. In the first place, there is the design approach, which is used to create the framework and activities of the system. The other is shifts in operational strategies, which may involve new approaches to commerce. Methods for controlling cyber threats include the use of antivirus programs and funding for a trained cyber workforce. Cyber risk, on the other hand, can be reduced with the use of developed theoretical concepts and preventive technical solutions like software encryption, firewalls, system separation, and virus detection. Organizational measures for cyber risk can be broken down into three categories: procedural measures, which involve operational and management systems; structural measures, which involve hardware and software; and responsive measures, which involve damage assessment and response management when an attack or incident is discovered. Institutions should understand that the aforementioned steps will not eliminate all cyber risk, so they should properly manage any remaining risks and consider purchasing cyber insurance to offload some of the responsibility for protecting against cyber-attacks onto another party.

All in all, the goal of the thesis was to find out how IT and OT affect maritime cyber security for ships and to build a tool for managing maritime cyber security risks from the point of view of marine insurance. The research highlighted the growing importance of cyber security in the maritime industry and the need for a comprehensive risk management approach to address the cyber threats faced by ships. The study identified the key cyber security risks facing ships, including data breaches, system disruptions, and physical safety threats. It also highlighted the importance of addressing both IT and OT security, as these two systems are increasingly interconnected in modern vessels. Based on these findings, a maritime cyber security risk management tool was developed that can assist ship owners and operators in identifying and mitigating cyber security risks. The tool takes into account the specific risks facing each vessel and provides a customized risk management plan that includes technical, organizational, and insurance-based measures. For this purpose, the bridge navigation systems, including the Electronic Chart Display and Information Systems (ECDIS), Radio Detection and Ranging (RADAR), Voyage Data Recorder (VDR), and Automatic Information Systems (AIS), are taken into consideration. Their IT and OT dynamics are determined in order to understand the extent of their cyber space. The vulnerabilities of each system, the possible cyber threats against it, and its risk level for those threats are defined. By creating a framework based on the triad of technology, policy, and humans, the mitigations and barriers are determined under the processes of identification, protection, detection, response, and recovery. These treatments provide a checklist for ship bridge navigation systems' cyber security.
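The following is an added illustration of the kind of per-asset risk register the paragraph describes, not the thesis's own tool or data: each bridge system gets a likelihood x impact score, mitigations are tagged with one of the five process steps and one leg of the technology/policy/human triad, and the register reports residual risk plus the process steps that still have no treatment. The scales, thresholds, sample threats and reduction factors are all constructed for the example.

```python
from dataclasses import dataclass, field

# Process steps and the technology/policy/human triad named in the thesis abstract
FUNCTIONS = ("identification", "protection", "detection", "response", "recovery")
DOMAINS = ("technology", "policy", "human")

@dataclass
class Mitigation:
    name: str
    function: str     # one of FUNCTIONS
    domain: str       # one of DOMAINS
    reduction: float  # constructed: fraction of likelihood the control removes (0..1)

@dataclass
class Threat:
    asset: str        # bridge system: ECDIS, RADAR, VDR or AIS
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (catastrophic), constructed scale
    mitigations: list = field(default_factory=list)

def risk_level(score: float) -> str:
    """Map a likelihood x impact score onto a three-band matrix (constructed thresholds)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def inherent_risk(t: Threat) -> int:
    return t.likelihood * t.impact

def residual_risk(t: Threat) -> float:
    """Controls only lower likelihood; impact is left unchanged (modelling assumption)."""
    likelihood = float(t.likelihood)
    for m in t.mitigations:
        likelihood *= 1.0 - m.reduction
    return round(likelihood * t.impact, 2)

def coverage_gaps(t: Threat) -> list:
    """Process steps with no treatment at all; these become open checklist items."""
    covered = {m.function for m in t.mitigations}
    return [f for f in FUNCTIONS if f not in covered]

def build_checklist(threats: list) -> dict:
    """Per asset: inherent and residual risk band, open gaps, and treatments by process step."""
    out = {}
    for t in threats:
        by_step = {f: [m.name for m in t.mitigations if m.function == f] for f in FUNCTIONS}
        out[t.asset] = {"inherent": risk_level(inherent_risk(t)),
                        "residual": risk_level(residual_risk(t)),
                        "gaps": coverage_gaps(t), "treatments": by_step}
    return out

# Constructed sample register (not the thesis's data)
SAMPLE = [
    Threat("ECDIS", "malware infection via removable media", 4, 5, [
        Mitigation("removable-media policy", "protection", "policy", 0.5),
        Mitigation("antivirus on the ECDIS workstation", "detection", "technology", 0.4),
        Mitigation("crew cyber awareness training", "identification", "human", 0.2)]),
    Threat("VDR", "corruption of recorded data", 2, 3, [
        Mitigation("periodic backup and restore drill", "recovery", "technology", 0.3)]),
]
```

Running `build_checklist(SAMPLE)` shows the ECDIS entry dropping from a high inherent band to a low residual band while still flagging response and recovery as untreated steps.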

In the thesis, in order to better assess cyber risks in the marine industry and lay the groundwork for a cyber insurance policy, it is proposed to use the risk management strategy outlined in "The Guidelines on Cyber Security Onboard Ships". The purpose of that document is to explain why and how cyber hazards should be addressed in the maritime industry; risk assessment procedures, records, components, and owners are all part of it. Moreover, the International Organization for Standardization (ISO) 27000 family of standards is also used in the thesis, since it gives ship owners and other stakeholders in the marine sector a consistent approach to compliance. A set of guidelines for improving public opinion both on and off the ship, implementing cyber risk management in the marine industry, and validating the effectiveness of an Information Security Management System (ISMS) is utilized in the thesis.

To achieve the aforementioned goal, the thesis includes several separate studies, some of which have already been published and others which are currently being reviewed. The importance of this paper lies in its identification of and recommendations for resolving maritime cyber security challenges from the vantage points of maritime cyber risk and maritime cyber insurance.

The thesis's primary teaching goals are to (i) introduce the significance and essence of maritime cyber security within a holistic framework, (ii) illustrate the potential impact of cyber-attacks on board a vessel and risk assessment, (iii) show the significant impacts of a cyber incident on the maritime environment, and (iv) identify the dynamics affecting any breaches in the scope of maritime cyber security in marine insurance.
Period: 2025
Examinee/Supervised Person: Gizem Kayisoglu & Pelin Bolat