– Moby Dick, Or The Whale, Herman Melville
The past eighteen to twenty-four months have seen a tectonic shift of focus (as well as a plethora of industry-generated white papers) by virtually every governmental regulatory entity, NGO, and industry group in the maritime world (up to and including the President of the United States) to the amorphous and dynamic issue of maritime “cybersecurity,” a term that covers a large waterfront of potential threats. The United States Coast Guard (USCG) has adopted the following broad definition of “cybersecurity” from the U.S. Department of Homeland Security. National Infrastructure Protection Plan, 2013:
Cybersecurity – The prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability; includes protection and restoration, when needed, of information networks and wireline, wireless, satellite, public safety answering points, and 911 communications systems and control systems.
And with the recent September 2016 roll-out of what has been billed as the maritime industry’s first “cybersecurity” certification program by the American Bureau of Shipping (ABS) – the USCG’s foremost third-party delegated enforcement entity – vessel owners and operators would be well-advised to stay ahead of the ever-sharpening “cybersecurity” curve.
All of the competing (sometimes conflicting) and overlapping aspects of this ever- and rapidly changing issue are far beyond the scope of this blog post. Given that the majority of the focus in this area has tended toward the traditional blue-water shipping industry (viz. vessels and ports/terminals), this post will focus on ways that the inescapable brave new world of maritime cybersecurity is affecting, and will continue to affect, inland and offshore vessel operators.
THE CURRENT STATE OF AFFAIRS
“I know not all that may be coming, but be it what it will, I’ll go to it laughing.”
– Moby Dick, Or The Whale, Herman Melville
As Rear Admiral Thomas of the USCG commented in May of last year, the USCG has “been encouraging industry to start tackling this issue because . . . if you wait until we have a real cyber incident, it’s going to be fast, painful and expensive.” Cybersecurity, even if it may not be specifically spelled out in the current regulatory framework, must be actively addressed sooner rather than later by all vessel operators inland and offshore – despite the inherent complexity and foreignness (for many) of the systems for which cybersecurity measures are most critical. And a recent 2015 “Crew Connectivity Survey” by Futurenautics, based on responses from over 3,000 mariners worldwide (most employed in blue water shipping, but with some offshore/inland respondents as well), revealed that nearly half (43%) of seafarers had been on a vessel that had experienced a cybersecurity incident. And yet, only 12% of the respondents had undergone any form of cybersecurity training.
Thus, the implications of kicking the cybersecurity can down the road are not mere administrative regulatory concerns. If and when the first major offshore/inland marine casualty occurs as the result of a cybersecurity breach/incident, the bottom line consequences of a potentially shoddy/non-existent cybersecurity program contributing to the casualty may be cripplingly expensive. First, many traditional marine insurance policies (hull & machinery, protection & indemnity, marine CGL, and see specifically the “Institute Cyber Attack Exclusion Clause (CL380)”) often exclude liability for damages arising from cyberattacks/risks. Additionally, and relatedly, if an involved company’s cybersecurity program is so ill-advised/non-existent, in the face of so many available industry standards and so much regulatory guidance/admonition about the importance of cybersecurity, it could arguably render a vessel “cyber unseaworthy” – which in turn might void any insurance coverage that might otherwise apply. Likewise, a non-existent/incompetent cybersecurity program could potentially constitute negligence necessarily within the privity and knowledge of the vessel’s owner, which could potentially void the owner’s right to invoke limitation of/exoneration from liability.
And the potentially catastrophic outcomes of a serious cybersecurity incident for the offshore oil and gas and inland towing industries are not difficult to envision. If an OSV loses its dynamic positioning capabilities due to a cybersecurity breach while servicing a semi-submersible rig during critical downhole operations, a resulting collision between the vessel and rig could lead to loss of life and a major pollution incident, as the USCG itself has recently recognized in a Marine Safety Alert. Likewise, for an inland tug pushing a cargo of volatile oil and gas, if the electronic chart system or engine monitoring sensors were somehow compromised by a cybersecurity breach, it could lead to an allision/collision and explosion with equally catastrophic consequences.
Thus, while much of the higher profile discussions around maritime cybersecurity have focused on the blue water high seas, the stakes for the offshore and inland vessel industries, given their close link and frequent interfacing with critical and potentially catastrophically at-risk oil and gas infrastructure, may be even higher than those facing ocean-going shipping. Offshore and inland operators cannot afford to “go to it laughing” when it comes to assessing and implementing cybersecurity in their fleets and across their operations.
WHAT IS CYBERSECURITY AND WHAT ARE ITS IMPLICATIONS?
The most common associations with the term “cybersecurity” concern malevolent “hacks” in which groups or individuals – Melville’s “paid spies and secret confidential agents on the water of the devil” – infiltrate, take over and destroy or virtually “hold hostage” computer systems for nefarious purposes. These kinds of malevolent “hacks” can be generally sub-grouped into three categories: (1) so-called “hacktivism,” defined as “unauthorized digital intrusion to express a political agenda, [without intent] to create intimidation or fear”; (2) “cyber crime,” defined as “computer related crime referring to crimes committed through a computer” (e.g. the infamous Antwerp Port Hack – see Jordan Robertson and Michael Riley, The Mob’s IT Department: How two technology consultants helped drug traffickers hack the Port of Antwerp, Bloomberg Business Week, July 7, 2015); and (3) “cyber terrorism,” defined as “an unlawful attack against computer networks, to cause violence against persons or property, and as a result, to coerce a government.” See Rebekah Tanti-Dougall, Cyber Terrorism: A New Threat Against the Maritime Industry, Benedicts Maritime Bulletin, Vol. 12, No. 2 Second Quarter 2014, p. 49.
In addition, however, cybersecurity also encompasses non-malevolent security vulnerabilities – “dead reckoning of [an] error-abounding log” – that may arise due to poor system architecture, failure to update systems (both hardware and software) and potential incompatibilities among various systems (i.e. a third-party contractor’s software not properly syncing with, or potentially harming, a vessel’s own systems). All of these potential non-malicious security/compatibility issues fall within the realm of maritime cybersecurity. And as the maritime industry continues to increasingly and rapidly move to a seaborne “Internet of Things,” with “new assets being built as fully connected devices and older vessels . . . linking systems that were never envisaged being controlled or communicated with via the internet,” the pathways for both malevolent “hacks” and unintended security breaches will only increase. http://www.marsecreview.com/2015/11/the-maritime-security-cyber-threat/.
By way of context, a recent study by the Lloyd’s Market Association Joint Hull Committee (which is linked at the page of the Comite Maritime International’s “Cybercrime in Shipping” working group) concluded that while the risk of loss and damage to bulk and cargo shipping interests was relatively low given the current state of shipboard technologies, the risk is much “higher for specialised or technically advanced ships engaged in oil and gas exploration and exploitation by reason of remote systems access and the potential vulnerability of Dynamic Positioning.” Joint Hull Committee, Cyber Risk: A Joint Hull Committee Paper in Conjunction with Stephenson Harwood, LLP (September, 2015). Given that virtually all offshore operators, and a large portion of the inland fleet, work in the various upstream, downstream, and midstream phases of the oil and gas industry, the focus on cybersecurity is critical to these sectors. Likewise, the Coast Guard’s National Offshore Safety Advisory Committee (NOSAC) has recently issued a report (in response to a Coast Guard request for public comment via the Federal Register) on the issue of cybersecurity specifically on the Outer Continental Shelf. See NOSAC, Final Report – Cybersecurity/Cyber Risk Management on the US OCS (April 24, 2016). And the American Waterways Operators (the leading industry group for the inland vessel fleet, who also responded to the Coast Guard’s request for public comment) recently announced that “the Coast Guard-AWO Safety Partnership’s National Quality Steering Committee (NQSC) in February . . . will consider a draft charter for a Coast Guard-AWO Quality Action Team to develop best practices for cyber risk management in the tugboat, towboat and barge industry.” Thus, while there are no discrete cybersecurity regulations that have been issued to date, this is clearly an area on which the Coast Guard and industry groups are expending many resources and which should be on the front burner for the management of every offshore/inland operation.
And these risks are not merely academic. Over the last several years, several high-profile examples of both ethical and malicious hacking of offshore assets have been canaries in the coal mine for the issues facing these particular maritime industry sectors. In 2013, a University of Texas engineering professor and a group of graduate students put together a $3,000 homemade device that allowed them remotely and without detection to take control of an $80 million, 210-foot superyacht off the coast of Italy (an analog to any one of the offshore supply vessels that operate in the Gulf of Mexico) by GPS “spoofing” (i.e. remotely creating false civil GPS signals to gain control of a vessel’s GPS receivers). More recently, as noted in June 2015 comments by the USCG Commandant in a presentation to the bipartisan, nonprofit policy research organization Center for Strategic and International Studies, malicious hackers and/or flimsy security systems have caused specific downtime incidents in the offshore oil industry:
[H]ackers caused an oil rig off the coast of Africa to tilt to one side, shutting down production for a week as engineers worked to identify and fix the issue. In another instance, it took network experts 19 days to rid an oil rig on its way from South Korea to Brazil of malware that had taken the rig’s system offline. None of the workers knew the ins and outs of the computer system they were using to operate the rig, which contributed to the delayed response.
Further, while few if any documented cyberattacks/cybersecurity breaches have occurred in the inland towing industry, some of the same systems (GPS, automatically updated electronic charting) implicated in the above-mentioned offshore incidents apply equally to the brown water fleet. Moreover, Automated Identification Systems, known by the common acronym AIS, which are regulatorily mandated (see 33 C.F.R. Part 164) on virtually all commercial vessels including inland towing vessels, have been ethically hacked with potentially dire consequences. Specifically, a team of ethical hackers in 2014 identified numerous cybersecurity threats inherent in the AIS systems that are ubiquitous both inland and offshore:
We assessed the system from both a software and a hardware (i.e., radio frequency [RF]) perspective. Overall, we identified threats that affected AIS implementation and protocol specifications. These include disabling AIS communications (i.e., denial of service [DoS]); tampering with existing AIS data (i.e., modifying information ships broadcast); triggering SAR alerts to lure ships into navigating to hostile, attacker-controlled sea space; or spoofing collisions to possibly bring a ship off course. Interestingly, according to Bloomberg, AIS has been found to be polluted with counterfeit information (i.e., Iranian ships flagged as belonging to Zanzibar when the United States and Europe tightened sanctions [issued in response] to [Iran’s] nuclear programs).
Additionally, the USCG just this month announced a voluntary cybersecurity “Profile for Maritime Bulk Liquid Transfer (MBLT) Facilities,” which was developed together with the National Institute of Standards and Technology (NIST, the leading U.S. governmental entity in the realm of cybersecurity in general) and various maritime industry interests. This MBLT Profile, touted as “the first of its kind for the maritime transportation sector,” will affect inland towing vessels engaged in transport of oil and gas products. Moreover, the press release regarding the MBLT Profile noted that the USCG anticipates developing four additional such profiles, including one for mobile offshore drilling operations.
Thus, the importance of cybersecurity concerns in both the offshore and inland marine industries is at the forefront for both industry and regulators.
CURRENT REGULATORY FRAMEWORK FOR CYBERSECURITY INLAND AND OFFSHORE
Notwithstanding the tide of regulators’ informal literature on cybersecurity, there are currently no specific, discrete cybersecurity regulations for either offshore or inland vessel operations. However, existing regulatory frameworks likely encompass issues of cybersecurity for offshore and inland vessel operators, even if they do not specifically address cybersecurity as such.
To begin with, the MARSEC regulations (33 C.F.R. Part 101, promulgated pursuant to the Maritime Transportation Security Act, MTSA), which are applicable to all vessels on the waters subject to the jurisdiction of the United States (33 C.F.R. §101.110) and specifically the inland towing fleet (46 C.F.R. §140.660), encompass issues of cybersecurity. For example, vessel owners must “[e]nsure that security systems and equipment are installed and maintained” on their vessels and designate a qualified “Company Security Officer” (CSO) tasked with ensuring various aspects of vessel security, including inter alia “[s]ecurity equipment and systems and their operational limitations” as well as “[r]elevant international conventions, codes, and recommendations,” which now includes (as discussed below) specific codes regarding cybersecurity. See 33 C.F.R. Part 104, Subpart B. All of these regulatory provisions can be read to encompass cybersecurity concerns. Moreover, vessel operators are required under the MARSEC regulations to keep records of all “[i]ncidents and breaches of security [including] [d]ate and time of occurrence, location within the port, location within the vessel, description of incident or breaches, to whom it was reported, and description of the response.” 33 C.F.R. §104.235. In this regard, the USCG has separately defined cybersecurity “incidents” and “breaches”:
Cybersecurity breach – Unauthorized access to data, applications, services, networks and/or devices, by-passing their underlying security mechanisms. A cybersecurity breach that may rise to the level of a reportable [MTSA] security breach occurs when an individual, an entity, or an application illegitimately enters a private or confidential Information Technology perimeter of a MTSA-regulated facility or vessel, Maritime Critical Infrastructure/Key Resources, or industrial control system such as Supervisory Control and Data Acquisition systems, including but not limited to terminal operating systems, global positioning systems, and cargo management systems
Cyber incident – An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
Thus, again, §104.235 clearly encompasses a cybersecurity breakdown that results in a “breach of security,” even if the “breach” does not result in an “incident.”
Additionally, the newly minted Subchapter M regulations that will apply to essentially the entire inland fleet also include regulatory requirements that implicate cybersecurity concerns. Towing vessels opting for the alternative Towing Safety Management System compliance regime (TSMS, 46 C.F.R. Part 138, which is in lieu of USCG inspections) will be required to develop and maintain a TSMS that specifically addresses inter alia “ensuring vessel compliance, including, but not limited to, policies on maintenance and survey, safety, the environment, security, and emergency preparedness.” 46 C.F.R. §138.220. Likewise, Subchapter M requires specific record keeping regarding “[o]perative navigational safety equipment”; and “failure and subsequent repair or replacement of navigational safety equipment must be recorded” in a vessel’s log book or Towing Vessel Record. 46 C.F.R. §§140.915, 140.620. Thus, to the extent there are failures and/or security breaches in shipboard computers and/or software-dependent systems, such cybersecurity incidents would require recording.
THE REGULATORY FUTURE OF CYBERSECURITY INLAND AND OFFSHORE
And while cybersecurity may not yet appear by name in the USCG regulations, the USCG has expressly noted that existing regulations may encompass cybersecurity concerns, and has called for public comments on “how to identify and mitigate potential vulnerabilities to cyber-dependent systems” in the marine industry to assist “in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.” 79 Fed. Reg. 75574, 75574 (2014).
Additionally, the Bureau of Safety and Environmental Enforcement’s (BSEE) (in)famous SEMS regulations (Safety and Environmental Management System) include various provisions regarding offshore installation safety and security. Notably, the USCG (which is a close regulatory partner with BSEE) has raised with BSEE the issue of whether its SEMS regulations should expressly include cybersecurity provisions. And in a recent May 2016 joint discussion between BSEE Director Brian Salerno and USCG Rear Admiral Paul Thomas at the annual Offshore Technology Conference in Houston, Salerno acknowledged that “[i]t is certainly appropriate to factor cyber safety into your overall SEMS planning.” Given that the USCG has already expressed its own intent to promulgate maritime SEMS regulations for vessels operating on the OCS, the prospect of specific cybersecurity regulations in the context of SEMS is imminent.
Thus, cybersecurity is clearly on the USCG’s regulatory docket, both formally and informally.
Moreover, a little-known but vitally important regulatory statute enacted under the National Technology Transfer and Advancement Act of 1995 (NTTAA) likely paves the way for incorporation by reference into the C.F.R. of some (or all) of the myriad NGO/industry-generated cybersecurity guidelines and best practices that have recently been published. Notably, this statutory provision falls under Chapter 7 of Title 15 of the U.S. Code establishing the NIST, which as previously mentioned is the foremost federal regulatory agency in the realm of cybersecurity and which has been and continues to be working closely with the USCG on maritime cybersecurity issues. See Coast Guard Maritime Commons, The shipboard application of cyber risk management (Nov. 3 2016).
Specifically, Section 12(d) of the NTTAA (found as a “note” to 15 U.S.C. §272) mandates that federal agencies, including the USCG, consult with industry groups and adopt industry standards where consistent with their regulatory mission:
. . . all Federal agencies and departments shall use technical standards that are developed or adopted by voluntary consensus standards bodies, using such technical standards as a means to carry out policy objectives or activities determined by the agencies and departments . . . [and] shall consult with voluntary, private sector, consensus standards bodies and shall, when such participation is in the public interest and is compatible with agency and departmental missions, authorities, priorities, and budget resources, participate with such bodies in the development of technical standards.
15 U.S.C. §272.
Thus, given the USCG’s laser focus on cybersecurity across the depth and breadth of its regulatory reach, the recent spate of industry standards issued by high profile maritime governance and standards bodies may very well be destined for incorporation into the CFR.
In this regard, several leading NGOs in the maritime standards space have independently issued guidelines in the last six months regarding shipboard cybersecurity measures:
- IMO – Interim Guidelines On Maritime Cyber Risk Management (June 2016)
- BIMCO (together with Cruise Line International Association, International Association of Cargo Shipowners, International Tanker Owner Association) – The Guidelines on Cyber Security Onboard Ships (February 2016)
The IMO and BIMCO guidelines are relatively (and admittedly) high level “best practices” regarding shipboard cybersecurity (with the IMO set actually cross-referencing the BIMCO set), and both refer users to the NIST’s “Framework for Improving Critical Infrastructure,” which the USCG has also consistently referenced in its cybersecurity guidance literature. Both sets of guidelines also emphasize that cybersecurity must “start at the senior management level of a company” and should commence with a comprehensive baseline assessment of a company’s current and aspirational cybersecurity management risks and goals. The BIMCO guidelines go on to offer selected and specific “Critical Security Controls” (developed by the Centre for Internet Security) that are substantively pertinent to shipboard systems/activities.
In stark contrast, and perhaps most notably as mentioned at the outset, ABS – the USCG’s primary third-party regulatory enforcement delegate whose standards have been widely incorporated by reference in existing USCG regulations – has recently published a five-volume, highly detailed and prescriptive set of guidelines regarding cybersecurity, including two specific to offshore vessel operations:
- Guidance Notes On The Application Of Cybersecurity Principles To Marine And Offshore Operations – ABS CyberSafety™ Volume 1 (February 2016; amended September, 2016)
- Guide For Cybersecurity Implementation For The Marine And Offshore Industries – ABS CyberSafety™ Volume 2 (September, 2016)
- Guidance Notes on Data Integrity for Marine and Offshore Operations – ABS CyberSafety™ Volume 3 (September, 2016)
- Guide for Software Systems Verification – ABS CyberSafety™ Volume 4 (September, 2016)
- Guidance Notes on Software Provider Conformity Program – ABS CyberSafety™ Volume 5 (September, 2016)
These ABS standards are the most robust and substantively detailed set of cybersecurity guidelines currently available that specifically address maritime operations. And in fact, the Volume 2 “Guide For Cybersecurity Implementation For The Marine And Offshore Industries” includes requirements for issuance of a newly minted ABS CyberSafety Management System Certificate (CMSC, for a company’s cybersecurity management system) and Certificate of Cyber Compliance (CCC, for specific vessels/facilities). While these certifications will only be available to ABS-classed vessels, ABS will issue a “Statement of Fact” to vessels classed by another member of the International Association of Classification Societies that are otherwise compliant with the CMSC/CCC requirements.
The ABS CyberSafety certificate “[is] not [intended to be] required as a condition for ABS Class,” but is offered as “a useful indication of the due diligence applied by owners to better prepare for cybersecurity concerns affecting ships, offshore assets and their associated shoreside facilities.” This certification process involves annual assessments “when there are major cyber-enabled, safety-related networked system configuration changes,” including (without limitation) “major-version number operating system or firmware changes in either OT or IT; control system changeouts in safety-critical systems; or combined configuration changes between or among two or more systems that control safety-critical systems”; and otherwise during multi-year class survey events. The assessment process focuses on documentation of a cyber safety management system, as well as extensive record-keeping “of all modifications, maintenance and system security or configuration updates and upgrades, including any outstanding help desk tickets or vendor/integrator repair or maintenance requirements, and any insecurities or breaches.”
The CyberSafety certificate will be issued in a three-tiered progression, with a focus on shipboard “Operational Technology (OT)” systems – i.e. internet-connected systems and devices that operate as part of the “Internet of Things” or “Industrial Internet of Things” for day-to-day operations aboard vessels (for example, engine, hull, dynamic positioning sensors/monitors etc., all connected to the internet and transmitting data continuously to the bridge and/or shoreside management):
- CS1 Informed Cybersecurity Implementation
- CS2 Rigorous Cybersecurity Implementation
- CS3 Adaptive Cybersecurity Implementation (Highest level of Readiness)
This tripartite certificate annotation system may also be supplemented as CS1+, CS2+ or CS3+ “in cases of advanced vessels that will link control systems between vessel and onload/offload facility to regulate cargo or hazardous operations through cyber-enabled systems” – i.e. for vessels that will interface their own cyber systems with those of non-vessel facilities.
Substantively, these incremental ratings focus on nine areas of competency:
- Exercise Best Practices
- Build the Security Organization
- Provision for Employee Awareness and Training
- Perform Risk Assessment
- Provide Perimeter Defense
- Prepare for Incident Response and Recovery
- Provide Physical Security
- Execute Access Management
- Maintain Asset Management
These nine competency markers will be verified across the CS1-CS3 progression according to a detailed set of required processes and systems outlined in the “Capability Matrix” that makes up the bulk of ABS CyberSafety™ Volume 2 (pp. 27-96).
The remaining CyberSafety™ volumes address more discrete aspects of the “cybersecurity” spectrum.
- Volume 3 addresses issues concerning electronically generated data integrity and security (i.e. intra-vessel sensors, vessel-to-vessel or vessel-to-shore communications/data exchange) vis-à-vis human, environmental and vessel safety. Various types of vessel-generated/received data are categorized on a sliding scale of criticality from Integrity Level 0 to Integrity Level 3 (IL0-IL3), with IL2-3 data considered most critical to the safety/security of human life/the environment, and IL0-1 data considered important to convenience/efficiency but less critical in terms of security/safety. These guidelines focus on cybersecurity implications concerning the “Internet of Things” – i.e. the data-fueled connectivity between/among vessels and/or their onboard equipment and other vessels and/or the shore or other facilities (such as an OSV’s shipboard systems interacting with the systems on a rig/platform being serviced); and set forth preventative measures for protecting against potential data integrity breakdowns, from hardware problems to unintentional data errors to intentional/malicious capture/manipulation of data. In this regard, the guidelines note that under the recently promulgated BSEE well-control regulations, “[r]eal-time data from well control equipment is required to be transmitted to BSEE for monitoring.” See 30 C.F.R. §250.724. To the extent OSVs may be involved in downhole operations, data from these vessels must be transmitted to BSEE as well (either directly or via the rig). These regulations provide an excellent real-life example of the types of cybersecurity data-integrity concerns that will necessarily arise via the cyber systems mandated by BSEE.
- Volume 4 prescribes system-specific requirements “applicable to any control system where software is used to control, monitor, report, etc., on equipment or conditions utilizing computer-based control systems” (i.e. dynamic positioning, power management controls, thruster controls, etc.). Compliance with the Volume 4 protocols, as verified by a third-party independent “Validation and Verification Organization” during annual or special periodic surveys and by the mandatory interim software system maintenance records kept by the vessel owner, can result in an additional “SSV” notation (“Software Systems Verification”) for individual vessel/facility-integrated control systems on a vessel/facility’s CMSC/CCC certificate.
- Volume 5 (the longest volume after Volume 2), dovetailing off the SSV notation process provided for in Volume 4, sets forth lengthy requirements and guidelines by which providers/vendors of software systems are vetted as part of the SSV certification process.
The ABS CyberSafety™ protocols/guidelines are likely just the first of many prescriptive standards for maritime cybersecurity, and it is likely only a matter of time before the USCG (and/or BSEE) take steps to ensure cybersecurity via regulations/agency guidance (which may very well incorporate the ABS guidelines). Accordingly, the inland and offshore vessel industries would be well-advised to take active steps toward ensuring cybersecurity measures in their fleets in light of “all that may be coming.”
* This post includes references to numerous sources. If any of the included links/citations are unavailable/inaccessible to our readers, please contact Chris Hannan (504-566-8620; firstname.lastname@example.org).