Page 50: of Maritime Reporter Magazine (November 2024)

ANGELIKI ZISIMATOU, DIRECTOR OF CYBERSECURITY, ABS yber security and all that it entails is quickly climb- owner/manager’s ‘to do’ list.

ing the priority ladder in maritime, as increasing de- But while the gaps and problems are potentially large, the pendance on connectivity is a double edge sword of solutions can be easy, at least to start.

Cpromise and peril. “I would start with the obvious,” said Zisimatou. “First of

While the level of cyber security preparedness varies widely all, take it seriously. Consider it an actual risk to your opera- across all industries, perhaps the biggest concern is that some tions and to your business. Follow what is mandated, or what don’t even acknowledge the risk. “Many times over the last is recommended by IMO, what is recommended by NIST, eight years I’ve heard ‘Cybersecurity is a hoax’; I’ve heard cybersecurity framework. Follow the steps. Start with a very that again and again from crews, from operators, from own- robust risk assessment, and put the right people in the room; ers,” said Angeliki Zisimatou, Director Cybersecurity, ABS, people from operations and people from the IT side. Brain- as they believe that their onboard systems are ‘air-gapped’ storm; really think of the risks and how to mitigate them. If from onboard connectivity, leading to a false sense of security. your identi? cation of risk is poor, the controls that are going

Step one for ABS is to inform, educate and illustrate that to be implemented are poor as well.” yes, the threat is real. Just ask A.P. Moller-Maersk Group, one of the world’s largest shipping companies which in 2017 was NEW COAST GUARD RULES hit with the NotPetya attack, disrupting operations for 10 days Earlier this year, the Coast Guard published a proposed rule and costing hundreds of millions in revenue. in the Federal Register proposing to update maritime secu-

While maritime collectively has been slow on the cyber secu- rity regulations by adding regulations speci? cally focused on rity uptake, Zisimatou said large ? eet owners and operators are establishing minimum cybersecurity requirements for U.S.- taking the risk seriously – investing heavily in their own secure ? agged vessels, facilities on the Outer Continental Shelf, operation centers – and she is starting to see attitudes change and U.S. facilities subject to regulations under the Maritime across the industry, particularly when high pro? le events like Transportation Security Act of 2002. The new rules are ex-

NotPetya grab headlines and illustrate the potential scope of the pected to be ? nalized later this year, and many questions re- problem. A driver too, per usual, are emerging rules from the main on what they will mandate, and how it will ultimately

International Maritime Organization and the US Coast Guard. impact vessel owner/operator procedure and cost.

“For the smaller- and the medium-size operators and own- “We provided some feedback to the Coast Guard as far as to ers, I think that regulation is what is driving their actions, so what is potentially missing, or potentially is going to be chal- they try to stick to the bare minimum, doing what is mandated lenging for the operators,” said Zisimatou. “[At this time] we or recommended,” said Zisimatou. don't really know whether the new regulation is going to apply to new construction vessels, or to existing vessels, too. That

FILLING THE GAPS would have a huge impact to U.S. ? ag vessels.” She said there

As new, connected vessels increasingly come on line, and a are some requirements within the proposed rule which talk newer generation of seafarers – online natives – increasingly about segmentation of networks, for example, and especially take command of the maritime space, cyber security awareness in existing vessels, where the networks are typically ? at, “that and action will follow in step. Until then, much work remains. would require some extra effort.” “Lack of knowledge on the topic, [plus] the lack of train- But it doesn’t end there. ing and awareness; that applies to the crews and to onshore “There are other items as well, like cybersecurity drills ev- personnel,” is arguably the biggest gap today, said Zisimatou.. ery three months required within the regulation, which we “Even shipping companies that know they need to act, they think is a little too frequent,” said Zisimatou. “Then there are might assign the task to their IT department, and typically, IT no speci? cs; what does it mean, what needs to be tested?” personnel have [little or no] knowledge of onboard systems,” She said the classi? cation society has recommended that the presenting a challenge on where to start. Coast Guard take into consideration what IACS has proposed as

The antiquity of legacy systems running onboard existing far as new construction vessels, how to address the whole supply tonnage, including Windows NT and other outdated software, chain, from the design, commissioning, construction, and opera- poses an equally big challenge in terms of vulnerability. tional life of a vessel, but also how it has approached the speci? c

Another potential problem throughout the whole of the controls, providing a bit more clarity on what class needs to do, maritime supply chain possessing adequate visibility on main- what owner needs to do, what a shipyard needs to do. tenance and upgrade of onboard systems, as typically vessel “I'm waiting to see the regulation coming out, and I'm sure owners and managers have vendors physically come onboard that the Coast Guard has received plenty of comments that to access and upgrade systems, providing little if any visibility they're working on right now,” said Zisimatou. “I'm eager to on what has actually been updated and installed on the ships. see that, and then I think it's going to have a huge impact, espe-

Getting complete control and visibility on critical system up- cially [later on when] more regulation come out from other ? ag dates and maintenance is yet another priority item on an vessel administrations, based on what the Coast Guard has set out.” 50 Maritime Reporter & Engineering News • November 2024

MR #11 (50-65).indd 50 10/25/2024 2:49:55 PM