IASME Maritime Cyber Baseline certification gives assurance to owners, managers and clients that suitable cyber security controls and processes are in place on maritime vessels to reduce the risk of a cyber attack occurring.
Foreland Shipping (FSL) owns and operates four Ro-Ro vessels which are on long-term charter to the UK Ministry of Defence. A RORO vessel or roll-on roll-off ship, is a type of freight or ferry vessel that is specifically designed to transport vehicles, such as cars, trucks and trailers. The vessels make up the UK Strategic Sealift Service, and are used to move UK and Allied forces’ equipment around the world.
AW Ship Management (AWSM) provide ship management to Foreland Shipping and other clients within both the defence, scientific, and civil nuclear sectors. AWSM support managed vessels operating worldwide from offices in London, Lowestoft, and Barrow-in-Furness.
Demonstrating cyber security with maritime vessel certification
The Maritime Cyber Baseline scheme is designed to certify the cyber security of commercial vessels of all sizes and classifications. Developed with maritime experts, Infosec Partners and supported by The Royal Institution of Naval Architects, the certification supports a path towards compliance within the IMO Maritime Cyber Risk Management guidelines.
Both FSL and AWSM provide services to clients where security, and particularly cyber security are of significant importance. Both companies are accredited to the Cyber Essentials Plus and IASME Cyber Assurance standards for their shore operations. Taking this into account, and in order to comply with new requirements as set out by the client, the decision was taken to improve the cyber security posture on board the Foreland fleet, and to certify the ship’s networks to the IASME Maritime Cyber Baseline scheme.
Why certify your vessels?
Certifying to Cyber Essentials (CE) is becoming a minimum standard for UK Government contracts. For certain contracts, cyber security procedures above the level required by CE are often a requirement. As both FSL and AWSM work within security-sensitive areas, both entities already had a good working relationship with IASME and were aware of the potential of the Maritime Cyber Baseline scheme.
The IASME Maritime Baseline scheme was implemented in order to strengthen the position of FSL for negotiation of a new contract with the Ministry of Defence. In addition, new cyber security requirements had been advised by the MoD which would be fulfilled by applying the Maritime Cyber Baseline scheme to the FSL fleet. It was also considered good practice to improve the cyber security posture on board the Foreland fleet.
Maritime cyber security experts
AWSM subcontract the management of the vessel IT networks to a specialist marine IT support company. Together, they assessed the Maritime Cyber Baseline question set, and produced a gap analysis which noted which areas were felt compliant, and which were not. A proposal was put forward to bring all areas noted up to standard. This included changes to the on-board hardware, software, and procedural elements.
Once the works to upgrade the cyber security hardware were completed, the Maritime Cyber Baseline question set was revisited, and a master version created for a single ship. This was sent to the IASME technical Assessor, Pete Ruckinski at Assure Technical for comment on the basis that the responses for the remainder of the fleet would be common.
Elevating cyber security across the fleet
In terms of hardware, new hardware firewalls were installed in order to improve the ability of the company to monitor identified threats. Secure USB memory sticks were provided to all vessels for the sole purpose of updating OT with the least risk of issues. Network switch boxes were provided to give the vessels the ability to quickly air-gap critical OT systems that are connected to the network.
Software upgrades included a move to the most recent version of Windows Server, implementation of upgraded antivirus and software firewalls, and the installation of software to support multi-factor authentication on board for the crew.
Updated cyber security policies and procedures were produced for the crew. Multi-factor authentication tokens were procured, and training given in how to use them.
Advice to other maritime businesses
Regardless of the type of vessel, cyber security has become a critical issue in the marine sector in recent years and will only become more critical as technology moves on. As such, it is important that owners and managers assess the condition of their on-board IT/OT networks and how they interact, with a view to making improvements.
To find out more about IASME Maritime Cyber Baseline, email the scheme Certification Manager, [email protected]
To find out more about AW Ship Management and the suite of vessel support services offered, email: [email protected]
*Please note, the Cyber Essentials scheme is owned by the UK’s National Cyber Security Centre and represents the recommended minimum cyber security for organisations of all sizes. IASME Cyber Assurance and IASME Maritime Cyber Baseline are separate IASME-owned schemes; they are in no way endorsed by the National Cyber Security Centre.