标准2025自古以来,从亚洲到地中海,海盗一直对船员构成巨大安全威胁。未来,武装分子可能不再登上轮船挟持船员来要求赎金,转而通过网络空间威胁船员。每天成千上万的机构、组织和个体都是网络攻击的对象,据悉,其中航运业遭受的网络攻击最多。航运业自己也承认,船舶被网络攻击盯上是早晚的事。因此,航运业正在采用国际标准等预防措施来减少网络攻击,降低危害风险。
武装海盗仍是航运的主要威胁
武装抢劫和海盗仍对海运构成巨大威胁,并且主要集中在特定地区,2011年索马里海盗猖獗之后,其他地区情况有所好转。国际商会(ICC)国际海事局(IMB)2015年 “海盗和武装抢劫船舶” 年报显示,2015年全球发生246起海盗和武装抢劫船舶事件(2014年为245起,2011年为439起)。近60%的案件(147起)发生在东南亚地区。报告指出,203艘船舶曾遭海盗袭击,发生了27起未遂袭击和15起绑架事件,有333位船员遭受了绑架挟持等暴力侵害,部分船员受伤,其中一起案件甚至有船员死亡。90%的袭击目标为散装船、各类油船、集装箱船以及货船。海盗给航运业造成数十亿美元的损失。除了传统海盗,如今兴起的网络海盗更为隐蔽,它的出现可能对航运业构成更大威胁,造成更为严重的损失。
船舶的网络事件并不少见
从欺诈到恶意隐瞒,我们常在新闻里看到船舶遭受的各种网络攻击,报道还详细指出巨额经济损失。航运业经常登上新闻头条,但是这并不意味着如今航运业已经脱离危险,不再是袭击目标。联合国贸易和发展会议(UNCTAD)指出,对海运资产的网络攻击尤为猖獗,原因在于全球将近80%的贸易量和超过70%的贸易额通过海运输送到世界的各个港口。
另外,船舶本身就是价值极高的资产。目前投入运营的最大的18000ETU船造价近2亿美元,如果加上货物,该船的价值甚至超过10亿美元。
国际海事组织(IMO)是联合国负责海上航行安全和防止船舶造成海洋污染的专门机构。目前国际海事组织和其他国际相关组织一道,研究船舶的网络安全问题。
国际海事卫星组织(Inmarsat)是国际海事组织建立的全球卫星通讯公司,其高级主管Gert-Jan Panken告诉最近在伦敦举办的海上网络风险管理峰会(Maritime Cyber Risk Management Summit)的与会者,43%的船员受到过网络侵害,包括恶意软件植入、电脑病毒攻击和软件升级问题。海洋电子与通信(Marine Electronics & Communications)称,95%的网络事件由人为引起,而没有受到攻击的船员仅为10%,这些船员都接受了网络安全培训。由此可见,恰当的培训有助于应对网络事件。
除了人员还存在其他最薄弱环节
普利茅斯大学的海洋网络威胁研究小组研究发现,软件未及时更新和船舶老旧不符合现代网络安全要求是目前存在的两个主要问题。发表在《工程技术参考》(Engineering and Technology Reference)的文章指出,针对导航、推进、货运相关功能的海事系统很可能成为网络攻击的对象。文章指出,海事是本国部队专用的永久性设施中最薄弱的一环。
海洋网络风险管理峰会上的发言人提出,网络事件会影响许多系统和输入点,包括船舶自动识别系统(AIS)和全球定位系统(GPS),以及电子海图显示与信息系统(ECDIS)的输入点。另外,卫星通讯和无线网络等网络服务,承包商的远程监控服务,以及工程师升级船舶软件系统都会让网络攻击有机可乘。国际海事组织(IMO)研发的全球海上遇险与安全系统(GMDSS)也是网络攻击的潜在目标。
国际电工委员会第八十技术委员会( IEC TC 80):海上导航和无线电通信设备及系统,正在按国际标准研发以适应此类系统。
根据国际海事组织决议,IEC 61097系列中的海上导航和无线电通信设备及系统目前已经发行12种版本,涵盖各个部分的全球海上遇险与安全系统(GMDSS)。另外还研制国际标准版本用于船舶自动识别系统(AIS)和电子海图显示与信息系统(ECDIS)。
航运领域的网络安全意识逐渐提高
许多航运业组织机构意识到了网络事件的潜在风险,并且开始着手预防。
2015年9月,联合船舶保险委员会(JHC)携手两大保险业巨头伦敦劳合社(Lloyd’s)和国际保险协会(IUA)共同发布网络风险参考文件,指出“网络攻击造成船舶损失的风险可以预见,但还没变成现实。”
2016年1月,全球最大的航运组织,波罗的海国际航运公会(BIMCO)发布船舶网络安全指南。波罗的海国际航运公会秘书长安格斯.弗鲁(Angus Frew)称指南的目标是“为航运业提供清晰全面的网络安全信息”。他补充道,他们“应该针对公司运营的生意和船舶,帮助公司采取相应的网络安全风险防御措施。”
2016年1月,加拿大和美国向国际海事组织(IMO)提交网络风险管理(CRM)框架文件《保护海上运输系统免受网络威胁的促进指南》。文件提出五个基本因素——鉴别、保护、侦查、反应、恢复,认为“这五个因素是构成有效网络风险管理系统的基础”。
基于国际标准的网络风险管理指南
这些文件有一个共同特征,所有的网络安全建议措施都是基于国际标准,其中许多是由ISO/IEC JTC 1/SC 27:安全技术”制定的。
ISO/IEC JTC 1/SC 27是ISO/IEC JTC 1的分技术委员会,联合技术委员会是由国际电工委员会(IEC)和国际标准化组织(ISO)共同建立,负责信息技术方面的国际标准化工作。
加拿大和美国向国际海事组织(IMO)提交的指南列出了下列网络风险管理的相关标准和由 ISO/IEC JTC 1/SC 27制定的技术要求(TR):
ISO/IEC 27001:2013,信息技术-安全技术-信息安全管理体系-要求
ISO/IEC 27019:2013,信息技术-安全技术-基于ISO/IEC 27002针对能源公益事业行业的过程控制体系信息安全管理指南
ISO/IEC 27031:2011信息技术-安全技术-业务可持续性的信息和通信技术指南》
ISO/IEC 27033-3: 2010 信息技术–安全技术–网络安全–第3部分: 参考网络方案 –威胁、设计技术和控制问题》
ISO/IEC27039:2015信息技术—安全技术—入侵检测系统的选择、部署与操作
波罗的海国际航运公会(BIMCO)指南强调“航运业船上遇到的问题”,同时“包含岸上运营的网络安全问题”,给“信息安全管理体系ISO/IEC 27000 系列标准”提供了一个国际标准和指南的例子。
联合船舶保险委员会(JHC)的《网络风险评估指南》检查了航运公司应该实施“彻底的威胁评定,考虑(……)当前与国际安全标准(ISO/IEC 27001 / ISO/IEC 27002, NERC [北美电力可靠性协会] 1300, ISA/IEC 62443)的符合情况”。工业自动化与安全62443标准(IEC 62443)系列的国际标准(IS),技术规范(TS)和技术报告(TR)关于《工业通信网络/网络和私通安全》是依据“IEC TC 65:工业过程的测量、控制和自动化”发展而来。
长期来看网络事件不仅限于货物盗窃和走私
近年来报道的大量网络事件集中于货物走私而非船舶本身。
2013年6月,比利时和荷兰警察同伙追踪黑客抓获一个毒品走私团伙。这些黑客侵入航运公司电脑来跟踪装有毒品的集装箱动态,帮助贩毒者锁定目标集装箱,然后秘密转移毒品。
威瑞森的一份资料外泄调查报告显示,海盗还通过侵入航运公司电脑来锁定贵重货物。报告指出,“他们会登上船只,通过条形码锁定装有贵重货品的木箱,只偷那个木箱里的货物,然后马上离开船只。”
目前为止,网络攻击还没有造成巨大的航运灾难,然而根据之前的报告来看,航运业认为存在这个可能性。保险公司也担心网络事件会引发航运灾难。安联全球企业及特殊风险有限公司(Allianz Global Corporate & Specialty)发布的《年安全及航运回顾2015》指出,“网络攻击会毁了一家公司,导致大量船只、货物的保险索赔以及保险商的保护和赔偿,甚至还会造成同一家公司的大量船只遇害。”
安联称涉及两艘巨能船的海运灾难可能造成20亿美元的损失。
随着自动化技术提升以及远程操作的无人驾驶船舶的开发,未来航运资产的网络事件可能还会增加。
国际海事组织(IMO)和海运组织的报告和建议十分重视网络威胁。报告显示, IEC自主制定或与ISO/IEC JTC 1共同制定的国际标准主要用于保护航运打击威胁。
Shipping sets watch for [not so] distant cyberthreats
Maritime industry bodies consider pre-emptive measures to thwart cyberthreats
Piracy has posed a major security threat to mariners everywhere, from Asia to the Mediterranean, since time immemorial. In the future, threats from armed gangs boarding ships and holding vessels and crews for ransom may be replaced by ones from cyberspace. Every day, many institutions, establishments and individuals are the targets of cyberattacks. While the maritime industry has yet to record a major cyber incident, it recognizes that it is only a matter of time before some of its assets are targeted. As a result, it is taking pre-emptive measures, which include the adoption of International Standards, to mitigate the possibility of cyberattacks and their potential impact.
Armed piracy still a major threat to shipping
Armed robbery and piracy against ships still poses a significant threat to shipping; it is concentrated in certain areas but has dropped 44% since 2011 when Somali pirates were most active. The International Chamber of Commerce (ICC) International Maritime Bureau (IMB) 2015 annual report on "Piracy and armed robbery against ships" recorded 246 incidents worldwide in 2015 (as against 245 in 2014 and 439 in 2011). Nearly 60% of these incidents (147) took place in Southeast Asia. The report indicates that 203 vessels were boarded, that there were also 27 attempted attacks and 15 hijackings and that 333 crew were victims of various acts of violence ranging from kidnapping to being kept hostage, being injured or even killed (one case). Bulk carriers, tankers of various types and container and cargo ships made up some 90% of the targets. The cost to the industry represents billions of dollars. However a new, less spectacular form of piracy, cyberpiracy, looms on the horizon. It may prove far more costly and quite possibly no less dangerous to the shipping industry.
Cyber incidents on ships are not unusual
Cyberattacks on a broad range of sectors for fraudulent or malicious reasons are widely reported on a nearly daily basis. Financial losses, which are often considerable, are also detailed. The maritime industry has yet to make headlines in this domain. However, this doesn't mean that it is not targeted or that it is safe. Cyberattacks against maritime assets would have particularly serious ramifications since around 80% of global trade by volume and over 70% of global trade by value is carried by sea and is handled by ports worldwide, according to UNCTAD, the United Nations Conference on Trade and Development.
Furthermore, ships represent very high value assets. The cost of an 18 000 Twenty Foot Equivalent Unit (TEU) container ship, one of the largest types currently sailing, is around USD 200 million. If its cargo is included, it can be worth one billion dollars or more.
The International Maritime Organization (IMO), the UN specialized agency with responsibility for the safety and security of shipping and the prevention of marine pollution by ships, is now considering cyber security matters together with other bodies and relevant international organizations.
Gert-Jan Panken, a senior executive from Inmarsat, the global satellite communication company set up by the IMO, told participants to a recent Maritime Cyber Risk Management Summit held in London, that 43% of seafarers reported having worked on vessels that had been compromised by a cyber incident, which could have constituted malware insertion, digital virus attack or software updating issues. Some 95% of cyber incidents were human-related, yet only 10% of crew surveyed had received some form of cyber security training, according to Marine Electronics & Communications. This fact points to a major weakness that should, however, be relatively easily remedied by applying appropriate training measures.
Humans are not alone as the weakest links
Outdated software and ships not designed with modern cyber security in mind are two existing vulnerabilities that have been identified in a study led by Plymouth University’s Maritime Cyberthreats Research Group. The paper, published in Engineering and Technology Reference, notes that maritime-related systems for navigation, propulsion, and cargo-related functions can be the targets of cyber-attacks. It points out that “the [maritime] sector is probably the most vulnerable aspect of critical national infrastructure”.
Cyber incidents could affect a number of systems and points of entry. Some of these were identified by speakers at the Maritime Cyber Risk Management Summit. They include the Automatic Identification System (AIS), Global Positioning System (GPS) and inputs to the Electronic Chart Display and Information System (ECDIS). They could also come from connection to online services over satellite communications, in-port WiFi, or through contractors providing remote monitoring services, or engineers updating shipboard system software. The Global Maritime Distress and Safety System (GMDSS) developed by the IMO is seen as another potential target of cyber attacks.
IEC TC 80: Maritime navigation and radiocommunication equipment and systems, is involved in developing International Standards for many of these systems.
It has published 12 Standards covering various aspects of GMDSS (based on IMO resolutions) in the IEC 61097 series. It has also developed International Standards for AIS and ECDIS.
Growing awareness from the sector
A number of maritime industry organizations and bodies have highlighted the potential risks posed by cyber incidents and are preparing for these.
A September 2015 information paper on cyber risk by the Joint Hull Committee (JHC), which brings together underwriting representatives from both Lloyd’s and the International Underwriting Association of London(IUA) notes that "the risk of a loss to a ship as a result of cyber disruption is foreseeable, but is not yet a reality".
The Baltic and International Maritime Council (BIMCO), the world’s largest international shipping association, published guidelines on cyber security onboard ships in January 2016. BIMCO Secretary General Angus Frewsaid at the time that the aim of these guidelines was “to provide the shipping industry with clear and comprehensive information on cyber security risks to ships”. He added that they “should help companies take a risk-based approach to cyber security that is specific to their business and the ships they operate”.
Canada and the United States submitted a framework document for cyber risk management (CRM) to the IMO Facilitation Committee in January 2016. These “Guidelines on the facilitation aspects of protecting the maritime transport network from cyberthreats”, list five functional elements – identify, protect, detect, respond, recover – “which taken together can form the foundation of an effective CRM system”.
Cyber risk management guidelines rest on International Standards
A common thread to all these documents is that they show clearly that all the measures recommended to be taken to ensure better cyber security rest on a number of International Standards, many of which are developed by ISO/IEC JTC 1/SC 27: Security Techniques.
ISO/IEC JTC 1/SC 27 is a Subcommittee of ISO/IEC JTC 1, the Joint TC formed by the IEC and the International Organization for Standardization (ISO) to prepare International Standards for Information Technology.
The Guidelines submitted by Canada and the US to IMO list the following CRM-related Standards and Technical requirements (TR) developed by ISO/IEC JTC 1/SC 27:
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC TR 27019:2013, Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC 27031:2011, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27033-3: 2010, Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
ISO/IEC 27039:2015, Information technology – Security techniques – Selection, deployment and operations of intrusion detection systems (IDPS)
The BIMCO Guidelines focus on “issues facing the shipping industry onboard ships” but gives the “ISO/IEC 27000 series of Information Security Management Systems (ISMS) standards” as an example of international standards and guidelines that “cover cyber security issues for shoreside operations.”
As for the JHC, its Cyber Risk Assessment Guidance background checks state that shipping companies should carry out “a thorough threat assessment, contemplating (…) the current level of compliance with international security standards (ISO/IEC 27001 / ISO/IEC 27002, NERC [North American Electric Reliability Corporation] 1300, ISA/IEC 62443). The IEC 62443 series of IS, TS and TR on Industrial communication networks/network and system security, is developed by IEC TC 65: Industrial-process measurement, control and automation.
Cyber incidents may not stay limited to cargo theft and smuggling for long
In recent years a number of cyber incidents focusing on cargo rather than vessels have been reported.
In June 2013 Belgian and Dutch police broke a drug smuggling ring after tracking down hackers who had penetrated shipping companies computers to follow the movement of containers loaded with drugs to let traffickers locate the right containers and remove them undetected.
Pirates have also been found to have hacked a shipping company’s computers to locate valuable cargo, according to findings published in a data breach investigation report by Verizon. “They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate – and that crate only – and then depart the vessel without further incident,” the report notes.
So far no major shipping disaster has resulted from cyber attacks. However, the industry considers this to be a possibility, as previously mentioned reports indicate. Insurers also worry about the possibility of a shipping disaster resulting from a cyber incident. In its 2015 Safety and Shipping Review, Allianz Global Corporate & Specialty notes that “A cyber-attack could result in a total loss, leading to substantial insurance claims for hull, cargo and protection & indemnity underwriters. It could even involve multiple vessels from the same company”.
Allianz says that the cost of a maritime disaster involving two megaships could reach USD 2 billion.
The trend towards increased automation and ongoing work on the introduction of remotely operated unmanned vessels, may see cyber incidents on shipping assets increase in the future.
Reports and recommendations from the IMO and the maritime sector organizations show that the cyberthreats are being taken seriously; these reports also show that International Standards developed by the IEC on its own or within ISO/IEC JTC 1 are seen as central to protecting shipping against these threats.