Resolution MSC.428(98) OMI, requires shipping companies to integrate cyber risk into the ISM code.

They must comply from January 1st,  2021 and no later than the first renewal of the compliance document.

Cybersecurity is about protecting computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. It is also called computer security or information system security.

Cybercrime is the set of criminal offences committed through the Internet or computer networks. Cybercrime is one of the greatest modern challenges facing humanity.

Cybercrime takes place in cyberspace. This can be:

• Computer hacking, intrusion into computers, computer servers orwebsites.
• Remote destruction of computer data.
• Internet credit cardfraud.
• Automated processing ofunauthorizedor unreportedpersonal
• Creating fake websites imitating knownsites.
• Inciting crimes against persons or property, via the Internet.
• Remote installation takeover….

• For the year 2019, cybercrime was estimated at more than $600 billion (in data misappropriation, ransom demands, etc.), or 1% of the world’s GDP diverted.
• More than 30,000% is the increase in computer attacks since January 2020 in France. From 1200 at the beginning of the year, they rose to 380,000 at the beginning of April. These are mainly phishing, and malware, malicious sites that target users remotely.
• Between 30 minutes and 10 days, this is the average time to break into a corporate network. 93% of the most successful is the case.
• For a company, no less than 13 penetration vectors were identified.
• In 68% of cases, only 2 steps were needed to access the network.
• From February to March 2020, malicious domain name registrations increased by 569%.
• A cyberattack costs on average nearly 1.3M euros and 15 days of interruption.
• 9 out of 10 companies are affected.
• 7 months, the average time to identify a data breach. According to the FFA (French Insurance Federation):  For the fourth year in a row, the risk of lethal cyberattacks remains the main risk that would weigh on companies. The year 2020 was marked by an increase in cyber attacks, partly explained by the containment and intensification of telework.

• Malware: a type of malware in which any file or program can be used to harm the user of a computer, whether by a worm, virus, Trojan or spyware.
• Ransomware: A type of malware in which an attacker blocks access to the victim’s computer system files, often by encryption and demands a ransom to reveal the code and unlock the computer.
• Social engineering: a method that relies on human interaction to deceive the user and bypass security procedures in order to access sensitive, usually protected information.
• Phishing: a type of fraud that mimics emails from trusted sources. The purpose of these messages is to steal sensitive data such as credit card code or login information.
• Zombie Networks: This is one of the most dangerous      threats, since they are made up of control serversand controls and a large number of infectedcomputers, usually hundreds of thousands who participate inthe attack and are managed remotely.
• Service Denials: Prevent legitimate users of a service from using the service in a different way
• Internal threat: Reducing employee attention when dealing with sensitive data  s/insufficient training  on cybersecurity /unsuitable policye…
• Leakedinformation  s:  Presents the risk of malicious use of technical systems to obtain small amounts of information on individual files.
• Cyberespionage….

2015: SABELLA submerges the first productive hydroline 2kms off Ushant. In October, a viral attack on the communication servers of the SABELLA turbine, neutralizing the connection with the control center for a fortnight. The attack was accompanied by a ransom demand.

2017: MAERSK was one of the first large-scale maritime victims of the Petya Not Petya (wannacry) epidemic. $300 million in losses.

2018: The ports of Barcelona and San Diego targeted. The desired impact was the neutralization of commercial operations between the companies and their vessels. And the slowdown on all land operations such as unloading and loading ships.

2019: Israelicyber defence solution provider Naval Dome conducted an experiment on a 260m container ship. After infecting the ship’s captain’s computer via email, a team compromised the navigation system, radars and engine room management system. This allowed them to divert the vessel from its original route and disable the engines. An absolute danger on sea routes.

2020:  CMA CGM was attacked  by ransomware Ragnar Locker, 15 days passed before the situation returned to normal. E-Commerce sites, booking, tracking, road finder, Myprices, billing, have undergone  significantmalfunctions.  The group also said  it feared data theft. The financial impact

of 2020 is not yet known: MSC announced that a major network outage was being resolved and all internal systems were again “fully functional”. Initially, the company described the outage, which began on the evening of 9 April and affected the company’s geneva headquarters and affected “the availability of some of the digital tools. But after a “thorough investigation,” she admitted to being the victim of malware exploiting a vulnerability. While refraining from disclosing more, citing security reasons.

2021: Beneteau, attacked on 19 February 2021, has not yet resumed its entire activity.

The elements of an IT departmentare broken down into two groups:

• Department of Computer Science (IT, Information  Technology):

Denotes the entire information processing technology sector. Mainly computer science, telecommunications and the Internet.

• Operational Technology (OT, Operational Technology)

The OT includes hardware and software systems that monitor and control physical equipment and processes.

OT systems are often protected by physically insulating them from the network. But as companies expand remote operations and outsource many tasks, including equipment maintenance and maintenance, connectivity becomes essential, and OT and IT technologies continue to converge.

Ships are affected by the OT and IT interaction:

1. Trackingfunction for information/administrative tasks
2. Alarm and monitoring functions
3. Control functions that arenecessary to keep the vessel in its normal operational and habitable conditions.

example:

• Maintien of the propulsion and direction of the ship-Power management
• Safety management: Detection et la fight  against fires / Invasion surveillance  / Internalcommunication systems  …
• Navigation management: ECDIS / Autopilot / Radar /  Stabilizer….
• Dynamic positioning management.
• Cargo transfer control system / ballastage /
• Alarm and monitoring system.

The development of the IT department requires a regular evaluation of its cybersecurity:

• Development of the computerization of pay slips
• invoicing
• Development of telework: Use of virtual privatex network (VPN) to secure exchanges.
• Staff awareness and implementation of “good practices”
• Client file
• Order / Booking ….

• Develop contingency plans to respond effectively to identified cyber-risk.

To begin with, we need to carry out a Ship/Armament/Tierce part audit based on the ISO/CIS 27001 methodology.

The Audit is based on 14 chapters:

1. Information Security Policy
2. Information Security Organization
3. Human Resources Security
4. Asset management
5. Access control
6. Cryptography
7. Physical and environmental safety
8. Operational safety
9. Communications security
10. Acquisition, development and maintenance of information systems
11. Supplier relationship / Tierce party.
12. Management of information security incidents .
13. Aspect of information security in business continuity management
14. Compliance

MSC FAL 1-Circ 3 / MSC 428 (98) / ISO 27001 / ISO 27002 / Guidelines on Cybersecurity onboard ships V4 / IACS Recommendation on Cyber resilience / IACS UR e 22 / NIST Framework / CSIS, Centre for Strategy and International Studies / Zscaler /  Agence financial rating Moody’s  /  VMware Carbon Black / Google /  Positive Technologies  /  World Forum    / Le Figaro /  FFA:French Insurance Federation  /  Interpol.