CYBER SECURITY

REQUIREMENTS
FOR IMO 2021

Inmarsat
Research
Programme
WHITE PAPER
NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

2 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

CYBER SECURITY
REQUIREMENTS FOR IMO 2021

CONTENTS
1 Introduction 5
2 Cyber risk management – the threat to ships 6
– Ship threats and vulnerabilities 6
– Hardware, software, personnel 8
3 The basis for IMO 2021 10
4 IMO 2021 in practice 13
– Systems inventory 14
– Risk assessment scope 15
– Responsibilities 15
5 IMO 2021 compliance 17
– Responding to, recovering from and training
for cyber attacks 18
– A pathway to compliance 18
– Compliance checklist 18
6 Fleet Secure Endpoint – an introduction 20
– Security and endpoints 21
– Fleet Secure Endpoint onboard 22
7 Fleet Secure Endpoint – supporting IMO 2021
compliance 24
– Identify, Protect, Detect, Respond and Recover 24
– Recovery, reporting, manageability 26
– Fleet Secure Endpoint compliance checklist 27
– Fleet Secure Endpoint key benefits 28
8 Fleet Secure Endpoint - installation and use 30
– Dashboard and alerting 30
– Fleet Secure Endpoint use in context 31
9 Cyber security, Crew Training and Awareness 32
10 Fleet Secure Endpoint – real case studies 34
11 Conclusion and Next Steps 36

inmarsat.com 3
White Paper
Cyber security requirements for IMO 2021

4 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

average about 197 days to identify and 69 days to

01 contain a cyber breach, it is clear that an attack
on a vessel’s critical systems could threaten the
INTRODUCTION safety of a ship as well as the business of shipping.
The fact that a 2019 Data Breach Investigations
Developments in connectivity and the transfer Report from Verizon indicates that nearly one-third
of data in greater volumes between ship and of all data breaches involve phishing provides one
shore continue to bring significant gains for fleet indicator that, where cyber vulnerabilities exist, the
management efficiency and crew welfare, but they ‘human element’ can badly expose them.
also increase the vulnerability of critical systems
onboard vessels to cyber attacks. The U.S. Coast Guard has already advised ship
owners that basic cyber security precautions
A 2019 IHS Markit/BIMCO report* recorded 58% should include: segmenting networks so that
of respondents to a survey of stakeholders as infections cannot spread easily; checking external
confirming that cyber security guidelines had hardware such as USB memory devices for
been incorporated into their company or fleet by viruses before connection to sensitive systems;
2018. The increase over the 37% giving this answer and ensuring that each user on a network is
in 2017 explained a sharp drop in the number of properly defined, with individual passwords and
maritime companies reporting themselves as permissions.
victims of cyber attacks according to authors – 22%
compared to 34%. From 2021, the Convention for the Safety of Life
at Sea that covers 99% of the world’s commercial
However, the enduring feature of cyber threats shipping will formalise the approach to cyber
is their ability to adapt and evolve, with new security permissible for ships at sea.
lines of attack developed as barriers are put in
place, and strategies to expose vulnerabilities By International Maritime Organization (IMO)
constantly emerging. A June 2020 White Paper** resolution, no later than a ship’s first annual
from the British Ports Association and cyber risk Document of Compliance audit after 1 January
management specialists Astaara suggests that 2021, every Safety Management System must
reliance on remote working during the COVID-19 be documented as having included cyber risk
crisis coincided with a fourfold increase in maritime management, in line with the International Safety
cyber attacks from February onwards, for example. Management Code.
In fact, cyber security was ranked as the second- The following report offers ship owners and
highest risk for shipping in 2019, behind natural managers guidance covering their responsibilities
disasters, according to a survey of over 2,500 risk under the new IMO regime and explains how the
managers conducted by Allianz. cyber security solution Fleet Secure Endpoint
provides a comprehensive tool to support them
Given that, according to IBM, companies take on towards compliance.

* Safety at Sea and BIMCO cyber security white paper. Downloadable at: https://www.bimco.org/-/media/bimco/about-us-and-our-
members/publications/ebooks/cyber-security-guidelines-2018.ashx
** Managing Ports’ Cyber Risks: https://www.britishports.org.uk/system/files/documents/bpa_astaara_white_paper_0.pdf

inmarsat.com 5
White Paper
Cyber security requirements for IMO 2021

maintenance, or any activity involving connectivity

02 for a third party onboard).

CYBER RISK MANAGEMENT - Effective cyber risk management must therefore

consider not only multiple cyber assailants but:
diverse lines of attack (targeted and random);
THE THREAT TO SHIPS continuous efforts by assailants to update
strategies including malicious coding; and
One description of cyber risk management used by
vulnerabilities in hardware, software and human
IMO sees it as “the process of identifying, analysing,
behaviour.
assessing, and communicating a cyber-related risk
and accepting, avoiding, transferring, or mitigating
it to an acceptable level, considering costs and SUPPLY CHAIN CYBER THREATS AND
benefits of actions taken to stakeholders”.
VULNERABILITIES
The description draws on wording developed by
THREATS:
the National Institute of Standards and Technology
caret-right Adversarial: e.g. insertion of counterfeits,
(NIST) of the US Department of Commerce for Cyber
tampering, theft, insertion of malicious
Supply Chain Risk Management (C-SCRM). In full,
software.
NIST explains C-SCRM as the process of identifying,
caret-right Non-adversarial: e.g. natural/man-made
assessing and mitigating the risks associated
disaster, poor quality products/services, poor
with the distributed and interconnected nature of
practices.
data-centric information technology (IT) systems
and the operational technology (OT) systems VULNERABILITIES:
monitoring events, processes and devices. It is a caret-right Internal: e.g. information systems and
process which covers a system’s entire life cycle components, organizational policy/processes.
(design, development, distribution, deployment, caret-right External: e.g. weaknesses to supply chain/
acquisition, maintenance, and destruction), given within entities in supply chain, dependencies
that supply chain threats and vulnerabilities may (power, communications, transportation, etc.).
(intentionally or unintentionally) compromise IT/OT
at any stage.
In 2017, NotPetya ransomware found a point
Businesses most commonly experience the of entry to the Maersk logistics network via its
consequences of cyber threats as financial container terminals business. The widely reported
penalties but this is not always the case, as incident cost the container giant over $300m in
perpetrators can include: systems renewal, with the group’s IT team having
caret-right Terrorism to reinstall 4,000 servers, 45,000 PCs and 2,500
caret-right Hacktivists groups applications in 10 days. Also reported, although in
caret-right Nation states less detail, has been a suspected malware attack
caret-right Insider attacks that brought the Mediterranean Shipping Company
caret-right Cyber criminals website and portal to a standstill in April 2020.
While all of the above involve ‘bad actors’, many
attacks are also automated and their source
is not immediately apparent: they succeed by SHIP THREATS AND VULNERABILITIES
repeated or multiple probing for weaknesses in These incidents are in the public domain and
an organisation’s systems or by individual acts involve the land-side systems managed by two of
of carelessness by those having access to them. the most sophisticated shipping and logistics
In addition, cyber security can be vulnerable organisations in the world, both of which place a
where ‘threats’ are non-adversarial (e.g. software premium on public profile.

6 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

inmarsat.com 7
White Paper
Cyber security requirements for IMO 2021

However, ships themselves increasingly play a fully months according to an Inmarsat analysis of its
connected data-centric role in the supply chain. Fleet Xpress customer vessels. The need for cyber
In doing so, common cyber vulnerabilities can be resilience has therefore never been greater.
found onboard existing ships, and on some new-
build ships. These may include:
– Obsolete and unsupported operating systems HARDWARE, SOFTWARE AND PERSONNEL
– Outdated or missing anti-virus software and Understandably, the ship at sea is not itself likely to
protection from malware be the focus for targeted Denial Distribution of
– Inadequate security configurations and Service (DDOS) attacks, whose targets tend to be
best practices, including the use of default corporate or more transactional. However, malware
administrator accounts and passwords, and and Ransomware can be introduced easily enough
ineffective network management to the unguarded ship network, via:
– Shipboard computer networks which lack
boundary protection measures and segmentation
– Terminal hardware
– Safety-critical equipment or systems always
– Software updates
connected with the shore side
– Misconfigured systems
– Inadequate access controls for third parties
– Inadequate integration
including contractors and service providers
– Maintenance and design of cyber-related
If these vulnerabilities are well-known, it is also systems
widely recognised that incidents onboard are
In addition, ship networks are vulnerable to cyber
under-reported. Furthermore, a hallmark of
threats arising from:
successful cyber crime will be a lack of publicity.
In fact, the full extent of the incidents affecting – Email, Phishing, social media scams, etc.
shipping is therefore hard to gauge. In one alleged – USB memory stick as a source of malware
incident, a ballast water management system – Downloaded malware
cyber breach saw a ship heeled, with control only – Connection with infected devices – cell phone,
returned to the crew after a ransom was paid. laptop, tablet
However, the owner apparently preferred to leave – Unauthorised use of bandwidth, exposing a lack
the matter unreported, subsequently denying the of network segregation
whole episode over concerns that the ship would
These second types of vulnerability relate to ‘the
not be accepted for charter.
human element’, and specifically to weaknesses
It is nonetheless fair to point out that – for the in cyber resilience brought by shortcomings
connected ship – the vulnerabilities listed above in procedures, training and awareness among
are not simply exposed to the same spread of cyber personnel.
threats as land-based counterparts: they are also
Even setting aside the operational headaches, cost
subject to the General Data Protection Regulation
of system renewal and expenditure on training that
(GDPR). Effective in EU jurisdictions from 2018, GDPR
a cyber breach can bring, ships that fall victim to a
requires businesses to demonstrate sufficient
cyber attack can expect far-reaching implications
control and protection over the data they own
that may include:
- especially if they subsequently have a breach.
Failure to comply can bring fines of up to 4 per – Claims against interruption to operations, e.g., a
cent of an organisation’s global turnover or £17.5m, virus affecting onboard systems causes costly
whichever is higher. delays in getting to port, potentially leading to
cargo claims/charter party disputes and claims
With more devices on board, and more applications
for compensation
and media channels being used than ever before,
– Loss of business-sensitive information could
some ships are doubling their data usage every six

8 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

result in blackmail, with settlement no guarantee

of closure
– Insurance cover: impact on premiums due to lack
of cyber security measures
– Loss of reputation: corporate image tarnished by
vulnerability to hackers
– Privacy impact: fined for failing to secure
employee information

SYSTEMIC VULNERABILITIES
IMO highlights the following ship systems as
vulnerable to cyber attack:
1. Bridge systems
2. Cargo handling and management systems
3. Propulsion and machinery management and
power control systems
4. Access control systems
5. Passenger servicing and management systems
6. Passenger facing public networks
7. Administrative and crew welfare systems
8. Communication systems

inmarsat.com 9
White Paper
Cyber security requirements for IMO 2021

– Identify: Develop the understanding to manage

03 cyber security risk. Define personnel roles and
responsibilities for cyber risk management
THE BASIS FOR IMO 2021 and identify the systems, assets, data and
capabilities that, when disrupted, pose risks to
To be approved as IMO-compliant, after 1 January ship operations.
2021 every ship’s Safety Management System MUST – Protect: Safeguard to ensure delivery of critical
include a Cyber Security Plan. However, some will infrastructure services. Implement risk control
be unfamiliar with the rationale driving ‘IMO 2021’. processes and measures, and contingency
Regulators have aligned the provisions with planning to protect against a cyber-event and
International Safety Management Code (ISM ensure continuity of shipping operations.
Code) guidelines to ensure that companies and – Detect: Develop and implement activities
their employees, on ship and shore, observe the necessary to detect and identify the occurrence
Convention of the Safety of Life at Sea (SOLAS). of a cyber-event in a timely manner.
The ISM Code requires all identified risks to ships, – Respond: Develop and implement activities
personnel and the environment to be assessed and and plans to provide resilience and to restore
appropriate safeguards to be established. systems necessary for shipping operations or
services impaired in the event of a detected
IMO sees it as the responsibility of the ship owner/
cyber security breach/cyber-event.
manager to “Identify, Protect, Detect, Respond
– Recover: Identify measures to back-up and
[to] and Recover [from]” cyber attacks through the
restore cyber systems necessary for shipping
preparation of cyber security planning that can
operations impacted by a cyber-event. Maintain
be audited as part of a ship’s Safety Management
plans for resilience and to restore all that was
System. These functional elements can be
impaired by the cyber security event.
explained as:

10 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

Guidelines on Cyber Security Onboard Ships Version

2.0 were produced with input and support from
a joint maritime industry working group whose
members include BIMCO, Cruise Lines International
Association (CLIA), International Chamber of
Shipping (ICS), International Association of Dry
Cargo Shipowners (INTERCARGO), International
Association of Independent Tanker Owners
(INTERTANKO), International Union of Maritime
Insurance (IUMI) and Oil Companies International
Marine Forum (OCIMF). These guidelines describe
ship cyber security as “an inherent part of the
safety and security culture necessary for the safe
and efficient operation of the ship”. The guidelines
are addressed to senior management ashore and
onboard personnel alike.
The following section offers guidance on what ‘IMO
2021’ means in practice for owners.

inmarsat.com 11
White Paper
Cyber security requirements for IMO 2021

12 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

in accordance with the ISM Code. Routine

04 examinations would verify that a management
system includes cyber risk management with a
IMO 2021 IN PRACTICE cursory review of the system’s documentation.
By IMO resolution (MSC.428(98)), no later than Achieving and documenting compliance relies
a ship’s first annual Document of Compliance on ship owners and ships to having had their IT,
verification after 1 January 2021, any ship’s Safety operating technology systems, procedures and
Management System (SMS) will need to take crew training risk-assessed to demonstrate that
account of cyber risk management to secure Flag they are prepared for cyber attacks and the actions
State approval, in accordance with the ISM Code. that will be taken should systems be compromised.
The Cyber Security Onboard Ships Version 2.0 The IMO resolution on cyber risk - MSC.428(98)
Guidelines note that chapter 8 of the International – references MSC-FAL.1/Circ.3 on Guidelines
Ship and Port Security Code obliges ships to on maritime cyber risk management offer an
conduct security assessments, which should introduction to cyber threats in the maritime
include all operations that are important to protect. domain covering:
They should address radio/telecommunication – IT and OT systems
systems, including computer systems and – Intentional and unintentional threats
networks and those controlling and monitoring ship – Identify – Protect – Detect – Respond – Recover
to shore internet connectivity. The Guidelines note, – International best practices – ISO and EN
in the context of the fast adoption of digitalised standards
onboard OT systems, that systems “have not always
been designed to be cyber resilient”. This is all-embracing, and the modular concept
of the ISM Code is also flexible enough to offer a
The objective of a ship’s Safety Management framework for continuous improvement that can
System (SMS), meanwhile, is to provide for safe accommodate cyber security in a company’s SMS.
practices and a safe working environment by
establishing appropriate mitigation measures Even so, individual companies will clearly vary
based on an assessment of all identified risks in terms of systems, personnel, procedures and
to ships, personnel and the environment. As preparedness. The risks to a specific ship will
cyber-enabled systems present operational also be unique and dependent upon the specific
risks, the justification for incorporating cyber risk integration of cyber systems aboard.
management into Safety Management Systems is It is nonetheless up to ship owners and operators
self-evident. to assess their cyber risks and to implement
To verify that companies have adequately and appropriate mitigating measures: each ‘Document
appropriately implemented and incorporated of Compliance’ holder must consider their own
appropriate cyber risk mitigation into their cyber risks and implement necessary measures in
SMS, internal and external audits are required their SMS.

inmarsat.com 13
White Paper
Cyber security requirements for IMO 2021

ISM CODE CYBER SECURITY PROCESS

(SOURCE: DEUTSCHE FLAGGE – ISM CYBER SECURITY 2018)

1. POLICY 8. QUALIFICATION 9. EMERGENCY

2. RESPONSIBILITY 7. OFFICE SUPPORT 10. REPORTING 15. CIP (Improvement)

3. COMPLIANCE 6. MASTER 11. PMS 14. EVALUATION

4. RISK ASSESSMENT 5. SMS (RESULT RA) 12. DOCUMENTATION 13. VERIFICATION

Incorporating cyber risk into the SMS can take – IoT Systems
several months, depending on the complexity of – Navigation
the systems onboard the vessel involved. Meeting – Engine Control
the 2021 deadline, or the first inspection thereafter – Cargo Control
will require a combination of technical mitigations, – DP, Gas, Firefighting, etc.
revised (or new) procedures and staff/crew training – ICT – Business Computer System
to develop a practical and cost-effective route to – ICT – Crew Systems
compliance.
This list needs to include:
It is important to add that ISM does not prescribe a
Hardware
calendar schedule for assessing new risks, instead
advising that they are accommodated as soon – Record make, model, version, function on all your
as possible. For this reason, the SMS should be hardware
considered by owners as a ‘live’ document that is – Individual hardware (and IP address) and patch
regularly updated and improved as risks evolve. panel, power
– Take note of possible attack surface/connection
point among your hardware and work to secure
SYSTEMS INVENTORY them (USB, Ethernet, exposed wiring)

Developing a process to identify, protect against, Software

detect, respond to and recover from cyber attacks – Record make and version of the applications
is no box-ticking exercise: in the first instance, the used on ship across all hardware. Firmware and
ship owner/manager must establish an inventory of software application versions, patch levels,
all critical hardware and software systems onboard malware protection
each of its ships, listing the:

14 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

Existing documentation should be used as much as normally be responsible for the owner/manager ISM
possible (especially Technical & Engineering details. documentation system for ships, for example.
In terms of response and recovery, it is also the Critically, under IMO 2021, at a minimum a ship’s
owner’s/manager’s responsibility to formalise the SMS will identify the party ashore and onboard
workarounds that address cyber security gaps, so taking responsibility for cyber security (ICT
that the ship can continue to operate in the event Manager, Chief Security Officer, or any other).
of a cyber attack or its aftermath, or risks can be
In broad terms, that individual will take
mitigated. Workaround plans for critical systems
responsibility for:
and processes should be incorporated into the
network and system design and described for – Having an understanding of the extent of cyber
Captains in a vessel’s emergency manuals. These risks
plans should include instructions and/or checklist – Managing crew awareness of and preparedness
in the event of critical system failure, due to cyber for threats to the vessel’s systems
incident or unplanned system breakdown without – Steps to secure ship systems to minimize the
a need to request and wait for help from the shore impact if a threat is actualised
office. Given that, in line with the ISO27001 standard, IMO
The responsibility for verifying these steps when 2021 also states that the owner’s risk assessment
the ship’s Document of Compliance is due for should be auditable for the following attributes:
renewal also falls to the ship’s owner/manager. – The hardware installed
– The software in use
– Details of what is connected to the network
RISK ASSESSMENT SCOPE – How the above is protected
The goal of the assessment of a ship’s network The Fleet ICT Manager will need to work with the
and its systems and devices is to identify any Head of Crewing to ensure that Crew understands
vulnerabilities that could compromise or result the importance of cyber security and have been
in either loss of confidentiality, loss of integrity trained either in the classroom or online. A record
or result in a loss of operation of the equipment, of the crew’s performance in these training
system, network, or even the ship. As explained exercises should be kept on file by the HR/Crewing
elsewhere, these vulnerabilities and weaknesses department.
broadly fall into one of the following categories:
1. Technical such as software defects or outdated
or unpatched systems
2. Design such as access management, unmanaged
network interconnections
3. Implementation errors for example
misconfigured firewalls
4. Procedural or other user errors

RESPONSIBILITIES
IMO 2021 requirements do not cover servers or
staff onshore but they clearly have a major impact
on fleet management. For example, the individual
managing the Fleet IT policy and documentation
(usually, the ‘Fleet ICT Manager’) will would also

inmarsat.com 15
White Paper
Cyber security requirements for IMO 2021

RELATED CYBER SECURITY GUIDELINES 2. NIST framework

Published in 2014 by the US National Institute of
Related guidelines
Standards and Technology, the NIST CSF guide
IMO’s GUIDELINES ON MARITIME CYBER RISK focuses on the same five functional elements
MANAGEMENT refer to three specific guidelines as presented by the IMO for risk management -
having been developed to help shipping get ‘cyber Identify, Protect, Detect, Respond, Recover, to
ready’: assist organisations in:
1. Guidelines on Cyber Security Onboard Ships – Describing their current cyber security posture
– BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, – Describing their target state for cyber security
INTERTANKO, OCIMF, IUMI and WORLD SHIPPING – Identifying/prioritising opportunities for
COUNCIL. improvement within a repeatable process
Guidance to ship owners and operators on – Assessing progress toward the target state
procedures and actions to maintain the security of – Communicating among internal and external
cyber systems in the company and onboard ships; stakeholders about cyber security risk
designed to help owners understand, and manage: The NIST framework includes usable profile
– Limitation and control of network ports, templates for use in risk assessment profiling at
protocols and services the individual vessel level. The resulting profile
– Configuring network devices such as firewalls, will help to identify and prioritise actions to align
routers and switches policy, business and technological approaches in
– Secure configuration of hardware and software order to manage and reduce risks.
– Protecting web browsing and email 3. ISO27001
– Satellite and radio communications The ISO27001-Annex A of cyber security objectives
– Defences against malware is published currently as ISO 27002. Here, cyber
– Data recovery capability security controls are not specifically focused on
– Wireless Access control Critical Infrastructure Protection or on the Maritime
– Application software security (patch Industry, but with appropriate focus on cyber risk
management) they may be applied by any organization.
– Secure network design
ISO27001 is also the only information security
– Physical security
management system standard that can be
– Boundary defence
independently certified with a level of authority.
The Guidelines also includes procedural controls for
crew, including training and awareness, software
maintenance and upgrades, and anti-virus updates.
However, the Guidelines are not a basis for external
auditing of a company’s/ship’s approach to cyber
risk management.

16 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

to Port State Control or any other recognized

05 authority that the ship, its systems and its crew are
prepared for cyber risks and what to do about them
IMO 2021 COMPLIANCE in the same way that they would need to document
any other safety issue.
Managing cyber risk onboard ship is considered
a natural extension of current operational risk Therefore, prepared answers are needed to the
management practices incorporated into existing questions:
Safety Management Systems within the existing – What assets do we have (kind of hardware/
ISM Code. software and what is connected to the network)?
The relevant MSC.428(98) - Maritime cyber risk – What would we do if they do not work?
management in safety management systems – How are assets protected?
resolution therefore: – What would we do if they were compromised?
– Who has control ashore and onboard?
caret-right Affirms that an approved safety management
system should consider cyber risk management As well as being able to liaise with or identify the
in accordance with the objectives and functional person responsible for cyber security on the ship,
requirements of the ISM Code. the Port State/Flag State/RO auditor should be
able to check that the Safety Management System
caret-right Encourages administrations to ensure that
documents this and shows that the ship’s owner or
cyber risks are appropriately addressed in safety
manager:
management systems no later than the first
annual verification of the company’s Document 1. Has identified the systems on-board and outlined
of Compliance after 1 January 2021. the relevant cyber risks
The owner/manager must be able to demonstrate 2. Has the ability to detect breaches in cyber
security onboard

inmarsat.com 17
White Paper
Cyber security requirements for IMO 2021

3. Has measures in place to protect systems and of backup email ID from ship-to-shore and from
software onboard shore-to-ship
4. Has response measures in place to deal with – Fall back to paper charts in case of compromised
a cyber attack, specifically related to system ECDIS
redundancy, training and workaround plans
In all cases, the Fleet ICT Manual inserted into
the Ship’s SMS/ISM Code documentation should
provide full guidance and document the Cyber
RESPONDING TO CYBER ATTACKS Security Plan for all critical on-ship systems.
The Cyber Security Plan should, at minimum,
include:
– A process for initial incident triage
TRAINING FOR CYBER ATTACKS
– Steps to quarantine all electronic traffic to and As the Plan is part of the Vessel’s ISM it is also
from ship or fleet. Procedures for alerting and essential to periodically carry out drills to test any
requesting communication vendors to check issues, train the crew, HSSE (Health, Safety, Security
traffic & Environment) team and any other stakeholders
– Procedures for keeping corporate IT security on how to respond to a cyber incident onboard ship,
department abreast of the situation and encourage a culture of continual improvement.
– Procedures to secure/establish backup This means ship owners and managers should give
communications to the affected vessel(s) cyber security drills the same weight as they give
– Steps to stabilize and isolate the infected system any regular Incident Management Drill – whether
to guard against further spread for grounding, ship fire or collision.
– Steps for gathering Intelligence and evidence
Under the new regime, cyber drills should be
from affected systems
conducted across the fleet at least once a
– Procedures for executing recovery of critical
year to test response procedures and assess
systems remotely
crew preparedness, procedures during a cyber
– Arrangements for completely replacing the ICT
incident onboard. It is essential that the Ship
system at the next safe port after a cyber event
Manager’s Incident Commander takes charge
and demonstrates effective leadership in these
exercises to ensure the security of the ship, its
RECOVERY FROM CYBER ATTACKS crew and cargo, while allowing the Fleet IT team to
Workaround plans are required to take account of concentrate on securing the ICT infrastructure and
possible failures in critical shipboard systems, with resolving the cyber issues.
the processes described in a vessel’s emergency In addition, regular anti-phishing campaigns and
manuals so that the Captain can respond without penetration testing using simulated malicious
the need to ask for help from/wait for shore-based emails can maintain high-levels of crew vigilance
colleagues. These plans should provide the Captain and test onboard systems and processes.
with instructions and/or a checklist on what to do. Penetration testing by professional ‘white-hat’
In the case of cyber resilience, workarounds plans hackers should also take place to identify technical
might include: weaknesses.
– Actions to restore crashed/ failed email clients or
degraded/failed ship-shore communication links;
use backup FleetBroadband for email/voice until
A PATHWAY TO COMPLIANCE
recovery As the leading supplier of ship-to-shore
– Actions to work around/recover failed PCs connectivity in commercial shipping, Inmarsat
– Usage of citadel telephone to send telex; testing is also a stakeholder where the development of

18 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

industry best practices are concerned, both as THE COMPLIANCE CHECKLIST

a service provider and as custodian of a global
1. As a ship owner/manager, to defend your IT set-
network that is secure across all touchpoints. In
up you MUST:
fact, its secure, encrypted network uses military-
grade satellites, is fully approved by the highest – Know what you have: all IT systems/systems
standards of the IMO and is fully audited by the controlled by IT - including Main Engines and
stringent standards of International Mobile Satellite Navigation Systems, etc.
Organization (IMSO). – Defend what you have: to fight off basic
threats to your organization, systems
Based on its experience of offering a secure
should be designed to guard against failure,
communication platform from the onshore office to
using Software/Hardware/Ship’s Systems
the maritime terminals onboard ship, Inmarsat has
redundancies.
developed security services designed to uphold
– Be able to recover: workarounds and recovery
cyber resilience at sea. These are most effective
processes must be in place for ICT and Ship’s
with Inmarsat's high-speed service Fleet Xpress
systems, with crews trained and at least Yearly
and include:
Incident Drills for Cyber Security.
– Fleet Secure Endpoint - a powerful multi-layered
2. However, IMO 2021 Compliance is NOT just
endpoint security solution for remote monitoring
about defending ICT against cyber threats. It is
of onboard computers
about Total IT Best Practice on a ship’s:
– Fleet Secure Cyber Awareness - a mobile training
app for crew to gain up-to-date cyber security – IT system AS WELL AS
knowledge – Technical, Navigation, Safety and Mechanical
Systems.
The following section of this report offers guidance
covering Fleet Secure Endpoint, with a specific 3. Therefore, as an IMO 2021-compliant cyber
focus on the digital tool’s potential to offer direct secure ship owner/manager, you MUST:
support to ship operators/owners seeking to – Know what they have – Establish and record all
implement IMO 2021-ready cyber security SMS. the systems (ICT and Technical) used on your
While not representing compliance itself, Fleet ships (including make, model, version, software
Secure Endpoint implementation provides ship updates, supplier, etc.).
network protection based on IMO’s ‘identify, detect, – Defend what they have - Ensure that steps
protect, respond, recover’ pillars for cyber security are being taken to harden ICT and Technical
planning. In offering a fully IMO-compliant reporting systems against cyber threats.
solution, it also supports operators/owners to – Be able to recover – update all documentation
achieve compliance at every stage in an orderly onboard to include guidance on what to do in
and straightforward manner. case of IT or Technical system failures on ship,
including IT Policy in ISM Manuals, Training for
Crew, Workarounds Process and Drills.

inmarsat.com 19
White Paper
Cyber security requirements for IMO 2021

– Fostering a culture where Inmarsat people

06 embrace security and where threat-based
security measures are embedded in their day-to-
FLEET SECURE ENDPOINT - AN day working
– Sustaining a demonstrable framework for
INTRODUCTION effective, efficient, and adaptable threat-based
cyber risk management
Inmarsat’s objective is to deliver cyber
Day to day protection of Inmarsat’s Information
resilient digital services and mission-critical
Systems infrastructure is the responsibility of the
communications to its global maritime customers.
Security Operations Team. Inmarsat has instituted
It does so by:
an in-house 24/7 Cyber Security Operations
– Embedding threat-based risk management into capability that collaborates actively with the cyber
Inmarsat systems, products and services security intelligence community as well as Cyber
– Delivering operational resilience by identifying, Security, our partners and maritime customers to
managing and responding to cyber threats with tackle cyber threats and manage incidents.
people, process and technology capabilities

20 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

SECURITY AND ENDPOINTS were conceived around a machine-centric view of

security and worked by scanning and quarantining
Security devices such as Unified Threat suspicious files to prevent them from being
Management/Next Generation Firewall sit at the launched and were not geared to offer protection
ship network level, where they detect and protect against attacks launched on a machine from its
against attacks commonly made from shore to ship host network.
and vice versa. However, while network monitoring
will display a detailed view of the vessel’s IT Conventional AV software requires constant
infrastructure, it will not have any jurisdiction over updates of new signature files to remain current.
the endpoint, meaning that endpoints such as Having only one security feature to protect the
business-essential PCs and crew laptops remain at endpoint will rely heavily rely on a signature set by
risk. one security vendor and, in many cases, individual
security vendors will not catch 100% of malware.
Traditional anti-virus solutions were not really To maintain integrity, a full system scan would also
designed to prevent the sort of sophisticated and be required after every update, which would often
targeted malware that has become the mainstay slow the machine’s performance to a crawl and
of today’s maritime cyber threat landscape. They frustrate end-users.

inmarsat.com 21
White Paper
Cyber security requirements for IMO 2021

If no or lower forms of security is installed on the FLEET SECURE ENDPOINT ONBOARD

endpoint, then it is at risk of infection even if the
ship network is protected by a security device. Fleet Secure Endpoint provides an extension of
For example, someone plugging a USB into the security to all endpoints on a vessel and delivers
computer can infect it even without clicking several security functions in a single managed
anything. If a network security device is being used, service which protects everything from business
then it may recognize the device is infected but essential PCs to crew laptops. Fleet Secure
cannot clean the infection. Endpoint can be applied to multiple Inmarsat
maritime services – Fleet Xpress, FleetBroadband,
With new variations of malware emerging almost and Fleet One.
daily, no single vendor was able to keep up and
include all new signatures in their database. Cyber Fleet Secure Endpoint scans the network for
criminals preference for the latest iterations security issues and records its findings, providing
shows they know this and actively exploit the lag an auditable trail covering alerts and network
between new malware being detected, a signature status. Its reach extends to any new devices joining
being developed, and an update being issued and the network. Whilst Fleet Secure Endpoint itself
installed. does not deliver IMO 2021 compliance, it provides
the ship owner and ship manager with a cyber
Inmarsat Fleet Secure Endpoint avoids many of security solution that facilitates and supports
these shortcomings as it was built from scratch compliance.
with a network-centric view of security in mind but
targets endpoints. Endpoint protection is a crucial
step to ensuring layered protection and not just
relying on firewalls, company policies, and network
security devices to be the saving grace for security.

22 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

MORE THAN ANTI-VIRUS

Standard anti-virus is no longer adequate protection

GENERIC ENDPOINT FLEET SECURE

ANTI-VIRUS PROTECTION ENDPOINT
(Bitdefender, (ESET Protection)
Symantec, etc.)

Anti-Virus (Anti-Spyware, Anti-Phishing) R R R

Web control R R

Two-way firewall R R

Botnet protection R R

Ransomware prevention R R

Multi-engine scanning R

Network monitoring R
Asset inventory (software, hardware,
driver, etc.) R

Endpoint health status alerting R

Endpoint threat alerting R

inmarsat.com 23
White Paper
Cyber security requirements for IMO 2021

07 PROTECT
Fleet Secure Endpoint is built around ESET Endpoint
FLEET SECURE ENDPOINT AND Security, an award-winning enterprise-grade
endpoint security product, and has special
FLEET XPRESS - SUPPORTING IMO adaptations for use in a maritime setting. It not only
detects and blocks files with known signatures
2021 COMPLIANCE from operating but monitors low-level system calls
and actively analyses software for suspicious
Fleet Secure has been designed to align with IMO’s behaviour in real time.
five pillars for cyber resilience, namely: identify; – Botnet protection shuts down malicious
detect; protect; respond; and recover, while its connections to known botnets. Botnets hijack a
reporting function has been developed with IMO machine without the owner’s knowledge to carry
compliance in mind. In addition, an ISO 27001 audit of out Distributed Denial of Service (DDOS) attacks.
Fleet Secure Endpoint conducted by DNV GL When activated, they consume processing power
describes Fleet Secure Endpoint as a single product and cause spikes in bandwidth consumption.
which can assist in achieving IMO 2021 compliance. – Multi-engine scanning broadens detection by
Although Fleet Secure Endpoint works across all of using malware signature databases from multiple
Inmarsat's maritime services, to maximise protection security vendors so that new fingerprints not
and compliance Fleet Secure Endpoint should be known by all vendors are included during
used in conjunction with Fleet Xpress, which provides inspection.
reliable high-speed internet access with the ability to – Ransomware prevention detects and prevents
separate crew and business traffic and make it easier malicious encryption attempts before they have a
to respond to and recover from attacks. chance to initiate and encrypt the device.
– Two-way endpoint firewall blocks malicious
incoming and outgoing network traffic.
IDENTIFY – Anti-spyware terminates malicious applications
designed to steal sensitive information.
Fleet Secure highlights where errors and warnings
– Anti-phishing blocks connections to sites known
have occurred in the vessel/fleet, which enables the
to extract confidential user information.
designated security personnel to quickly ascertain
– Web control allows the system administrator
potential weak spots that require further
granular control over the websites users can visit.
investigation. It does this using a powerful network
– Endpoint Threat alerting sends an email
scanning and monitoring module, called Teyla, that
notification to the system administrator listing
automatically detects devices on the local network
recently detected threats on vessels.
and checks whether Fleet Secure Endpoint is
installed. If not endpoints will be marked as ‘rogue
nodes’ and alerts are raised as an alert. The
designated security officer can either allow or deny RESPOND
network access privileges to that device. Knowing how to react during and after a cyber-
This oversight means someone on the vessel is incident is critical to a well-rounded cyber security
always aware of what is connected to their network. strategy. It is necessary to envisage a wide range of
To aid network audits, on machines where installed, potential scenarios and plan the steps needed, to
Fleet Secure Endpoint will also collect data on contain their impact on vessel operation and safety
installed software, hardware and system and secondly to restore impaired systems and
configuration. recover data in a timely fashion.

24 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

inmarsat.com 25
White Paper
Cyber security requirements for IMO 2021

Fleet Secure Endpoint can assist the response and respond by blocking it, removing it and
stage in several ways. In contrast to off-the-shelf finally reporting it. The built-in memory analysis
products, the service is enhanced by round-the- will detect both known threats and new security
clock monitoring by a dedicated team of IT experts vulnerabilities. If Fleet Secure Endpoint recognises
based in the Inmarsat Security Operating Centre, a file to be malicious, it will be stored in a dedicated
who check security events or other signs of unusual quarantine location on the device. Quarantined files
network activity on a vessel as and when they are stored in a location that ensures the malicious
occur. They are supported by marine engineers with file cannot infect the system.
extensive knowledge of different hardware and
Once a security incident has been brought under
software systems found on modern vessels.
control and the immediate threat has been
Via the portal, the ship owner’s in-house IT team neutralised, attention shifts to restoring and
can roll out updates in real-time, quickly and reconnecting systems needed for normal vessel
remotely to all computers installed with Fleet operation. Work also begins on investigating the
Secure Endpoint in the wake of an incident, in order exact cause of the incident and taking measures to
to prevent an attack spreading across the fleet and prevent a recurrence or similar event from taking
reduce exposure to similar attacks in the future. place elsewhere in the fleet.
Additionally, the shore-based portal retains a
centralised log of all flagged security events and
allows bespoke alerts to be created. For example, REPORTING
alerts can be set up to warn when a certain virus Fleet Secure Endpoint comes with extensive built-
or class of virus is detected or certain software in reporting functionality which can help in this
requires updating. exercise. A full report can be created on the vessel,
The asset management functionality incorporated containing a record of all devices connected to
into Fleet Secure Endpoint gives offers a clear the network, their hardware and the software
overview to designated security personnel and that is installed. This report can be given to port
IT staff of which devices are onboard and which state control and/or authorities to show them the
devices have Fleet Secure Endpoint installed. It also vessel has been taking adequate steps to minimise
provides detailed information on assets and the cyber security risks on board. While Fleet Secure
software environment available for responding to Endpoint implementation does not by itself achieve
an incident and for analysis during the post-incident compliance, Fleet Secure Endpoint reporting is fully
review. IMO compliant.

– Alerting offers pro-active insight on what is The Fleet Secure Endpoint Security report shows
happening on board and helps react to incidents the following:
– Alerts can be created to E-mail the user when – Network connected devices with Fleet Secure
events happen on board, such as virus detections Endpoint installed, devices without Fleet Secure
or outdated software Endpoint installed
– A single agent handles all Fleet Secure Endpoint – System specifications such as free disk space,
related activities and multiple software packages CPU and amount of memory
are not needed, saving system resources – Installed software and their version
– A 24/7 Security Operations Centre takes action – Security events such as neutralized viruses and
when needed blocked USB drives
– Acknowledgements of the Security Operations
Centre team based on security events
RECOVERY Reports are generated in formats like PDF and can
If an infection is detected onboard, Fleet Secure be printed onboard so that the master of the vessel
Endpoint will automatically detect the infection can circulate them among staff and easily integrate

26 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

them into a vessel’s safety management manual, or FLEET SECURE ENDPOINT - THE COMPLIANCE
show port inspectors that steps have taken steps CHECKLIST
to protect the vessel and its assets. Even if a vessel
1. As a ship owner/manager, to defend your IT set-
has not been the target of an attack, Inmarsat
up you MUST:
recommends that these reports are periodically
reviewed to steer ongoing improvements to a – Know what you have: all IT systems/systems
vessel’s cyber risk management plan. Any Cyber controlled by IT - including Main Engines and
Review in the Change Management Process should Navigation Systems, etc.
– Defend what you have: to fight off basic threats
– Include ICT staff when making major changes in
to your organization, systems should be designed
ship’s system
to guard against failure, using Software /
– Ensure Cyber Security is considered in the end-to-
Hardware / Ship’s Systems redundancies.
end process when supplying new equipment
– Be able to recover: workarounds and recovery
processes must be in place for ICT and Ship’s
systems, with crews trained and at least Yearly
MANAGEABILITY Incident Drills for Cyber Security.
Using the Fleet Secure web portal the ship 2. However, IMO 2021 Compliance is NOT just about
operator/owner can remotely upload configurations defending ICT against cyber threats. It is about
to be implemented onboard so that Fleet Secure Total IT Best Practice on a ship’s
Endpoint can be configured remotely. The user can
– IT system AS WELL AS
also configure alerts to reflect owner/operator
– Technical, Navigation, Safety and Mechanical
preferences, so that events such as virus detections
Systems.
or blocked network attacks are also flagged up.
3. Therefore, as an IMO 2021-compliant cyber
In common with any proposed solution, Fleet
secure ship owner/manager, you MUST:
Secure Endpoint will only assist in reaching IMO
compliance when correctly implemented: this – Know what they have – Establish and record all
means the risk assessment needs to have been the systems (ICT and Technical) used on your
completed, while the Fleet Secure Endpoint monthly ships (including make, model, version, software
report will included in the Safety Management updates, supplier, etc.).
Manual. – Defend what they have - Ensure that steps are
being taken to harden ICT and Technical systems
against cyber threats.
– Be able to recover – update all documentation
onboard to include guidance on what to do in
case of IT or Technical system failures on ship,
including IT Policy in ISM Manuals, Training for
Crew, Workarounds Process and Drills.
4. Fleet Secure Endpoint helps you, as a ship
owner/manager to:
– Step 1 Know What you have: Fleet Secure
Endpoint includes a module logging any new
hardware added to your network.
– Step 2 Defend what you have: via strong AV,
WebControl, Network Monitoring.
– Step 3 Recover – Fleet Secure Endpoint’s crew
training module covers a significant part of the
training needs demanded for IMO 2021
Compliance.
inmarsat.com 27
White Paper
Cyber security requirements for IMO 2021

FLEET SECURE ENDPOINT KEY FEATURES AND

BENEFITS":
– No additional hardware is required. Protections
are primarily introduced at the network level,
with ‘lightweight’ software installed on the
end-user machines to handle updates and
communicate system status back to the server
PC
– Multi-layered security. In addition to anti-virus,
Fleet Secure Endpoint features anti-phishing,
anti-spyware and botnet protection among other
features
– Enhanced network oversight: Fleet Secure
Endpoint includes sophisticated remote network
monitoring of endpoints
– Remote monitoring and auditing: Shore-based
portal lets in-house IT teams keep track of all
security events, set up alerts and remotely roll-
out configuration updates
– 24/7 Security Operations Centre: Fleet Secure
Endpoint is supported by a dedicated team
of trained cyber security experts and marine
engineers, with engineers having been onboard
vessels and so fully aware of the environment
– Low bandwidth consumption: Averages only
7Mb data per vessel per week, with lower options
available on request (for vessels that are at
always-on connection with no data limit the data
usage is higher)
– Tailored for maritime: One server located on the
vessel to manage all endpoints

28 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

inmarsat.com 29
White Paper
Cyber security requirements for IMO 2021

– How long the system has been running

08 – Device hardware, such as remaining hard drive
space, type of processor, etc.
FLEET SECURE ENDPOINT - – Which operating system the device is using
The portal has two versions, namely ship and shore.
INSTALLATION AND USE With the ship version, all activities performed
onboard can be accessed, including holding
Despite its superior scope and functionality, Fleet
download files for clients manuals and mapping out
Secure Endpoint is as straightforward for the
of all endpoints onboard the vessel. However, the
user’s ICT team to install as conventional anti-virus
shore side portal holds detailed information such
software developed by Inmarsat to protect ship
as events and alerts for the fleet and also for each
systems (AmosConnect AV and Globe AV).
vessel. The IT team of the vessel or fleet will have
access to the shore side portal.
FLEET SECURE ENDPOINT INSTALLATION It is also possible to view the results of the network
scans performed onboard and see which devices
For a standard vessel network and under normal do or do not have Fleet Secure Endpoint installed.
circumstances, and taking account of safety For the devices that have Fleet Secure Endpoint
guidance offered by vendors, the installation can be installed advanced logging is available, allowing
expected to be completed on clean computers in users to see things such as (but not limited to):
approximately two hours.
– Firewall logs (when an attack or an event
The clean computer provides the optimum case for happens which triggers the firewall)
any anti-virus software installation. However, pre- – Device control logs (when USBs were inserted,
existing anti-virus software can present challenges whether they were blocked)
and the user’s ICT team will need to remove it – URL blocker logs (whether sites were blocked)
before Fleet Secure Endpoint is installed. Inmarsat
provides user guides/scripts to support the removal
of third-party anti-virus software.
DASHBOARD AND ALERTING
Even so, it should be emphasised that there is no
The Fleet Secure Endpoint web portal can be
requirement for the ship network to stop working
used to view events that occur on the vessel and
in order to install or operate Fleet Secure Endpoint.
configure alerts based on those occurrences. Alerts
Fleet Secure Endpoint has a built-in firewall, where
will notify the user or multiple users via E-mail. The
ports can be opened for the most commonly used
user can configure alerts for events such as (but
applications on board.
not limited to):
The Inmarsat Security Operations Centre offers
– Virus threats (receive a notification if a virus is
oversight for internet-connected ships to support
detected)
installation and the removal of old systems.
– Firewall events (receive a notification when an
attack/event happens which triggers the firewall)
– When a new device has been detected on
FLEET SECURE ENDPOINT IN USE the network that does not have Fleet Secure
Once installed on a device, Fleet Secure Endpoint Endpoint installed
will start reporting to the web portal. The web – Software version control (receive an alert when a
portal can then be used to view elements such as new version of installed software is available)
(but not limited to): – User intrusion detection (receive an alert when a
failed login occurs)
– Installed software
– Running windows services Multiple OS Fleet Secure Endpoint supports

30 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

multiple operating systems. For Windows operating Scenario: a crew member opens a phishing email
systems, Vista and up is supported. OSX, Linux and
The Fleet Secure Endpoint response:
their mobile counterparts IOS and Android are also
supported. – Scenario 1: If Fleet Secure Endpoint is fully
updated then it should detect that virus.
Fleet Secure Endpoint is distinguished from
– 1.1: The Inmarsat Security Operations Centre is
Endpoint Detection & Response (EDR) packages.
notified of this activity.
While these solutions are highly effective, they
– Scenario 2: Fleet Secure Endpoint is not
demand strict ship networking setup to ‘signature’
updated, the virus is not detected, and the
and check every file on the vessel, consuming huge
ransomware process is not stopped.
amounts of data. Fleet Secure Endpoint addresses
– 2.1: The Inmarsat Security Operations Centre is
attacks and infections without needing to signature
notified of this activity.
each file, saving on costs and data usage. In fact,
– Scenario 3: The firewall in Fleet Secure Endpoint
Fleet Secure Endpoint frequency and control
introduces segmentation of the network so that
reporting times can be adjusted, with data usage
the virus cannot spread to other PCs as they
as low as 7MB a month. Where ships have internet
block the incoming attack.
connectivity, Inmarsat recommends more frequent
reporting of network status so that its security Fleet Secure Endpoint handles all of these
operation centre can take swift action when scenarios automatically. An option is also available
malicious traffic is detected. to block out an endpoint from the network
remotely.
In addition, Fleet Secure Endpoint can be used
onboard vessels using FleetBroadband as their
connectivity solution. In this case, trench rules
need to be set correctly and onboard firewalls
(if any) must be updated to accommodate Fleet
Secure Endpoint IPs and port numbers.

FLEET SECURE ENDPOINT USE IN

CONTEXT
As noted earlier, Fleet Secure Endpoint installation
provides a route towards IMO 2021 compliance,
rather than offering a complete compliance
solution. However, in summary IMO 2021 can be
achieved using Fleet Secure Endpoint and its cyber
security reporting/response functionality covers
all of the IMO 2021 guidelines into the ship’s Safety
Management Manual.

inmarsat.com 31
White Paper
Cyber security requirements for IMO 2021

Secure Endpoint at a discounted rate. Using a

09 combination of video modules, transcripts and a
concluding test, the course has been developed
CYBER SECURITY, CREW TRAINING in accordance with BIMCO, IMO, ICS and IACS
guidelines and has been approved by the Institute
AND AWARENESS of Maritime Engineers, Science and Technology and
the University of Sunderland, UK. It is also in line
Cyber attacks are constantly evolving and with the provisions of TSMA self-assessment.
becoming more devious in their workings and,
Uniquely, the course is deliverable by an app for
while technical countermeasures will stop the vast
download through Google Play and AppStore to
majority of attempted attacks, they are intrinsically
smartphones, tablets and laptops, after which it
reactive in their operation.
can be accessed offline. Guidance based on the full
The remainder of the protection relies on extent of IMO Cyber Awareness expectation can
staff vigilance, preparedness procedures and therefore be learned during voyages without the
understanding. Weak cyber security in any one of need for scheduled classroom training during busy
these areas may undermine robustness elsewhere. port stopovers, or even connectivity whilst at sea.
Crew education is therefore an indispensable
Focusing on the basics of cyber security for
component in a well-rounded security strategy: a
the maritime user, the course is suitable for all
small investment in training and awareness can
levels ashore and at sea, enabling seafarers to
prove enormously valuable.
familiarise themselves with attacks they are likely
Alarmingly, a 2018 Futurenautics survey that to encounter in their day-to-day duties. It also offers
recorded 47% of vessels as having come under practical tips on how to avoid becoming a victim or
cyber attack and 80% of cyber breaches as endangering their vessel.
resulting from individual errors also saw 85%
Each 30-minute training module covers:
of crew reporting that they had never received
any cyber training. Some estimates suggest that Š Digital threats using personal information
50% of ship system disruptions are the result Š Digital threats using IT devices
of USB ‘abuse’, where infected memory sticks or Š The physical and human threat
mobile devices (including secondhand phones) Š Final competency test and completion
are plugged into the port. Other common cyber certificate
weaknesses include easily guessed passwords and Subject to achieving a score of 80% from 20
responsiveness to phishing. randomised questions, seafarers receive a
In bringing Cyber Risk Management into the ISM certificate valid for four months from the University
Code, MSC 428 (98) follows the September 2019 of Sunderland and a certificate of Continuing
edition of the Tanker Management Self-Assessment Professional Development from the Institute of
(TMSA) scheme and the latest Ship Inspection Marine Engineering, Science and Technology.
Report Programme (SIRE) questionnaire to include By completing this course, all personnel will be able
cyber awareness training in IMO guidelines to further understand the principles and actions
mandatory requirements. they must adhere to, thus ensuring that they are
Inmarsat has been one of the partners contributing fully compliant with the TMSA and IMO regulations.
to a Maritime Cyber Security Awareness training It will also help allay the fears of many within the
course developed for Stapleton International by sector and ensure that they remain cyber safe at
MLA College, which is available to users of Fleet sea.

32 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

inmarsat.com 33
White Paper
Cyber security requirements for IMO 2021

10
FLEET SECURE ENDPOINT - REAL CASE
STUDIES
CASE 1
CASE 2
Vessel type: Undisclosed
Vessel type: Liquid Ethylene Gas Carrier
Assailant: Multiple infections with normal anti-
virus installed Assailant: Emotet trojan, causing vessel
operations to stop
The customer was using Palo Alto cyber security
software when the vessel was hit by multiple Emotet is well-known as a trojan in banking circles
infections, including Trojans, Worms and data but was detected as infecting the majority of
exfiltration viruses infesting the system. The machines onboard a LEG Carrier, becoming active
customer decided to install Fleet Secure Endpoint whenever a PC was switched on. The virus can
as part of a shipboard trial. Inmarsat’s engineer intercept and exfiltrate data transmitted and
found 79 infections that had not previously been saved when the user is browsing banking websites,
detected. resulting in leakage of sensitive data and malicious
use of the user's banking details.
Among the significant findings, the HTTP Filter
detected users onboard unknowingly visiting As part of a Fleet Xpress agreement, the ship was
websites serving malicious code. The connection equipped with two Fleet Secure Endpoint security
was dropped, and the user informed accordingly. modules, installed across all PCs onboard:
Again, the Fleet Secure Endpoint email filter caret-right Advanced Memory Scanner – This detected
detected infected attachments, including: Emotet in the memory, terminated and blocked it
– CoinMiner.T trojan (A trojan which uses system from recurring.
resources to mine cryptocurrency for its caret-right Heuristic Intrusion Prevent System (HIPS) – This
distributor) detected the malicious code being executed and
– TrojanDownloader.Agent.OJL trojan (a trojan stopped the execution of this code.
capable of downloading and executing other The virus was successfully cleared from the
malicious code) memory on all infected devices.
– Agent.AQ trojan (A trojan agent template
frequently used as a starting point for malicious
code that can be modified to do whatever the
malicious actor wants)
The Fleet Secure Endpoint email filter disposed of
these infections, preventing further infections.

34 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

CASE 3 CASE 4
Vessel type: Undisclosed Vessel type: Bulk carrier
Assailant: Sohanad worm Assailant: CoinMiner
A USB memory stick infected with the NCB worm The vessel in question had trialled Fleet Secure
Sohanad was connected to an endpoint onboard Endpoint. After the trial’s conclusion, the ship ran
ship. Sohanad spreads via removable media and for two months without Fleet Secure Endpoint. On
shared folders: once it has infected any part of re-installation of Fleet Secure Endpoint, all devices
the network, it tries to replicate itself by infecting onboard that were tested were found to have
applications and files. been infected with a CoinMiner. CoinMiners use a
device’s processing power to mine cryptocurrency
Two Fleet Secure Endpoint security modules were
for the attacker without the user’s knowledge.
implemented:
Fleet Secure Endpoint was able to neutralise all
caret-right Real-time file system protection – Detected that
threats.
files were being infected and automatically
halted the process from accessing files so it
could be investigated by the engine.
caret-right Heuristic Intrusion Prevent System (HIPS) -
Detected the malicious code that was causing
the replication and stopped the execution of this
code.
Fleet Secure Endpoint was able to stop the infection
from continuing, cleaning 17,000 infections in the
process.

inmarsat.com 35
White Paper
Cyber security requirements for IMO 2021

11
NEXT STEPS - HOW TO PROCEED
CYBER RESILIENCE FOR IMO 2021 – NEXT STEPS
HOW TO PROCEED WITH FLEET SECURE ENDPOINT

APPOINT Appoint a person on board for cyber security planning for IMO requirements

Angle-Down
Review and check Cyber Security Plan against guidance on onboard ICT covering
REVIEW communication and ship networks for business/crew
Angle-Down
PURCHASE FLEET SECURE
Purchase Fleet Secure Endpoint – one month free trial available
ENDPOINT
Angle-Down
PREPARE Remove any existing anti-virus software on each endpoint

Angle-Down
DOWNLOAD Download and run the installer

Angle-Down
SET-UP Set-up dashboard, manage reports

Angle-Down
CREW TRAINING Crew to complete MLA e-learning module, records kept for compliance purposes

Angle-Down
Repeat crew cyber awareness training annually – periodic threat intelligence
REPEAT offered via Fleet Secure Endpoint

36 NOVEMBER 2020
White Paper
Cyber security requirements for IMO 2021

For further information and questions, please contact the Inmarsat Maritime Security Services team:
Maritime.Security@inmarsat.com

inmarsat.com 37
inmarsat.com
While the information in this document has been prepared in good faith, no representation, warranty, assurance or undertaking (express or implied)
is or will be made, and no responsibility or liability (howsoever arising) is or will be accepted by the Inmarsat group or any of its officers, employees or
agents in relation to the adequacy, accuracy, completeness, reasonableness or fitness for purpose of the information in this document. All and any such
responsibility and liability is expressly disclaimed and excluded to the maximum extent permitted by applicable law. INMARSAT is a trademark owned
by the International Mobile Satellite Organization, licensed to Inmarsat Global Limited. The Inmarsat LOGO and all other Inmarsat trade marks in this
document are owned by Inmarsat Global Limited. In the event of any conflict between the words of the disclaimer and the English version from which it is
translated, the English version shall prevail. © Inmarsat Global Limited 2020. All rights reserved. Cyber Security Requirements for IMO 2021 White Paper.
November 2020.