Article

  • Title: Addressing Cybersecurity Threats to Maritime Autonomous Surface Ships (MASS)
  • Author: Trung Nguyen
  • Date: 14 August, 2023
  • Reading time: 5-7 minutes

Summary

In this article, Dr Trung Nguyen presents the regulatory developments of maritime autonomous surface ships (MASS) and cybersecurity at the International Maritime Organisation. The author identifies cyber threats relating to MASS and suggests recommendations.

Addressing Cybersecurity Threats to Maritime Autonomous Surface Ships (MASS)

Trung Nguyen [1]

Maritime Autonomous Surface Ship, or ‘MASS’, is situated at the crossroads of the new Industry 4.0 and the seaborne transport business, which dates back thousands of years. Advances in artificial intelligence, machine learning and big data have made it possible for crewless ships to roam the sea, prompting changes to a US$14 trillion shipping industry. Autonomous vessels can reduce human-based errors in ship operation, thus potentially decreasing the risk of collision at sea. However, they are prone to cyber-attacks that can target ports, remote operator centres (‘ROCs’) or the ship itself, leading to loss of money, delays in logistics and increased threats to maritime security. Ironically, while most ship operators view cyber-attacks as high risks, few have provided basic protection for their systems from cyber threats.

This article will look at the development in addressing cybersecurity threats to MASS. In doing so, it will (i) present the regulatory development of MASS and cybersecurity at the International Maritime Organisation (‘IMO’); (ii) identify cyber threats relating to MASS; and (iii) suggest recommendations. As a caveat, this article only addresses commercial shipping and does not deal with warships or government vessels, which belong to a different category under international law.

I. MASS and cybersecurity under the IMO
The IMO is the competent UN agency on international shipping matters with an almost universal membership. Since its establishment in 1948, it has adopted over 50 international agreements and over 1000 non-legally binding guidelines that cover different aspects of commercial shipping, including safety and security, marine pollution and compensation and liability. Since 2017, the IMO has initiated its work on MASS, including a regulatory scoping exercise and the establishment of a Joint Working Group to develop the MASS Code (JWG-MASS).

According to the IMO, MASS is defined as ships “which, to a varying degree, can operate independent of human interaction” and can be divided into four categories depending on their level of automation:

  • Degree one: Manned ships with some automated systems and human crews on board.
  • Degree two: Remotely controlled ships with human crews on board.
  • Degree three: Remotely controlled ships without seafarers on board.
  • Degree four: Fully autonomous ships that can make decisions and determine actions by themselves.

Given that degree one and two MASS still have a human presence on board to maintain, supervise and be ready to take control of the ship when necessary, the real concern focuses mostly on degrees three and four, where there are no crews on board. As such, the main discussion at the JWG-MASS focuses on potential issues that could arise from regulating these crewless ships in the future, including maritime cyber risk.

Regarding cybersecurity, the IMO adopted an open-ended Guideline on Maritime Cyber Risk Management that provides general recommendations on a risk management approach aimed at identifying cyber risks and avoiding or mitigating them to an acceptable level. The Guideline also refers to best practices for addressing cyber-attacks developed by the shipping industry (The Guidelines on Cyber Security Onboard Ships), ship classification societies (IACS Recommendation on Cyber Resilience) and states (the US’ Framework for Improving Critical Infrastructure Cybersecurity), among others. Together, these documents identify different areas of a modern maritime vessel that could be the subject of a cyber-attack (for example, bridge systems, cargo handling, access, control systems and communication systems) and different modes of attack (phishing, malware, denial of service, etc.), and develop protection and response plans to respond to and recover from incidents.

II. Threats of cyber-attacks on MASS
With a 400% increase in attempted cyber-attacks targeting the maritime industry since 2020, cybersecurity threats to the shipping industry remain prominent. Given that MASS will require, at a minimum, some kind of information technology (IT) and operational technology (OT) on board, there will always be a risk of a cyber-attack when a MASS is in operation. Several types of cyber threats may affect a modern ship, such as using malicious software and taking control of a device’s operations to shut down the IT server or to steal, encrypt or delete data without the user’s knowledge or permission.

For the time being, cyber-attacks that can cause a complete takeover of MASS are unlikely to happen. Most recent cyber-attacks happened in port facilities and did not affect the control and manning of ships. Moreover, degree one MASS, in which OT systems are not connected to the internet, is still the standard in the shipping industry. As such, when a cyber-attack happens, there would be crews on board to intervene and override the system to prevent a complete takeover.

Nevertheless, the risk of cyber-attacks remains imminent and will likely increase when more autonomous ships roam the sea in the near future. Moreover, since the person conducting the cyber-attack does not necessarily need to be in the same jurisdiction where the attack takes place, it can be extremely difficult to trace the offender and bring the group or person to justice. The global NotPetya malware that affected Maersk, the world’s largest shipping company, causing hundreds of millions of dollars in losses and gridlock in maritime logistics, remains a glaring reminder of how vulnerable the modern shipping industry is to cyber-attacks and of the difficulty of holding offenders liable for the damage.

III. Recommendations for addressing cyber-attacks on MASS
There has been little attention and study devoted to the protection of MASS from cyber-attacks (but see here and here). Given that MASS will likely be a game-changer for the shipping industry, protecting MASS against all forms of threats, including cyber-attacks, should be at the core of the discussion. The future development of a cybersecurity policy and procedures in case of a cyber-attack on MASS or ROCs should consider the following recommendations:
  • The discussion of common issues in developing the MASS Code at the IMO only refers to cybersecurity in passing. Given the growing trend of cyber-attacks on the maritime industry, the development of adequate cybersecurity policy should be at the heart of future discussions in building the MASS Code. In the past, IMO documents have served as important guidelines for the shipping industry. There is no doubt that the Organisation can take the lead in developing baseline security policies to address cyber-attacks on MASS.
  • Current literature and guidelines discuss cybersecurity policy for MASS in a vacuum, without considering the different degrees of MASS. In recognising that different degrees of MASS entail different degrees of automation, future guidelines should focus on building a cyber-resilient policy according to each degree of MASS. In other words, the level of cybersecurity developed for a crewless MASS (degrees three and four) should be more comprehensive than that for degrees one and two MASS, where there are crews on board.
  • As autonomous ships with crews on board will still be the predominant standard of shipping in the near future, governments and the shipping industry should focus on training their employees and developing response plans to address cybersecurity threats. Initiatives, such as the ASEAN CERT Incident Drill Tests CERTs’ Preparedness Against Disruptive Cyber-Attacks, could play a key role in training and raising awareness for crew and staff as well as developing best practices for containing, investigating, and recovering from a cyber-attack.
  • Private industries involved in shipping, such as ship classification societies and maritime insurance companies (P&I clubs), can play a key role in making sure that MASS is resilient to cyber-attacks. In the past, shipping service companies have played a pivotal role in promoting safety standards of shipping, such as the requirement of an Automatic Identification System (AIS) on board ships to broadcast the ship’s location. Similarly, by incorporating cybersecurity resilience as a standard in the classification process and as a condition for issuing ship insurance, the private industry can play a key role in addressing cybersecurity threats when MASS becomes more widespread.

[1] Research Fellow, Ocean Law and Policy, Centre for International Law (NUS). This article is supported by the MPA-CIL Oceans Governance Research Programme 2023 funded by the Singapore Maritime Institute (SMI-2023-MA-03).