Ships play a significant role in maritime transport, and technological developments are rapidly reflected on board. A wide range of equipment, such as GPS, ECDIS, AIS and ARPA-Radar, is used to ensure safe navigation on a ship. However, several published studies show cyber vulnerabilities in navigational equipment. Moreover, cyber attacks in the maritime industry have increased the importance of cybersecurity at sea. Compared with other vessel types, such as dry cargo vessels and RO-ROs, tankers are more likely, because of the cargo they carry, to pollute the environment and to cause more injuries, deaths and economic loss after an accident. For this reason, cybersecurity inspections started first on tankers, through the TMSA, SIRE and CDI vetting programmes. IMO requires all maritime companies to carry out a cyber risk assessment by 2021. In this study, the potential cyber risks of equipment in the bridge, engine room and cargo control room on a tanker underway were assessed. As a result of the assessment, a total of 31 risks are identified in nine categories, and 37 procedural and technical measures that could be taken against these risks are examined. The risks are evaluated both before and after the measures are taken, using the Fuzzy Fine-Kinney method. In this way, the effectiveness of the suggested measures is examined.
Developments in technology bring inherent risks along with convenience. Undoubtedly, cyberattacks constitute one potentially serious risk. While a stereotypical scenario involves a curious teenager sitting in front of his computer at home, a much more critical threat comes from experienced professionals, supported by states, who are specially trained and who have the necessary technological equipment to do great harm. These cyberattacks exert a negative impact on the maritime industry due to the widespread use of both information technology (IT) and operational technology (OT) systems. On a related note, opponents of autonomous ship projects can effectively cite the weaknesses detected in navigation systems onboard ships. Examination of cyberattacks in the maritime industry as reflected in the press or in academic studies reveals claims that some of these attacks are state-sponsored. However, no country has to date accepted responsibility for such cyberattacks. Although those targeted by such accusations have neither confirmed nor rejected responsibility, the nature of the attacks – sophisticated or requiring high-cost equipment – raises the possibility that behind the attacks are countries that may have conducted research studies for defensive or offensive purposes. China, Iran, North Korea, Russia and Turkey have been named among the countries carrying out cyberattacks on the maritime industry. It is envisaged that these attacks are based on motivations such as information theft, defence research or sabotage of exploration for underground resources. Among the cyberattacks on vessels that have been assessed as state-sponsored, the most common have involved GPS jamming, rendering GPS useless, and GPS spoofing that causes the GPS to report an incorrect position for a ship at sea.
This study examines the cyberattacks on the maritime industry that are alleged to be state-sponsored, as well as the parties involved in these attacks and the possible objectives of those parties.
Cyber security in the maritime industry has become crucial owing to both academic research and incidents. There are academic studies that show vulnerabilities in various navigation equipment such as GPS, ECDIS, AIS and ARPA-Radar. Additionally, there have been various cyber incidents around the world. Developments in technology, autonomous ship projects, academic studies and cyber incidents in the sector prompted IMO to act. Under the ISM Code, all shipping companies are required to add the “Guidelines on Maritime Cyber Risk Management” manual to their SMS manuals by 1st January 2021. Like IMO, OCIMF and CDI did not remain indifferent to these developments, which are important for tanker operators. OCIMF added cybersecurity-related questions to the vetting programmes TMSA 3 and VIQ 7, while CDI added cybersecurity-related items in the SIR 9.8.1 edition. RightShip, on the other hand, provides a significant vetting service for dry cargo ships, for which it issues the “Inspection and Assessment Report”. Cybersecurity-related questions were added to the “Inspection and Assessment Report” with Revision No: 11, dated 11th May 2017. In this study, the cyber security-related questions asked during TMSA, SIRE and CDI vettings, which play a critical role in the commercial life of tanker firms, were analyzed. Moreover, the questions and efficiency of RightShip, which offers a vetting service for dry cargo ships, were assessed with respect to maritime cyber security. The cybersecurity-related questions in the vetting questionnaires were also interpreted by the author. These comments rely on benchmarking meetings among tanker operators, which the author attended in person, and on interviews with key persons. Observations noted during vettings may negatively affect both the commercial life and the reputation of tanker operators. For this reason, the names of the firms and interviewees were kept confidential.
This study found that, although IMO demanded verification of ship operators' cyber security-related implementations by 1st January 2021, this process started earlier for tanker operators.