This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles
for the
Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: F3286 − 17
Standard Guide for
Cybersecurity and Cyberattack Mitigation1
This standard is issued under the fixed designation F3286; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 This guide addresses the company or government orga-
nizational need to mitigate the likelihood of cyberattacks and
reduce the extent of potential cyberattacks, which can leave
sensitive personal data, corporate information, and critical
infrastructure vulnerable to attackers.
1.2 These recommendations are meant to serve as a guide-
line for corporate and government organizations to adopt for
the protection of sensitive personal information and corporate
data against hackers.
1.3 Cybersecurity and cyberattacks are not limited to the
maritime industry. With greater advancement in computer and
information technology (IT), cyberattacks have increased in
frequency and intensity over the past decade. These advance-
ments provide hackers with more significant tools to attack
vulnerable data and communication infrastructures. Cyberat-
tacks have become an international issue to all governments
and companies that interact with each other.
1.4 Cybersecurity and the safety of cyber-enabled systems
are among the most prevailing issues concerning the maritime
industry as well as the global economy. Cyberattacks could
affect the flow of trade or goods, but operator errors in
complex, automated systems may also cause disruptions that
may be mitigated with proper policies and personnel training.
1.5 This guide is meant to provide strategies for protecting
sensitive data onboard vessels and offshore operations.
1.6 This standard does not purport to address all of the
safety concerns, if any, associated with its use. It is the
responsibility of the user of this standard to establish appro-
priate safety, health, and environmental practices and deter-
mine the applicability of regulatory limitations prior to use.
1.7 This international standard was developed in accor-
dance with internationally recognized principles on standard-
ization established in the Decision on Principles for the
Development of International Standards, Guides and Recom-
mendations issued by the World Trade Organization Technical
Barriers to Trade (TBT) Committee.
1
This guide is under the jurisdiction of ASTM Committee F25 on Ships and
Marine Technology and is the direct responsibility of Subcommittee F25.05 on
Computer Applications.
Current edition approved Dec. 1, 2017. Published January 2018. DOI: 10.1520/
F3286-17.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
1
2. Referenced Documents
2.1 Federal Standards:2
46 CFR 140.910 Equipment
3. Terminology
3.1 Definitions:
3.1.1 access control, n—practice of selective limiting of the
ability and means to communicate with or otherwise interact
with a system, use system resources to handle information,
gain knowledge of the information the system contains, or
control system components and functions.
3.1.2 application programming interface, API, n—set of
routines, protocols, and tools for building software and appli-
cations.
3.1.3 botnet, n—number of internet-connected computers
communicating with other similar machines in which compo-
nents located on networked computers communicate and
coordinate their actions by command and control or by passing
messages to one another.
3.1.4 capability, n—ability to execute a specified course of
action.
3.1.5 communications, n—means for a vessel to communi-
cate with another ship or an onshore facility.
3.1.6 compression, n—reduction in the number of bits
needed to store or transmit data.
3.1.7 cybersafety, n—guidelines and standards for
computerized, automated, and autonomous systems that ensure
those systems are designed, built, operated, and maintained so
as to allow only predictable, repeatable behaviors, especially in
those areas of operation or maintenance that can affect human,
system, enterprise, or environmental safety.
3.1.8 cybersecurity, n—activity or process, ability or
capability, or state whereby information and communication
systems and the information contained therein are protected
from and defended against damage, unauthorized use or
modification, or exploitation.
2
Available from U.S. Government Printing Office, Superintendent of
Documents, 732 N. Capitol St., NW, Washington, DC 20401-0001, http://
www.access.gpo.gov.
 F3286 − 17
3.1.9 data assurance, n—perception or an assessment of
data’s fitness and integrity to serve its purpose in a given
context.
3.1.10 data, n—quantities, characters, or symbols on which
operations are performed by a computer being stored and
transmitted in the form of electrical signals and recorded on
magnetic, optical, or mechanical recording media.
3.1.11 detection processes, n—methods of detecting intru-
sions into computers and networks.
3.1.12 encryption, n—conversion of electronic data into
another form called ciphertext, which cannot be easily under-
stood by anyone except authorized parties.
3.1.13 exposure, n—measure of a system at risk that is
available for inadvertent or malicious access.
3.1.14 firewall, n—logical or physical break designed to
prevent unauthorized access to information technology (IT)
infrastructure and information.
3.1.15 file transfer protocol, FTP, n—standard network
protocol used to transfer computer files between a client and
server on a computer network.
3.1.16 flaw, n—unintended opening or access point in any
software.
3.1.17 human system, n—interaction and contact between a
human user and a computer system.
3.1.18 hypertext transfer protocol, HTTP, n—primary tech-
nology protocol on the web that allows linking and browsing.
3.1.19 hypertext transfer protocol over secure socket layer,
HTTPS, n—protocol to transfer to encrypted data over the web.
3.1.20 information technology, IT, n—equipment or inter-
connected system or subsystem of equipment that is used in the
automatic acquisition, storage, manipulation, management,
movement, control, display, switching, interchange,
transmission, or reception of data or information.
3.1.21 internet of things, IoT, n—internetworking of physi-
cal devices, such as vessels, vehicles, buildings and other items
embedded with electronics, software, sensors, actuators, and
network connectivity that enable these objects to collect and
exchange data.
3.1.22 information security management system, ISMS,
n—set of policies with information security management or
IT-related risks.
3.1.23 local area network, LAN, n—computer network that
interconnects computers within a particular area and does not
connect to the internet; this applies to onboard ship networks.
3.1.24 machinery control systems, MCS, n—IT systems that
report operating parameters or control operation of equipment,
which commonly use programmable logic controllers (for
example, fuel tank level indicators or throttle control systems).
3.1.25 network, n—infrastructure that allows computers to
exchange data by wireless or cable wireless network interac-
tions.
3.1.26 operational technology, OT, n—information system
used to control industrial processes such as manufacturing,
product handling, production, and distribution.
2
3.1.26.1 Discussion—Industrial control systems include su-
pervisory control and data acquisition (SCADA) systems used
to control geographically dispersed assets, as well as distrib-
uted control systems (DCSs) and smaller control systems using
programmable logic controllers to control localized processes.
3.1.27 original equipment manufacturer, OEM,
n—company that makes parts or subsystems that are used in
another company’s end product.
3.1.28 phishing, v—sending e-mails to a large number of
potential targets asking for particular pieces of sensitive or
confidential information.
3.1.28.1 Discussion—Such an e-mail may also request that
an individual visits a fake website using a hyperlink included
in the e-mail.
3.1.29 programmable logic controller, PLC, n—digital com-
puter used for automation of industrial electromechanical
processes.
3.1.30 ransomware, n—malware that encrypts data on sys-
tems until the distributor decrypts the information.
3.1.31 remote desktop protocol, RDP, n—proprietary proto-
col developed by Microsoft that provides a user with a
graphical interface to connect to another computer over a
network connection.
3.1.32 resilience, n—characteristics that enable a system to
resist disruption and adapt to minimize the impact of disrup-
tions.
3.1.33 risk, n—potential or threat of undesired conse-
quences occurring to personnel, assets, or the environment as a
result of vulnerabilities in systems, staff, or assets.
3.1.34 risk assessment, n—process that collects information
and assigns values to risks for informing priorities, developing
or comparing courses of action, and informing decision mak-
ing.
3.1.35 risk management, n—process of identifying,
analyzing, assessing, and communicating risk and accepting,
avoiding, transferring, or controlling it to an acceptable level
considering associated costs and benefits of any actions taken.
3.1.36 router, n—device that forwards data from one net-
work to another network regardless of physical location.
3.1.37 scanning, v—procedure for identifying active hosts
or potential points of exploit or both on a network, either for
the purpose of attacking them or network security assessment.
3.1.38 sensitive information, n—any digital data that can be
classified as private or corporate not meant for public access.
3.1.39 social engineering, n—nontechnical technique used
by potential cyberattackers to manipulate insider individuals
into breaking security procedures, typically, but not
exclusively, through interaction via social media.
3.1.40 social media, n—computer-mediated online tools
that allow people, companies, and other organizations, includ-
ing nonprofit organizations and governments, to create, share,
or exchange information, career interests, ideas, and pictures/
videos in virtual communities and networks.
 F3286 − 17
3.1.41 software, n—intellectual creation that represents the
real world as data and uses logic, that, when translated into
electronically readable code and run on a computer, processes
the data, allowing the requirements placed on the software to
be realized in the real world.
3.1.42 Subchapter M, n—U.S. Coast Guard (USCG) regu-
lations that legally define rules for the inspection, standards,
and safety policies of towing vessels.
3.1.43 transportation worker identification credential,
TWIC, n—provides a tamper-resistant biometric credential to
maritime workers requiring unescorted access to secure areas
of port facilities, outer continental shelf facilities, and vessels
regulated under the Maritime Transportation Security Act of
2002 (MTSA) and all USCG credentialed merchant mariners.
3.1.44 water holing, v—establishing a fake website or com-
promising a genuine site to exploit visitors.
3.1.45 wide area network, WAN, n—network that can cross
regional, national, or international boundaries.
3.1.46 wi-fi, n—all short-range communications that use
electromagnetic spectrum to send and receive information
without wires.
4. Summary of Guide
4.1 The maritime industry is globalized. Shipping occurs
across the world, transporting goods to different nations and
continents. Technology integration onboard seagoing ships and
vessels has increased the quality and reliability of
communications, data recording, navigation, and record keep-
ing. Wherever ships and marine craft go, there is a potential for
cyber-enabled systems to impact ship operations and crew
safety. At times, these impacts can emerge from human error or
deliberate actions.
4.2 Commercial pressures and demands for efficiency and
speed, as well as more control over shipboard systems, create
the need for integrated systems that may be subject to misuse,
abuse, or illicit access. Table 1 provides an overview of the
motivation and impacts of a cyberattack.
4.3 Companies and governments that operate or own sea-
going vessels should adopt measures and practices that will
shape personnel and system access according to job require-
TABLE 1 Impacts of CyberattackA
Group Motivation
Activists (including disgruntled employees) • Reputational damage
• Disruption of operations
Criminals • Financial gain
• Commercial espionage
• Industrial espionage
Opportunists • The challenge
States • Political gain
State-Sponsored Organizations • Espionage
Terrorists
A
Courtesy of BIMCO, Guidelines on Cyber Security Onboard Ships, February 2016.
3
ments and need to know. For good practice, human and
machine access to sensitive information should be kept to a
minimum level. Access needs for third parties (for example,
maintenance personnel, consultants, service engineers, and any
non-crew personnel) should be addressed in company or
government policies and procedures, or both.
4.4 Companies and governments may use cybersecurity
training programs to educate the shoreside employees and
mariners of the organization. Training programs and materials
should provide useful tools and strategies to:
4.4.1 Reduce or prevent human errors in automated systems
operations that could affect safety, correct system function, or
ship data; and
4.4.2 Identify when a cybersecurity event occurs and how to
stop or prevent one from happening.
4.5 Any implemented training program should apply to all
members, shoreside employees, and mariners of a government
or company operating seagoing vessels. Training programs
should begin at the top of an organization and work through to
the bottom thus following a hierarchical approach and response
to cyber-system events and their impacts on the company, ship,
or organization.
4.6 Training programs should focus on and follow a general
procedure including the following steps:
4.6.1 Risk identification,
4.6.2 Risk detection,
4.6.3 Protection of personnel and vulnerable or critical
infrastructure,
4.6.4 Mitigate effects of cyberattack,
4.6.5 Recover stolen or lost data, and
4.6.6 Restoration of systems to fully operational status.
4.7 Ship systems have become increasingly integrated with
navigation, communications, recordkeeping, logistical data,
corporate data, personal data, and ship-operating systems.
These systems may be running on the same information
infrastructure. With this interconnectedness comes complexi-
ties and interdependencies that can result in unexpected vul-
nerabilities. Even systems that use air gaps for security, such as
machinery control systems, may be vulnerable to errors and
attacks because of contamination with malware or malicious
Objective
• Destruction of data
• Publication of sensitive data
• Media attention
• Selling stolen data
• Ransoming stolen data
• Ransoming system operability
• Arranging fraudulent transportation of cargo
• Getting through cyber security defenses
• Financial gain
• Gaining knowledge
• Disruption to economies and critical national infrastructure
 F3286 − 17
code from diagnostic equipment. Vulnerabilities that present
openings to outside connections can become weaknesses. So, it
is vital for organizations to understand the origins of system
vulnerabilities and likely means of attack.
4.8 As technology advances, IT systems require greater
attention and resources to sustain and maintain them for
continued operations and system reliability. Many older IT
systems, especially in the maritime industry, use outdated
technology that can endanger the confidentiality, integrity, and
availability of data, therefore, creating previously undetected
cyber risks and vulnerabilities.
4.9 In the United States, recent cybersecurity legislation
passed by Congress and authorized by the President has begun
to address the rapidly growing concerns for cybersecurity and
points towards the development of new technologies for
government agencies and private industry in the years ahead.
4.10 Governmental regulations, such as Subchapter M, 46
CFR 140.910, now permit and encourage the use of electronic
records in addition to or in lieu of manual logging. The move
to electronic recordkeeping and the sensitivity of the informa-
tion these records contain impose new challenges to the secure
access of the information, the sharing of the information with
inspectors and auditors, the media to which this information is
securely stored and backed up, and the methods required to
access the information in a secure manner.
5. Significance and Use
5.1 To maintain the integrity of potentially vulnerable in-
formation systems while the vessel is at sea or in port,
strategies and procedures can be used by every company,
organization, and ship. Mitigating potential cyberattack events
will allow for a better economic environment through secure
consumer, employee, and corporate data. Informational infra-
structure between ships, platforms, and onshore facilities are
more interconnected today than a decade ago. The long-term
health and economic viability of ship owners and operators
depend on establishing and maintaining security that can
measured and monitored.
5.2 With the increase in cyberattacks in recent decades,
maritime-based companies and governments have cited a need
to update and train their workforce to mitigate the loss of data
or intellectual theft from onboard systems.
5.2.1 Vulnerable onboard systems can include, but are not
limited to:
5.2.1.1 Cargo management systems;
5.2.1.2 Bridge systems;
5.2.1.3 Propulsion and machinery management and power
control systems;
5.2.1.4 Access control systems;
5.2.1.5 Passenger servicing and management systems;
5.2.1.6 Passenger facing public networks;
5.2.1.7 Administrative and crew welfare systems;
5.2.1.8 Communications systems;
5.2.1.9 Distributed computing devices that support an inter-
net of things (IoT)-enabled ship; and
5.2.1.10 Onboard sensors that facilitate wheelhouse
automation, alerting, and IoT transmission.
4
5.2.2 Many of these systems are critical to mariners while at
sea. If any of said systems failed or were compromised while
at sea because of a cyberattack, then the ship and its security
could be compromised.
5.3 By adopting these practices, mariners and shoreside
employees at all levels of the organization should be able to
identify potential threats or risk factors, as well as the abnormal
indications that show a cyberattack underway.
5.4 Cyberattacks can occur in multiple forms including, but
not limited to, the following practices:
5.4.1 Social engineering,
5.4.2 Phishing,
5.4.3 Waterholing,
5.4.4 Ransomware,
5.4.5 Scanning,
5.4.6 Spear-phishing,
5.4.7 Deploying botnets, and
5.4.8 Subverting the supply chain.
5.5 These suggested strategies extend to all individuals of a
corporation, government, or organization. By adopting a basic
and developed capability to defend from cyberattacks, mari-
ners can continue proper practices out at sea while feeling
confident that safety critical systems, business-critical data,
personal data, and records are safe.
5.6 In the event of system error, or in the case of cyberattack
or infection, any files required to rebuild or repair a personal
computer (PC)-based onboard system shall be on the ship
already rather than from off-board sources using satellite
communications systems. Most vessels currently do not have
operating system disks on board, let alone proprietary software,
drivers, or patches. This connectivity constraint and lack of
multiple failsafe outputs also provide a single point of failure
and vulnerability. In the future, system software and firmware
may be kept current with over-the-air updates, which shall be
encrypted.
5.7 There are cross-system considerations that shall be
considered for cyber-enabled ships. They may include such
factors as:
5.7.1 Human-system interfaces;
5.7.2 Software availability, versions, and licensing;
5.7.3 Network and communications, including remote ac-
cess methods;
5.7.4 Data trustworthiness and availability (that is, data
assurance);
5.7.5 Diagnostic and evaluation equipment that may be
required to diagnose system problems;
5.7.6 Cybersecurity, especially as it applies to safety critical
and ship critical systems; and
5.7.7 Onboard sensors and IoT infrastructure that provide
data for ship operations and command decisions.
5.8 By adopting these practices, companies and govern-
ments will notice the benefits of better cybersecurity. Some
benefits may include, but are not limited to:
5.8.1 Better business performance;
5.8.2 Increased bandwidth efficiency provided by modern
satellite communications;
 F3286 − 17
5.8.3 Better crew performance during drills or operations;
5.8.4 Reinforcing a healthy safety and security awareness
culture onboard seagoing vessels;
5.8.5 Enhanced quality of life for ship crews;
5.8.6 Better adherence to increasingly stringent regulations
and the preservation of electronic records and logs;
5.8.7 Tighter security controls and access to objective evi-
dence using biometrics, such as fingerprinting and a company/
government (that is, TWIC) issued personal identification card;
and
5.8.8 Resilient systems that can minimize the impact of
cyber disruptions.
6. Procedure
6.1 Access:
6.1.1 Companies, governments, and organizations should
adopt policies for appropriate use of, and access to, automated
systems aboard ships, vessels, and offshore assets. System
access policies should address access to, and use of, general-
purpose systems (for example, PCs) as well as automated
utility systems (for example, cranes and cargo-handling sys-
tems) and control systems (for example, ship control,
machinery, propulsion, and so forth). At a minimum, the
company policy set should include an IT security policy and an
acceptable use policy to ensure that employees and users
within each company understand how company resources and
data should be used. These policies ensure that standards are
consistent, understood, and enforced.
6.1.1.1 A company should only grant access privileges
according to employee roles and responsibilities and the
employee’s need to know.
6.1.1.2 Access policies should limit individual access to
critical or sensitive system, data, and records onboard seagoing
ships starting from the top of the organization down. By
restricting access to job description requirements and need to
know, fewer people will have the credentials to access infor-
mation onboard ships with less possibility for credential theft
by hackers.
(1) Local administrative privileges can allow mariners too
many rights for ordinary work, and they can provide cyber-
intruders a way to move through a ship’s network. The
reduction of administrative privileges can make the difference
between a single system and user account being compromised
versus the entire organization’s computer systems being cor-
rupted.
(2) The system administrator privileged accounts are the
most sensitive access levels. Careful control of privileged
accounts can make the difference between a simple perimeter
breach and a significant cybersecurity event. Organizations are
expected to ensure that they continuously audit and discover
privileged accounts and applications that require privileged
access, remove administrator rights where they are not
required, and implement two-factor authentication methods to
prevent easy compromise of user accounts when attacked.
6.1.2 Networks that provide suppliers with remote access to
navigation systems or software, and to any control systems or
other operational technology (OT) system software on ship-
board equipment should be controlled. Such networks may be
5
necessary for suppliers to allow upload of system upgrades or
perform remote servicing.
6.2 Partnerships:
6.2.1 Maritime companies and vessels should partner with
their respective governments to adopt cybersecurity measures
to defeat threats against safety- or ship-critical systems. With
the sharing of information among law enforcement, maritime,
and military cybersecurity programs, ship owners and opera-
tors can enhance the effectiveness of their cybersecurity
operations for deterring, mitigating, and responding to mali-
cious activity.
6.2.2 Companies and vessels should join the Department of
Homeland Security’s (DHS) Automated Indicator Sharing
(AIS) initiative. By sharing unclassified cyber threat indicators,
the DHS enables the detection, prevention, and mitigation of
cyber threats. The AIS initiative is available to:
6.2.2.1 Partners in critical infrastructure;
6.2.2.2 Private sector;
6.2.2.3 State, local, tribal, and territorial governments;
6.2.2.4 Federal departments and agencies;
6.2.2.5 Information sharing and analysis centers (ISACs);
6.2.2.6 Information sharing and analysis organizations
(ISAOs); and
6.2.2.7 Foreign partners and companies.
6.2.3 For more information, see the AIS initiative.3
6.3 Policies:
6.3.1 Cyber Assessments—Ship owners, operators, and
stakeholders should include in their cybersecurity program
policies the necessity to conduct a baseline assessment before
making amendments to or developing a cybersecurity program.
The baseline assessment serves as a platform for taking
inventory and mapping of assets and systems and creating an
understanding of vulnerabilities and the associated potential
business and operational impacts that may ensue from unpro-
tected or vulnerable systems.
6.3.2 Information Security Management System (ISMS)—
Based on the configuration and systems onboard, each compa-
ny’s ISMS policy should include the concept of cybersecurity
and the potential damages that could occur.
6.3.2.1 The ISMS should identify the critical systems
aboard that have computer controls and cyber-enabled func-
tions.
6.3.2.2 The ISMS should prioritize critical systems in ac-
cordance with their importance to the ship.
6.3.2.3 The ISMS should predict the extent of damage that
could occur if the ship’s critical systems were jeopardized,
either through human error or cybersecurity issues.
6.3.2.4 The ISMS should describe, in detail, the recovery
steps for each failure or breach type and any notifications,
alerts, or actionable items that should occur in the event of a
breach.
6.3.3 Personal Devices—The use of personal devices, such
as a crew members’ smartphones or wireless hotspots, presents
3
Available from Department of Homeland Security/United States Computer
Emergency Readiness Team (DHS/US-CERT), ATTN: NPPD/CS&C/NCCIC/US-
CERT, Mailstop: 0635, 245 Murray Lane SW Bldg 410, Washington, DC 20528,
https://www.us-cert.gov/ais.
 F3286 − 17
an unknown but significant variable in the overall security of a
ship. Also, the popularity of mobile apps and social media
expose additional vulnerabilities that are unique to the particu-
lar app, site, application programming interface (API), or
service. For that reason, a company should adopt policies
pertaining to the usage of personal devices. Such policies
should include whether those devices are allowed to connect to
onboard services (that is, wireless network) and whether those
devices are allowed to be used to contain or manage company
data.
6.3.4 Communication-Capable Systems—All communica-
tion devices onboard, such as a router, satellite phone, laptop,
PC, or smartphone, should be restricted to use secure protocols,
such as hypertext transfer protocol over secure socket layer
(HTTPS) instead of hypertext transfer protocol (HTTP). All
protocols not used should be disabled, such as remote desktop
protocol (RDP) or file transfer protocol (FTP).
6.3.4.1 All applications, devices, or systems transmitting
data to or from the vessel should encrypt and compress the data
before transmittal. This process could include software
systems, IoT devices, and original equipment manufacturer
(OEM)-enabled sensors.
6.3.4.2 Operators may use OEM equipment installed by
third-party integrators on their vessels. The operator may think
that cybersecurity is the responsibly of the OEM manufacturer
and integrator, whereas the OEM manufacturer and integrator
may think it is the responsibility of the operator. This miscom-
munication often leads to a false sense of security and
increased vulnerabilities. Operators should:
(1) Communicate and discuss cybersecurity concerns with
the OEM and the integrator during the planning stage and
before installation;
(2) Request from the OEM detailed information as to the
types of threats associated with the equipment and what
mitigation techniques are available;
TABLE 2 Cyberattacks Reporting ScaleA
Potential
Definition
Impact
Low The loss of confidentiality, integrity, or availability could be
expected to have a limited adverse effect on company and
ship, organizational assets, or individuals.
Moderate The loss of confidentiality, integrity, or availability could be
expected to have a substantial adverse effect on company
and ship, company and ship assets, or individuals.
High The loss of confidentiality, integrity, or availability could be
expected to have a severe or catastrophic adverse effect
on company and ship operations, company and ship
assets, or individuals.
A
Courtesy of BIMCO, Guidelines on Cyber Security Onboard Ships, February 2016.
6
(3) Consider the interface between the OEM and vessel
network, including any special considerations to protect both
the OEM gear and the vessel network;
(4) Request from the integrator a statement of conformance
to the manufacturer’s stated policy and installation best prac-
tices; and
(5) Consider the impact equipment or configuration
changes have on the overall cybersecurity strategy of the
vessel.
6.3.5 Organizations—Companies, governments, and organi-
zations should consult the National Institute of Standards and
Technology (NIST) cyber security framework, which can help
companies quantify the approach being taken to cybersecurity
using common principles and standards.
6.3.5.1 Maritime companies and organizations should de-
sign their programs around an objective that ensures and
creates a protective infrastructure concerning a ship’s onboard
IT and OT systems.
6.3.5.2 Companies, governments, and organizations should
adopt a general and advanced list of procedures to promote
good cybersecurity practices and address situations and meth-
ods to minimize the extent of cyberattacks. These lists of
procedures may vary by the entity but should follow USCG
and DHS recommendations.
6.3.5.3 Cyberattacks should be reported to the proper au-
thority on a scale of low, moderate, or high regarding the
potential impact (see Table 2). Also, any anomaly should be
reported to the shoreside management staff trained in the field,
as per company governance. Any disruption to computer-based
systems that threatens the safety of the crew and the vessel, or
is a factor in a near-miss or marine casualty, should be reported
to the company shoreside management and the proper port
state control authorities (such as the USCG) in accordance with
the latest guidance.
In Practice
A limited adverse effect means that a security breach might: (1) cause a
degradation in ship operation to an extent and duration that the
organization can perform its primary functions but the effectiveness of the
functions is noticeably reduced, (2) result in minor damage to
organizational assets, (3) result in minor financial loss, or (4) result in
minor harm to individuals.
A substantial adverse effect means that a security breach might: (1) cause
a significant degradation in ship operation to an extent and duration that
the organization can perform its primary functions but the effectiveness of
the functions is significantly reduced, (2) result in significant damage to
organizational assets, (3) result in significant financial loss, or (4) result in
significant harm to individuals that does not involve loss of life or serious
life-threatening injuries.
A severe or catastrophic adverse effect means that a security breach might:
(1) cause a severe degradation in or loss of ship operation to an extent
and duration that the organization is not able to perform one or more of
its primary functions, (2) result in major damage to organizational assets,
(3) result in major financial loss, or (4) result in severe or catastrophic
harm to individuals involving loss of life or serious life-threatening injuries.
 F3286 − 17
6.4 Protection:
6.4.1 Overall, companies, organizations, and governments
should enact a cyber-threat indicator onboard their vessels,
whether it is an adopted procedure or installing software and
programming that monitor and alerts employees to a potential
attack.
6.4.2 The company should define a distinction between how
the informational resources onboard a ship are used (that is,
personal and work systems, business resources, and so forth).
6.4.3 Operations—Vessels should install software recom-
mended by the DHS, the International Maritime Organization
(IMO), and the Baltic and International Maritime Council
(BIMCO) to update and protect all onboard information
systems. Updating IT and OT systems will allow for evaluation
and analysis as well as provide a measurable response to
potential or active threats for the 21st century. These updates
should be viewed as a vessel’s first line of defense when a
human does not detect a cyberattack.
6.4.4 Companies should, where possible, secure digital
assets using a two-factor authentication biometric access, such
as a fingerprint scanner, and/or a company/government (that is,
TWIC) issued personal identification card. Such access is
superior to the traditional username/password architecture, as a
password is more easily compromised and does not require a
physical presence.
6.4.5 Client certificates or cookies used to cache access
credentials should be set to low expiration periods and fre-
quently renewed as needed. While this may slightly increase
data consumption, if a credential is ever compromised, a short
expiration period limits the exposure to a small window of
time.
6.4.6 All I/O connections to PCs, laptops, programmable
logic controller (PLC) boards, and so forth should be contem-
plated in an overall security strategy and only those that are
necessary should be enabled. That could include disabling
things such as USB ports, CD/DVD drives, Bluetooth, wi-fi,
VPN, built-in modems, and related I/O points.
6.4.7 Companies and organizations should continuously
update their IT and control systems with each generation of
newly developed software while carefully tracking software
versions and adhering to their business or organizational
management of change policies and procedures.
6.4.8 Companies and governments should adopt perimeter
defenses and protections for their databases and onboard
recordkeeping systems through local access networks.
6.4.9 Companies and organizations should adopt and imple-
ment a technology solution that records when mariners and
officers are on and off the vessel. This software can allow
correlation of personnel accesses to critical systems in cases of
system issues, cyber intrusions, and so forth.
6.4.10 Companies and organizations should control their
systems and software deliberately. No third party (for example,
7
supplier, maintenance organization, and so forth) should be
allowed to make software changes to critical systems without
direct permission from the owner and master of the vessel.
6.5 Training:
6.5.1 All employees, regardless of seniority or experience,
should subscribe to the training program adopted by the
company, agency, or international governmental body on the
risks, approach, and prevention of cyberattacks.
6.5.2 Employee training programs should educate mariners,
shoreside employees, and administrators on the normal oper-
ating characteristics of their cyber-enabled systems to help
them understand when they may have a system malfunction or
cybersecurity incident occurring. Abnormal conditions, when
recognized, may indicate that a cyberattack is underway.
Relevant training should include recognition signs of the four
stages of a cyberattack that include the following:
6.5.2.1 Survey/Reconnaissance—Using different strategies
to find a weakness in the critical infrastructure of a ship;
6.5.2.2 Delivery—This can be done through the ship or
company while connected to the internet;
6.5.2.3 Breach—While it may not be obvious, breaches can
attain critical information such as cargo manifests and passen-
ger lists; and
6.5.2.4 Effect—The motivation and objectives of the at-
tacker will determine what effect they have on the company or
ship system and data. An attacker may explore systems, expand
access, and ensure that they can return to the system. Some
potential outcomes may be that attackers access confidential
data, manipulate crew or passenger lists, or disrupt systems by
overloading them or taking them offline.
6.5.3 Officers and crewmembers onboard vessels should
perform at least one cybersecurity risk assessment training
exercise or course during a three- or six-month voyage. This
exercise should be done before entering international waters.
6.5.4 When conducting exercises, crews and administrators
should practice worst-case scenarios in which sustainable
damage is taken by a cyberattack against ship safety critical,
mission-critical, or function systems, as well as thinking of the
response to cyberattacks as a process that has multiple ways to
approach the problem.
6.5.5 These exercises will vary from organization to
organization, but may include the following:
6.5.5.1 Safety management system/ISO procedures,
6.5.5.2 MTSA required security plans,
6.5.5.3 Operations manuals,
6.5.5.4 Continuity of operations/continuity of business
plans, and
6.5.5.5 Company training programs and policies.
7. Keywords
7.1 cyberattacks; cybersecurity; maritime industry
 F3286 − 17

BIBLIOGRAPHY

(1) ABS, Guidance Notes on The Application of Cybersecurity Prin-
ciples To Marine and Offshore Operations, September 2016.
(2) BIMCO, Guidelines on Cyber Security Onboard Ships, February
2016.
(3) DHS, Automated Indicator Sharing Initiative.
(4) DNV, Integrated Software Dependent Systems (ISDS).
(5) ENISA, Methodologies for the identification of Critical Informa-
tion Infrastructure assets and services, December 2014.
(6) ESC Global Security, Maritime Cyber Security White Paper.
(7) IMO, Interim Guidelines on Maritime Cyber Risk Management.
(8) Lloyd’s Register, Cyber-Enabled Ships, First Edition, February 2016.
(9) National Institute of Standards and Technology (NIST), Frame-
work for Improving Critical Infrastructure Cybersecurity, February
2014.
(10) NIST, Guide to Industrial Control Systems (ICS) Security, Special
Publication 800-82 rev2, May 2015.
(11) Recommended Practice: Improving Industrial Control Systems
Cybersecurity with Defense-In-Depth Strategies, DHS, October
2009.
(12) United States Coast Guard (USCG), Cyber Strategy, June 2015.
(13) United States Coast Guard (USCG) Cyber Risks in the Marine
Transportation System.
(14) United States Coast Guard (USCG) Policy Letter CG-5P, 14 De-
cember 2016, Reporting Breaches of Security and Suspicious Activ-
ity.

ASTM International takes no position respecting the validity of any patent rights asserted in connection with any item mentioned
in this standard. Users of this standard are expressly advised that determination of the validity of any such patent rights, and the risk
of infringement of such rights, are entirely their own responsibility.

This standard is subject to revision at any time by the responsible technical committee and must be reviewed every five years and
if not revised, either reapproved or withdrawn. Your comments are invited either for revision of this standard or for additional standards
and should be addressed to ASTM International Headquarters. Your comments will receive careful consideration at a meeting of the
responsible technical committee, which you may attend. If you feel that your comments have not received a fair hearing you should
make your views known to the ASTM Committee on Standards, at the address shown below.

This standard is copyrighted by ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959,
United States. Individual reprints (single or multiple copies) of this standard may be obtained by contacting ASTM at the above
address or at 610-832-9585 (phone), 610-832-9555 (fax), or service@astm.org (e-mail); or through the ASTM website
(www.astm.org). Permission rights to photocopy the standard may also be secured from the Copyright Clearance Center, 222
Rosewood Drive, Danvers, MA 01923, Tel: (978) 646-2600; http://www.copyright.com/