Shipping has taken important steps in cyber security, but leaders must continually address cyber risks that are unique to their organisations and operating environments.
This was a clear message from all speakers at the latest ICS Leadership Insights dialogues on 10 February 20201, focusing on cyber security.
Esben Poulsson, ICS Chairman, opened the discussion and stressed that cyber risk management should be high on shipping’s agenda:
“Cyber security is more than just the digital equivalent of the guns, guards and gates of the physical world. The internet is global, and attacks can spread across borders and through corporate networks.
“And cyber security is more than just an insurance policy – it is potentially all about business survival. A breach of cyber security might not just damage a business; it could bring it to a standstill causing losses of tens if not hundreds of millions of dollars.”
Paivi Brunou, Head Cyber Security, Wartsila Voyage, stressed it is important for the shipping world to capitalise on the benefits of becoming more digitally connected, ship to ship and ship to shore, to optimise operations. However, Brunou warned that as digital systems become more interconnected and complex, identifying and managing the cyber risks becomes more complex too:
“A cyber incident is not always like a massive fire; it is not always easy to see something going on with the system. The 4th industrial revolution has changed how we work, where we work and the skills we need in the last decade.
“In the next decade it will be even more difficult to identify and manage cyber risks due to the growing complexity, greater connectivity and an expansion of the attack surface.
“Ships are carrying a plethora of people, cargo and information and we need to find new ways to protect them.”
Cyber risks for maritime are on the rise. As a result, the IMO has set out Resolution MSC 428(98), which identifies cyber security as a risk to be addressed in safety management systems and to be verified in audits from 1 January 2021. However, for many, addressing cyber risk is still in its infancy. Speakers agreed shipping must step up its game.
Julian Clark, Global Senior Partner, Ince, said:
“The maritime sector is seen as a soft target in relation to cyber exposure. The aviation sector, for example, are well ahead of us and the statistics speak for themselves. There has been a 400% increase in cyber incidents in the maritime sector in the last 12 months.”
Speakers urged shipping not to overlook the threat of cyber criminals utilising weak points in operational technology (OT) to gain access to its IT systems; the equivalent of a burglar breaking into your poorly protected garage to gain access to your heavily protected house. Clark said there has been a 900% increase in OT cyber incidents in the last three years.
Chronis Kapalidis, Associate, International Security Department, Chatham House, warned of the sophistication of cyber criminals targeting shipping, citing hackers utilising open source information on Internet of Things devices to gain access to a company’s IT systems through Wi-Fi connected ‘smart’ lightbulbs.
In another case a shipping company was experiencing multiple pirate boardings in the Gulf of Aden. It was later found that the pirates were paying hackers to gain access to voyage plans to optimise their attacks.
Promisingly, it is shipping’s own workforce that can be part of the solution. Contrary to popular belief, Phillip Morgan, Professor of Human Factors and Cognitive Science, Cardiff University & Airbus, said, “Humans can be the strongest line of defence against cyber incidents.”
Morgan added that it is vital not to assume what the human vulnerabilities are in a company, but rather to measure them at an organisational level.
“Human cyber vulnerabilities are not always obvious. Impulsivity, gender, an extrovert personality are not always good measures of who will be a more successful target. Threat appraisal, security self-efficacy and an affinity with the devices we use are often more key.”
Morgan stressed there is a need not only for traditional surveys to assess human risks but also “cutting edge” research on how people use and interact with technology by tracking eye movements, pupil dilation, pulse and heart rate. “We need toolkits and to be more specialist in the realms of sociotechnical cyber security,” he said.
Shipping must also address existing gaps in international conventions and regulations and the impact they have on insurance, noted Clark. If a cyber incident means a vessel is deemed unseaworthy, for example, issues of due diligence will arise. “What happens if there is a cyber incident in a new build and it is found that it arose due to a defect in a ship’s system? It could be arguable that is within the owner’s scope of due diligence and if it is, what does the owner have to do?”
Clark put forward the notion of a cyber security kitemark for shipboard systems that can be regulated and recognised as a trusted standard.
Ultimately, the message is that shipping must not take its eye off the ball as cyber risks continue to increase and evolve.
“We need to be prepared to change. What protected us one week may not work the next. We need to be aware and appreciate how great we are as human beings at being adaptive, and there is no reason we shouldn’t be adaptive for cyber security. It is the only way we can win,” Morgan concluded.