Hyper connected shipping: mitigating the cyber threat
Cyber is a threat that should be on every business’s risk register, including those in the shipping industry, says Sharif Gardner, Head of Training at Novae.
To date the shipping industry has experienced fewer attacks than other sectors, but this does not mean it is immune or less at risk. Today’s onboard operational technology (OT) and information technology (IT) systems are becoming connected like never before, and the reliance on smart and interconnected systems will grow as shipping companies strive to be faster, cheaper and more efficient. This hyper-connectivity greatly increases the risk of critical systems, such as safety, propulsion or navigation, being exposed to cyber threats.
Additionally, shipping companies and their vessels are not immune to the relentless threat from cyber-criminals seeking financial rewards, as well as sensitive company or employee information, by using common social engineering techniques such as phishing, business email compromise (BEC), and other basic scams. Whilst certainly not as catastrophic as the loss of a ship’s navigation systems, the loss of money and/or critical information can have a significant financial, legal, and reputational impact on the company.
Cyber security awareness across most industries is still relatively poor but according to recent research, it is particularly low in the shipping industry and this needs to change.
Building a strong cyber security awareness culture is the first step. Shipping companies need to recognise and prioritise cyber security in their risk registers and assign accountability for this risk to appropriately qualified senior executives. Contrary to popular opinion, this is NOT an IT issue, it is a business risk and as such it is the executive management team’s responsibility to provide all necessary support to effectively develop and promote a culture of awareness.
This is where education becomes important, and it is something that needs to happen across every level of the business. Employees are one of the biggest cyber security vulnerabilities and are considered a “soft target” by criminals because of their limited understanding of the risks they face. Instead of using highly technical and time-consuming hacking methods to breach a company’s systems, cyber criminals often prefer to target the employees themselves in order to gain access to information and systems.
Raising awareness of the cyber threat needs to be a constant process, not a one-off box-ticking exercise. We are seeing an alarming rise in business interruption from technology disruptions on board. This is caused largely by untrained crew, or non-malicious insiders as they are known in cyber speak, not recognising unsafe emails which, when opened, download viruses onto the system. Company executives, managers and team leaders need to communicate the cyber security message regularly, supported by ongoing awareness courses, awareness campaigns and regular testing.
Heightened awareness will greatly improve a company’s ability to effectively manage the cyber security risk, when at sea and onshore. Part of this awareness comes from understanding how the IT and OT systems are connected and where the vulnerabilities lie. Companies need to assess their exposure, explore measures to manage the risk, such as cyber insurance, and develop an incident recovery response plan.
Educational campaigns such as Be Cyber Aware at Sea can help crew prevent cyber-related incidents; however, mistakes are inevitable. When this happens, cyber insurance can assist in ‘steadying the ship’ and keeping an organisation operational during uncertain periods of downtime.
Cyber insurance can provide the necessary peace of mind to shipping companies and their vessels.
It can provide broad first- and third-party coverage for losses arising from a computer attack, operational error or accidental damage, including cyber extortion and ransomware, customer attrition and transactional e-theft. These insuring agreements offer much wider coverage than traditional P&I policies and extend beyond malware and intentional breaches alone.
Additionally, insurers have the advantage of working across a broad range of industries and business types and deal with hundreds of events a year. This allows firms to take advantage of insurers’ crisis management vendor relationships to respond to their incident in the most efficient and effective way possible.
With the rate of new malicious software (viruses) and different attack methods increasing every day, and the shipping industry’s growing interconnectivity, a cyber attack is no longer a matter of “if” but “when”. The business, financial and reputational impact experienced by a company following an attack will depend entirely on the measures it implements today to adequately manage the risk. This is a boardroom issue, and companies need to act now to educate their employees on the cyber threat, implement a culture of awareness and resilience throughout their organisation, and explore other ways to mitigate the risk, such as investing in cyber insurance.
Cyber security basics: measures that individuals and organisations should take to reduce exposure
- Secure the human. Educate end users, managers and executive leaders in the most basic techniques for preventing incidents in the first place. Train your crew to be the human firewall and to identify common online threats such as phishing and email scams.
- Always have up-to-date anti-virus protection on IT systems and mobile devices; this will filter most of the known threats.
- Update operating system and application software when vendors instruct you to, wherever possible: these updates contain important security fixes and bug fixes. This is not always possible when at sea, so it is important that crew know which systems have not been updated and avoid introducing risks to those systems.
- Restrict access to important IT and OT systems and put technical and procedural measures in place to restrict administrator rights. Only those who ‘need to know’, or who need to change information, should be able to do so. This protects the confidentiality, integrity and availability of information.
This article first appeared in the February 2017 edition of Phish and Ships.