Cyber security – shipping must stop being complacent

About one-quarter of cyber attackers are thought to be disgruntled employees. Credit: Press Association

Shipping’s awareness of cyber security lies somewhere between ‘low’ and ‘non-existent’. We have all heard of it, we know we should be doing something about it, but as yet there’s no appetite in a weak market to tackle issues that probably won’t affect us. Senior management isn’t taking it seriously, and there are very few reports in the media of competitors being hit. So let’s wait until there’s a bit more certainty, and a lot more money in the bank, before we put cyber at the top of our agenda.

It’s true: there haven’t been many reports – and there’s a good reason for that. To admit you have been the victim of a cyber attack leaves your company vulnerable to copycat attackers, as well as giving signals to charterers, insurers, potential financial backers, and even employees that security systems are less than robust in some way. Even a small breach can damage reputation so, to avoid questions, push it under cover.

However, there are hundreds, perhaps thousands, of attacks known to the security experts – oil and gas installations, bank accounts, personal data at telecommunications firms. On one occasion, a ship in New York harbour had its ECDIS affected by a virus that emerged from a seafarer’s cell phone on charge. Elsewhere, a hospital in Hollywood was hit by ransomware, a type of malware that restricts access to a computer until the user pays a ransom to have it removed. Airline booking systems have been brought down, and business operations software systems broken into. It’s global, indiscriminate, and anonymous. No wonder Somali piracy has gone quiet.

Sokratis Katsikas from the Norwegian Centre for Cyber Information and Security told an excellent conference in Nicosia on 11 April that the top vulnerability was lack of cyber security awareness and training among employees. Then came remote working, followed by limited cyber culture among vendors, suppliers, and contractors. And it’s not just recent employees; senior managers were warned that pushing cyber security down the chain to IT specialists instead of making it a boardroom responsibility would lead to cyber issues being given second-level attention. Few chief executives appear to recognise the threat these attacks can pose to finances, operations, and reputation.

About one-quarter of attackers are thought to be disgruntled employees, breaking into known systems to cause limited, although inconvenient, damage. The rest are a range of malcontents, from teenagers testing the metaphorical doors to see if they open, to cyber terrorists with an armoury of malware, hacking techniques, and phishing scams. Few of us know about Smurf or Ping of Death attacks, or zombie computers and zero day viruses. However, cyber criminals do, and they have little regard for who they hurt in the process.

So what can be done? The first step must be widespread education about the problem – by which I don’t mean the breadth and depth of cyber crime, but rather the failure of the maritime sector to take it seriously. The next step is to acknowledge that a great deal of the answer lies in restricting access to critical systems, building layers of protection, and upgrading protection as often as is necessary. This conference was told several times that there is no such thing as a fully secure system; however, hackers won’t waste time attempting to break into well-defended companies when there are softer targets unaware of their vulnerability. It takes just a single weakness in software to jeopardise a company’s entire business-critical systems.

A good third step should be to admit that a cyber attack has taken place, but only after the victim has invested in much-improved security. Until that happens there is little chance that others will follow. A director of the US Federal Bureau of Investigation said there are two types of company: those who have been hacked and those who will be hacked. The real vulnerability is not software; rather, it’s executives who ignore cyber security warnings.