Shipping warned not to overlook people’s role in cyber defence

The roundtable at SMM

If you could build a cyber-resilient vessel from scratch, what would be your ideal approach? This question was posed to shipping industry experts at a roundtable held at SMM in Hamburg, Germany, on 6 September to discuss the findings of the 2018 IHS Markit/BIMCO cyber survey.

The answer could have been a lengthy one, but was quickly boiled down to: standardisation of onboard systems and ensuring cyber security is built into onboard operational technology (OT) from the outset. This ideal scenario is just that: ideal. Instead, most vessels sailing today are ageing and using legacy OT that, whether shipping admits it or not, is opening companies up to cyber threats.

Despite more than half of the 350 respondents to the 2018 IHS Markit/BIMCO cyber security survey working in ship operations, the majority (93%) said IT systems are most affected by cyber incidents, with only 7% of respondents seeing OT as being at risk. While IT system breaches and loss of functions or corporate data are a real risk, this is true of any industry. What makes shipping unique in its cyber-security needs is its OT.

Several voices at the roundtable expressed concerns over the lack of understanding and attention being given to the unique cyber threats OT can pose. Cris DeWitt, senior technical advisor for marine/offshore cyber security at ABS, said that he has visited 40 ships in the last couple of years and is in the unique position of starting at the critical systems before reaching the IT systems that “float around the assets”. He added that “anything connected to the internet we look at as another threat”.

It is also important to note that a system is not protected from cyber breaches just because it is not connected to the internet. It only takes an infected USB device being plugged into a port, or someone deciding to override manufacturers’ specifications and connect two disparate systems, to spread a virus or malware.

As DeWitt pointed out, while an IT cyber breach of company information can cause financial loss or reputational damage, an OT cyber breach could cause a “physical event to happen where someone gets killed, a ship is damaged, or things are dumped into the ocean”. These kinds of large-scale events come with high financial and reputational costs, not just to a company but potentially to the entire industry and those in its supply chain.

Aron Sørensen, head of maritime technology and regulation at BIMCO, said that to highlight the importance of this issue, the third version of BIMCO’s cyber-security guidelines will have a strong OT focus.

Concerns regarding OT expressed at the roundtable included companies failing to take simple precautionary measures such as changing default factory passwords. Furthermore, the wide range of onboard systems available to owners from a multitude of vendors, made possible by broad industry specifications, was said to be making onboard cyber security too complex. Frank Coles, former chief executive officer (CEO) of Transas, said shipping should learn from industries such as aerospace where cockpits are standardised and there is minimal variation of systems to reduce risk.

If an owner is getting its electronic chart display and information system from one manufacturer, its thumb drive charts from another, and hardware satellite communications from a third, cyber risks are increased, said Coles. “Many of the fragmented purchasing managers don’t appreciate the problem and they are doing very little to combat it,” he stressed, adding that companies might be investing money to make their logistics and IT systems resilient but have “outdated” attitudes on how to navigate a vessel safely from a cyber perspective.

With disparate legacy systems on board, technological solutions such as segregating networks can improve resilience but will not necessarily stop a crew member from plugging in a USB or tampering with systems. As a result, and with most legacy systems unlikely to be suddenly replaced or standardised any time soon, the focus, according to those at the roundtable, should be on changing people’s attitudes and actions.

In last year’s IHS Markit/BIMCO cyber survey, people were identified as the main cyber risk to companies. This appears to have prompted action, with more than half (55%) of companies in this year’s survey declaring they have invested in awareness training to better protect against threats. Meanwhile, 58% said they have incorporated cyber guidelines, with BIMCO’s the most commonly used, and 66% have undergone cyber-security training.

While most at the roundtable agreed that taking an approach to cyber security akin to that of the US Navy, with a heavy emphasis on training, was a good way to improve resilience, the current maritime approach is not fit for purpose. Scepticism was expressed that owners are doing only the bare minimum – putting awareness posters on vessels (one of the most common ways crew said their company provided cyber awareness in last year’s survey) and incorporating guidelines – and are not adequately filling the gaps in their companies. Others called into question the quality of training currently being provided to crew, maintaining that current options can be “not very helpful and dry”, with costs too high per head.

Cyber preparedness has become a popular phrase in the maritime industry, particularly for insurers, who, if theoretically providing coverage for a cyber incident, would look at what steps an owner had taken to increase resilience before paying out on a claim. This could involve checking whether a company has carried out penetration testing, provided training, or has firewalls in place – although currently, there is no magic formula for how an owner could prove it is cyber-prepared. However, once again, ‘people’ was cited as a key element in being cyber-prepared for those present at the roundtable.

Peter Schellenberger, managing director of OSM Maritime Group, said, “There is not a technology-only solution” to cyber and any automated system that detects a breach will require cyber specialists, ideally ones who are available 24/7, to “jump in immediately when something happens to shield and cordon off systems and try to maintain or resurrect whatever you can”.

He added that OSM aims to provide a complete “A-to-Z” of cyber solutions, using a technology partner from the banking sector that has “had the most exposure” to and experience with cyber attacks.

The six-step approach for cyber begins with penetration testing, fixing and patching gaps, securing ship-to-shore communications, having cyber specialists on contract to respond to an issue, as well as a PR organisation to handle any post-incident communications, while the final step – insurance – has so far proven “extremely challenging” to include in the package.

Having a single point of contact for owners or crew to call during a cyber emergency was stressed as vital by attendees including Lars Lange, secretary-general of the International Union of Marine Insurance. This was based on testimony from Maersk CEO Søren Skou at Singapore Maritime Week regarding how the company dealt with 45,000 of its computers crashing because of the NotPetya virus. “If there is a fire on board, you know what number to call. If there is a casualty, you know what number to call. This is not yet true for cyber,” said Lange.

Chris Gibson, director of the Maritime Cyber Emergency Response Team, a collaboration between UK-based cyber security firm Templar Executives and Wärtsilä, has set up what he hopes will become the default emergency contact for shipping during cyber incidents. The goal is to create a place where the maritime sector can share knowledge, collaborate to counter cyber threats, and have expert advice and real-time support for members. Having worked on a similar model for the UK government, he stressed that such collaboration and information sharing is vital to counter cyber threats “and people could not bare their souls enough” when it comes to cyber.

Ultimately, the message from the roundtable was clear: ignoring OT threats will not make them disappear and investing in people and quality training is vital to counter these risks.