For many decades, a ship’s best defence against cyber attacks was its isolation. In part 2 of our cyber risk management series, we look at how maritime organisations function and at several significant internal structural issues, common across many shipping companies, that need to be addressed.
In most shipping organisations, cyber security falls under the remit of the IT team. The IT team is usually responsible for all information technology assets onboard and ashore. But a common theme uncovered through interviews conducted as part of this research is that the IT team’s responsibility stops short of full responsibility for operational technology (OT).
Two types of technology are required onboard a ship for it to function: OT and IT. Operational technology (OT) is the software and hardware that monitors or controls the vessel’s physical equipment. It is distinctly different from information technology (IT), which uses computers to create, store, and exchange digital information. On a ship, OT generally comprises the computer systems that control engines, steering gear, pumps, or valves. IT, by contrast, is used to provide digital navigation interfaces, facilitate company business, record compliance communications, and provide crew entertainment.
OT usually falls under the duties of the onboard Chief Engineer. While all Chief Engineers are highly trained and skilled professionals, there is currently no provision for them to become experts in OT cyber security alongside their day-to-day roles. OT used to be physically disconnected, which protected it through isolation, but increasingly that is no longer the case. The risk is that onboard networks are not particularly well managed. According to maritime cyber security startup CyberOwl, 26% of the vessels it monitors have connectivity between onboard OT systems and the shore.
As the prevalence of OT attacks on maritime infrastructure grows, the need for a unified approach to managing the security of IT and OT assets grows with it. However, there is an ownership gap for many maritime organisations between the IT security team, which is not wholly responsible for OT, and the engineering team, which is not entirely responsible for security.
This issue compounds because cyber security does not get the internal visibility it needs. Our research found that leaders in maritime organisations do not have a full overview of cyber security issues as they happen. The more senior a staff member is, the less likely it is that they are aware of their organisation having been a victim of a cyber attack. 44% of employees ashore in operational roles believe their organisation has been attacked in the last three years. This drops to 37% for employees in management roles ashore and just 19% for senior leaders in C-suite roles. The study found similar results for those who work aboard ships. 50% of ships’ officers believe their organisation has been the victim of a cyber attack in the last three years. This drops to 33% of ships’ masters, pointing to a similar pattern of under-reporting at sea. The combination of an organisational design flaw, in which no one takes end-to-end responsibility for cyber risk management, and the industry-wide pattern of under-reporting to senior leaders creates a vacuum of unnecessary risk. It also forces senior leaders to make decisions on cyber risk management in the dark. Maritime leaders have neither the complete picture of the risks throughout their technology stack nor the whole picture of the threats they face every day.
Last year, a ship received an email in its company inbox. The document appeared official and genuine, requesting information on the vessel’s future schedule, the cargo carried, the number of crew aboard, security personnel, and whether the ship was sailing with defensive weapons aboard. The officer who opened the email clicked the link without caution and dutifully filled in the official-looking forms as requested. Hundreds of miles away, a different ship received a similar email. An officer there replied directly to the email with the requested information and moved on with their day. The correspondence, however, was not an official email from a port official or stakeholder but a spear-phishing attack aimed at obtaining sensitive data from the ship’s crew. Fortunately, in this instance, the emails were sent as part of a training exercise developed by the Hamburg-based maritime cyber security consultancy Waterway. Across a fleet of 100 ships, 292 “malicious” emails were sent as part of a penetration test. Crew members across the fleet opened 269 (92%) of them. Of those who opened the email, a third (90) clicked the link, and half of those (44) went on to fill out the form, handing over sensitive data about the ship to the attackers. Just over 10% of the seafarers who were sent the email (31) replied directly to it with sensitive information about the vessel. Although this was a training exercise, it highlights a common technique for extracting sensitive data. Attacks of this nature create other risks too. Beyond crew inadvertently disclosing sensitive information, simply clicking a link in an email can allow malicious files or software to be downloaded onto the ship’s computer. Combined with weak network security management, that foothold could allow an attacker to critically compromise the vessel and its defences.
The fact is that a ship’s most significant liability for cyber risk can also be its biggest asset. The human element has the biggest role to play in allowing a cyber breach, inadvertently or otherwise. The crew are also often the first and last line of defence. While this mainly concerns the seafarers themselves, it applies equally to anyone temporarily on board during a standard turnaround in port. Surveyors, superintendents, loading masters, engineers and contractors can all expose a ship to attack. Every time a device connects to either the IT network or otherwise isolated OT equipment for maintenance, it creates a new potential entry point. In light of this, for maritime organisations to build resilience, there remains a significant need for improved knowledge, skills and training. The current state of skills training is relatively positive across the industry for those in shoreside roles. 83% of shore-based personnel working for shipping companies report regularly conducting cyber security drills and training. This figure drops to 66% for C-suite leaders. 93% of shoreside personnel in shipping companies know what actions would be required of them during a cyber security incident.
But at sea, the picture is very different. More than one in four seafarers (26%) do not know what actions are required of them during a cyber security incident. Worse yet, nearly one in three seafarers (32%) do not conduct any regular cyber security drills or training. All shipboard personnel must undertake security training as part of the requirements under the International Ship and Port Facility Security (ISPS) Code. Under the regulation, at least one crew member must be certified through enhanced security training to fill the Ship Security Officer role. Similarly, at least one member of the shoreside team has to undertake enhanced training for designation as the Company Security Officer. Unfortunately, the ISPS Code, and therefore the training it requires, only covers physical security; there is no specific provision for cyber security. In line with the industry’s organisational issues, these regulatory shortcomings disincentivise any unified approach to cyber security. As ships become increasingly advanced and connected to the internet, a vessel’s physical and cyber security become inseparable. Akin to physical security measures, cyber security is an ever-moving target. Cyber criminals are constantly creating new attack methods and searching out vulnerabilities. As well as understanding the basics of good cyber hygiene, everyone in an organisation has a responsibility to keep learning about the latest vulnerabilities the cyber security community has identified. Without a continuous programme of professional development covering the latest relevant cyber threats, the industry will remain exposed to unnecessary risk.
Even with the very best cyber security practices in place, it is nearly impossible to stop a highly determined attacker with enough time and resources from breaching a system. A breach is therefore simply a matter of time, and it is critical to establish the right contingency plans for business continuity so that recovery is efficient.
A cyber security response plan is crucial to ensuring an organisation knows how to respond when an attack does happen. These plans should be shared and available throughout an organisation based on an individual’s role and seniority. Access to the most detailed and sensitive aspects of the plan should be restricted to leadership and security personnel. At the same time, basic plans that detail the actions required of an individual employee should be readily available to them.
When a threat is detected, it needs to be thoroughly analysed to understand which systems are affected and how. From there, it is possible to contain the incident and carefully recover the affected systems. A well-rehearsed cyber security response plan should be backed up by high-quality intelligence to support a swift recovery.
Our research found that 38% of senior leaders in the industry either do not have a cyber security response plan or, alarmingly, are unsure whether their organisation has one. Further, 35% of senior leaders report that their organisation does not regularly conduct cyber security training or drills to ensure it is able to respond to, and recover from, a cyber attack.
Just as the industry regularly conducts safety drills, so too should organisations conduct cyber security drills that stress-test their cyber security response plans. Wide participation in the drills gives better assurance of the stress-testing. For cyber drills in shipping, this should as far as possible include seafarers and key suppliers. Excluding those in leadership positions, 90% of industry professionals who work for shipping companies report that their organisation has a cyber security incident response plan. This figure drops to 71% for seafarers, and just 55% for industry suppliers.
A cyber security response plan should be a living document that adapts to changing conditions, circumstances and threats. Organisations should have systems in place to gather intelligence on cyber security threats and to learn, after the fact, from cyber security incidents and from their own response to them. While 80% of industry professionals report having systems in place for learning from cyber security incidents, only 52% report having a process to gather intelligence on cyber security threats.
CYBER SECURITY MANAGEMENT SERIES
In the last few years, the maritime industry has made great progress in improving its approach to cyber risk management, but significant gaps remain. This report, developed in collaboration with CyberOwl and HFW, explores the gaps that exist between the industry’s perceptions of cyber security and reality, taking into account the views of more than 200 stakeholders from across the industry, including cyber security experts, seafarers, shoreside managers, industry suppliers, and C-suite leaders.
Over the coming weeks, we will be sharing a series of articles on the state of cyber risk management in the maritime industry. We will also uncover the great disconnects that exist across the industry: where expectations and reality do not match up, where cyber risk management efforts are lacking, and where risks unique to maritime exist.
Download your copy for free @ THE GREAT DISCONNECT