A special webinar on cyber-security was staged for Nautilus members in September 2018 in partnership with Appsecco and its specialist maritime division, ShipSecure. Gwilym Lewis, the company's CEO, offered some thoughts ahead of the event…
The recent successful cyber-attack at COSCO has once again shone the spotlight on cyber-security in the shipping industry and raised the question 'What happens when this happens to shipboard systems?'
The bad news is that with ever-increasing methods of mounting cyber-attacks, and the ease with which even technically unsophisticated individuals can use them, the reality is that everyone should expect that they will be 'hacked' at some point and thus this will happen to vessels.
One of the most common misconceptions about cyber-attacks is that they are all consciously targeted events; that there's a hooded hacker sitting in a shadowy room specifically attacking an individual or organisation. Whilst this is true in some instances - and there's a significant amount of money to be made from doing so - most cyber-attacks are more random in nature.
Many attacks are started by automated programs looking for vulnerable systems online, rather than target X specifically, and then either flagging back to the hacker that they've found something interesting or completely autonomously completing their attack. It was the latter that caused havoc for Maersk in 2017 where its entire global IT infrastructure was destroyed as collateral damage in a cyber-attack tied to users of a Ukrainian accounting software package.
The good news is that it's a relatively straightforward process to quickly improve the baseline level of security on vessels to guard against many forms of cyber-attack without the need to bar crew from accessing things like the internet whilst onboard or purchasing expensive technology solutions.
This has long been the case for other industries - and the lessons, processes and experience from them can readily be applied to the maritime sector too. The key when looking to improve cyber-security, particularly when there is a low initial base, is to focus on the fundamentals; get the basics right first, rather than see it as a binary problem that needs to be resolved in one go.
Acting to address the basics today makes strong commercial and operational sense and doesn't need to be wildly expensive. Even a modest increase in investment in training crew and implementing simple steps to test and secure systems will help ensure that the risks are reduced and the damage from a successful cyber-attack, if it happens, is better mitigated, allowing normal operations to continue.
Three simple steps that can be taken today:
- Empower crew to be the front line of cyber-security whilst at sea rather than see them as part of the problem. Regularly train them about the cyber-risks they face, both as individuals and as employees of a company, the potential consequences of a successful attack and the responsibility they have on a daily basis to keep a vessel safe and secure
- Carry out cyber-security testing of vessels and onboard systems to properly understand how vulnerable they are to attack. Use this knowledge to make informed decisions on what needs to be done to make things more secure when balanced with your individual risk profile
- Internalise that no matter how good your cyber-security controls and processes are you still may fall victim to an attack. Take steps to configure onboard systems to minimise the damage an attack can do and ensure that there are clearly communicated processes for crew to follow in the event of an incident too