At the Maritime Cyber Risk Management virtual conference, cyber security experts from CyberOwl, Fathom5, Epsco-Ra Maritime Cyber and Wärtsilä Voyage provided advice on how shipping companies can enhance their security.
As shipping comes to terms with the increasing risk of cyber threats, companies are turning to different third-party solutions for threat intelligence, vulnerability identification, response and recovery planning and crew training.
Shipowners will need to ensure they comply with IMO’s requirements to include cyber risk management in their onboard safety management systems from 1 January 2021 (IMO 2021).
Owners and managers should already have heightened security in place as cyber risks increase, as demonstrated by successful attacks in 2020 on IT networks at IMO headquarters and within major shipping companies.
During session 3 of Riviera’s Maritime Cyber Risk Management virtual conference, Fathom5 founder and chief executive Zachary Staples explained methods for shipping companies to identify risk and manage vulnerabilities.
Maritime companies should improve their knowledge of asset vulnerabilities and test protection measures, said Mr Staples. He said there were three key principles: “Build the right cyber risk team, use the right tools and do effective prototyping and onboard integration.”
During an independent conversation in a conference virtual chat room, Mr Staples explained how shipowners need to make cost-effective decisions for compliance with IMO 2021 requirements.
“Shipowners need to think about proper risk management,” he said. “Owners and operators need a low-risk prototyping environment to run reliability and safety tests on their existing configurations and potential new digital tools that do not put their vessels at risk during the test phase,” he noted.
During the conference, CyberOwl chief executive Daniel Ng explained how shipowners could measure whether their cyber security investment was working using key performance indicators and metrics.
He said there were five metrics that need to be recognised and measured. “You cannot protect what you do not know you have,” said Mr Ng. These metrics cover owners’ inventory, network separation, USB restrictions, internet controls and response plans.
“These need to be measured to track your cyber resilience progress over time,” said Mr Ng, “and to ensure the crew are following cyber policies and turning training into practice.” These measurements can also be evidence for audits of companies’ cyber risk management plans.
Epsco-Ra Maritime Cyber director of technology Gideon Lenkey demonstrated cyber risk management documentation and risk analysis in his presentation.
He said shipping companies need to assess the impact and effectiveness of their response plans and constantly reassess threats and vulnerabilities.
“You have to have a clear understanding of the risks,” said Mr Lenkey. He explained this was a constantly revolving circle of risk evaluation, protection implementation and evaluation.
This starts with identifying the hazards, then identifying people that face these risks. The next steps are to evaluate risks and then implement risk mitigation and security. The final element of this process involves reviewing this protection. Companies should then return to identifying hazards and risks.
Wärtsilä Voyage general manager for cyber security Päivi Brunou said training and supporting crew is an important aspect of reducing threat risk.
She said shipping companies need to “help employees make better security decisions with regular crew awareness training” while outlining the roles of seafarers and onshore personnel in terms of cyber hygiene and responding to potential threats.
“Cyber security requires a holistic approach and concerns the whole company, not only the vessel crew, IT or maritime operations,” Ms Brunou said.
“Cyber security needs to be fit for the context and relevant,” she added. “There is no single approach, activity, technology or process that can address all cyber-security risks.”
In an earlier session from the conference, attendees heard how one shipping group learnt valuable lessons from a major cyber attack.
AP Moller-Maersk chief information security officer and cyber security team co-ordinator Andy Powell shared his thoughts on the maritime cyber security outlook for 2021 and the likelihood the shipping industry will again be caught up in a state-sponsored cyber attack.
Danish Maritime Authority special adviser and naval architect Erik Tvedt described how shipping companies should consider cyber attacks similarly to how they tackle onboard fires.
Inmarsat director for retail maritime Laurie Eve then highlighted the importance of crew training and shore staff in cyber risk management to prevent successful attacks.
Insurance group Beazley senior risk manager Kelly Malynn said shipping companies should include third parties in their preparations and scenario training.
Norton Rose Fulbright director and head of operations for data protection, privacy and cyber security Steven Hadwin said shipping companies should be prepared for inevitable cyber breaches.
Coventry University researcher Kristen Kuhn explained how the university’s Institute for Future Transport and Cities is running scenario simulations as part of a two-year study.
Norton Rose Fulbright, CyberOwl, Fathom5 and Epsco-Ra Maritime Cyber supported Riviera’s Maritime Cyber Risk Management virtual conference, which was held on 3 November 2020.