Ship and port owners, operators, managers and authorities need to do their utmost to implement cyber security as the industry incorporates greater integration and connectivity
There are many layers to cyber security that organisations and companies can adopt, but it must not be just for compliance sake, said Maritime Transportation System - Information Sharing and Analysis Center (ISAC) executive director Scott Dickerson.
He explained how ports and ship operators can secure their assets from cyber threats in answers to questions raised during Riviera Maritime Media’s Where port security meets cyber security webinar. This was held at the beginning of Riviera’s Maritime Cyber Security Webinar Week in August.
He said ships and ports “must be a safe and secure location and multiple stakeholders play a role in keeping it that way. This needs to be a priority.”
But organisations’ risk management investment and responses should not be purely to cover regulatory requirements or industry guidance.
“No regulation, directive, or guideline is accurately depicting what the current risk profile is for an organisation,” said Mr Dickerson. “Compliance does not equal security or effective risk management, so please be wary of taking a compliance approach to any directive.”
There are requirements from IMO and regional authorities, such as the EU, and guidance from industrial organisations, such as BIMCO. But these should be seen as the minimum for cyber security.
“Be careful about wanting to check a box against a guideline, as that may or may not be sufficient from a risk management standpoint for the organisation,” said Mr Dickerson.
He elaborated on what organisations and companies need to implement to mitigate risks from cyber attacks. Firstly, know your IT and operational technology vulnerabilities to cyber threats.
“Every organisation should understand their IT, OT, and internet of things (IoT) risks, revenue generation and business models, and manage each risk to within the defined acceptable limits of the organisation,” said Mr Dickerson.
Thorough risk assessments are needed to select methods of enhancing cyber defences and planning responses to security breaches.
“The fundamentals of cyber security – including patching, asset and configuration management, security software, access controls and building a culture of security awareness, must be tackled,” said Mr Dickerson. “Meaningful security efforts can have positive meaningful impacts for risk management.”
He recommended that organisations “consider a mix of controls that cover people, processes and technology” for full cyber security, especially as employees and other personnel are potential conduits for malware and hackers.
“This is not just a technology issue, as users play a vital role in risk management,” Mr Dickerson explains. “Whether it is responding to phishing, the secure use of technologies like USB sticks or thumb drives that are commonly still used in maritime, people play a large role.”
Cyber attacks often begin with human error, sometimes in reaction to a message, or access to an unsecure internet link.
“Attacks often start out via social engineering or scanning public facing internet connections,” said Mr Dickerson. “Once a foothold is gained on a network, it is often possible to pivot across the network to OT segments and equipment. Given the convergence of OT, IT and IoT, these risks are not just hypothetical in nature, they have happened.”
For this reason, an important aspect is keeping an air gap between IT and OT, and segregating connectivity networks to mitigate the risk of malware spreading.
“Network segmentation and one-way/unidirectional communication paths are the best options,” said Mr Dickerson. “It is important to monitor activity between and within segments for signs of potential unauthorised access.”
He acknowledged there are issues to overcome and problems to avoid in implementing successful defences. “Cyber security is challenging for large and small organisations alike,” said Mr Dickerson. “After all, with greater scale there are more challenges, particularly when you start factoring in third-party risk and the exposure and complexity of some of the world’s largest port environments.”
Therefore, the size of an organisation does not matter. Each one is at risk of cyber threats and needs to understand its vulnerabilities and strengthen them.
“No organisation out there, government or civilian, to my knowledge has successfully prevented all attacks,” said Mr Dickerson.
“Organisations have pivoted their strategy from trying to prevent an attack, identify and recover, to be more resilient and limit the impact,” he said.
Part of the remedy is sharing of information on cyber threats and attacks in shipping and ports. Maritime Transportation System ISAC is a platform for sharing data anonymously, with its website www.mtsisac.org.
“When customers share information with us, we typically strip out all organisational identifiers before sharing information with the community,” Mr Dickerson explained.
“There are relatively few incidents that we share information on. Most shares are proactive, actionable sharing regarding phishing, failed login attempts, scanning activity that is being seen before an incident or breach has occurred.
“This, along with information on best practices, allows limited cyber security resources to be focused to counter current attack patterns,” he concluded.
Information, viewpoints and answers to questions on cyber security can be accessed from Riviera’s webinar library