Cyber risk management is needed at the central office as much as it is on vessels in a fleet
With many vulnerable systems such as the navigation equipment and the office networks on shore, cyber risks are present everywhere unless addressed. Therefore, cyber resilience needs to be for the entire business, across all shore sites and fleets.
“Successful cyber attacks not only damage the maritime industry financially, but they also interrupt business operations and cause long-lasting damage to a company’s reputation,” said Speedcast cyber security product manager Santiago Jaramillo.
This has been clearly demonstrated with security intrusions in major shipping lines and ports in the past few years.
Following an accelerated digital transformation, the maritime industry saw a 400% increase in cyber attacks in the first few months of this year. These attacks range from ransomware to malicious viruses trying to take control of systems.
These are costly, with the average damage of a single ransomware data breach estimated at US$3.9M and rising. This is small in comparison to the major attack on Maersk Line in 2017, which is thought to have cost the group around US$200M to recover from.
“The maritime industry must defend against constantly evolving cyber attacks,” Mr Jaramillo told Maritime Optimisation & Communications. “It is not only remote ships that are being affected, but shore-based networks too.”
Vessels are deeply integrated with connected systems to operate and communicate. The vast networks across shore and ship provide multiple backdoors for hackers to attempt entry.
“With today’s sophisticated attacks, cyber criminals only need to find one weakness in a company’s system and its operations can be shut down in a matter of seconds,” Mr Jaramillo added.
IMO incorporated these risks into ship security and safety management systems as it published Guidelines on Maritime Cyber Risk Management at the beginning of this year. Shipping needs to comply with these new requirements, but cyber risk management should go beyond them.
IMO 2021 recommends taking several measures to mitigate cyber risks such as identifying responsibilities, improving how incidents are responded to and ensuring the welfare of crew is protected in a cyber incident.
“IT departments need formal documentation, a managed asset lifecycle, change management and escalation for incident response,” said Mr Jaramillo.
“Although IMO compliance significantly supports cyber-security resilience, just meeting the requirements alone is not necessarily enough to mitigate the unique risks across the whole business,” he continued.
“Vessel operators need to take a top-down approach to manage their cyber-security risk. To create end-to-end integration of security across the whole business.”
This needs to be a strategic approach considering all the business needs and risks, to assess an organisation’s shore-based and fleet operating environments.
“The methodology needs to be collaboration-based and facilitate cyber-security design and implementation,” said Mr Jaramillo.
“With so many systems within the business to defend, you need to know how best to deploy resources, people, processes, tools and funding, to address cyber-risk management requirements on the vessel and in the office environments.”
But there are challenges. There is a global shortage of cyber-security experts with specific knowledge of the maritime industry, which is making it costly to seek advisory support on improving security practices.
In addition, there is no single technology solution that can defend against all threats, “which means training staff, putting proper security procedures in place and utilising best-in-breed technology,” said Mr Jaramillo.
“With the right measures in place to identify and cover potential weak spots, it becomes far easier to deliver a standard of cyber-risk management care which both creates cyber resilience and complies with IMO requirements,” he explained.
“This also prepares the business for IMO-required activities such as internal audits, inspections and post-incident investigations.”
It is not just one individual who oversees information security – cyber security requires everyone’s participation.
Speedcast’s approach is to help support organisations to drive awareness, engagement and cross responsibility across various areas of the business to ensure there are no weak spots.
“It is important to understand that no vessel owner or operator will be required to comply with every listed IMO 2021 requirement,” said Mr Jaramillo.
“Each company is unique in its operations, geographic reach and technology. Certain guidelines and requirements will apply to a company’s situation, yet others will not. What IMO strives for is that fleet and vessel owners and operators find where their gaps are and work to close them.”
Speedcast introduced its CyberInsights solution earlier in August, in co-operation with HudsonCyber. This was designed as an adaptable and dynamic cyber-security solution that integrates industry-leading standards, frameworks, and standardised practices.
This cloud-based tracking platform provides detailed reviews of security architecture design, implementation and operation, including network devices, servers, desktops, web applications and related IT infrastructure.
Riviera Maritime Media will provide free technical and operational webinars in 2021. Sign up to attend on our events page