Regularly training employees on cyber security best practice can help shipping companies stop hackers from infiltrating their networks, servers and onboard IT
A panel of technical experts debated how shipping employees and third parties can be prepared to face cyber threats during Riviera’s The weakest link: the human factor and maritime cyber security webinar.
This event, sponsored by Inmarsat, was held on 16 March 2021 as part of Riviera’s Cyber Security Webinar Week. The panel consisted of Wilhelmsen Group director of security, governance, risk management and compliance Morten Drægni, Inmarsat senior vice president for global cyber security Graham Wright, Grant Thornton UK partner for digital forensic group Vijay Rathour and Wärtsilä Voyage head of cyber security and technology Paivi Brunou.
They discussed how people are the weakest link that attackers exploit to get past company network security, and covered the challenges shipping companies face in keeping IT and operational technology (OT) cyber secure.
Mr Rathour described the main routes for hackers to infiltrate shipping companies’ IT systems. “Attackers have time and motivation to penetrate your systems,” he said. “Malware and phishing continue to be leading forms of system penetration, typically through social engineering,” Mr Rathour added.
As more companies adopt cloud-based storage, data analysis and remote communications, this attack surface keeps growing. There have been several incidents in which container shipping companies’ IT systems were penetrated and data either stolen or rendered inaccessible.
“It is easy to break passwords,” said Mr Rathour. “This shows humans are at risk and attacks happen.”
He said shipping companies need to plan for when cyber attacks occur and ensure they can recover. “Plan for the inevitable. It will happen,” he said. “Know how to recover, train and make sure it does not happen again.”
Mr Wright said Inmarsat had implemented extensive cyber security controls and personnel training to cope with the enormous volume of activity its systems see, only a fraction of which is hostile. “There are around 50Bn events on our internal systems every month,” he said.
Common maritime cyber security challenges include remote access to third-party networks, poor physical security controls, limited segmentation of networks, use of unsecured wireless networks and lack of cyber security awareness.
“There is lack of understanding of all systems and devices on the OT network across a fleet or operation,” said Mr Wright. He encouraged maritime companies to improve their cyber awareness, safety culture and training.
Ms Brunou said cyber security was everyone’s responsibility and there needs to be more awareness of the threats and their consequences. “It is all-hands-on-deck for cyber security,” she said. People need to be aware of how their errors of judgement can lead to cyber attacks. “80% of cyber attacks are not from malicious attacks, but from mistakes we make,” said Ms Brunou.
These mistakes can lead to data loss, access issues, loss of cargo information or exposure of these systems to others.
The consequences are worse if attackers reach vessel systems because OT is not segregated from IT. “Failure to properly address cyber security on vessels can lead to undesirable situations and cyber security-related incidents,” said Ms Brunou.
This could include accidental or inadvertent exposure and compromise of sensitive systems, applications or data to unauthorised users, loss of resilience or system redundancy and emergent failure modes that result in the cascade or catastrophic failure of critical systems or processes.
“These types of failures can also have significant financial and reputational consequences,” said Ms Brunou.
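The challenges listed above (remote access to third-party networks, limited segmentation, unsecured wireless and OT that is not segregated from IT) all come back to one control: a default-deny boundary between the vessel’s IT and OT networks. The ruleset below is an added illustration, not something presented at the webinar or used by any of the panellists’ companies. It assumes a Linux-based boundary firewall using nftables, with interface names lan_it, lan_ot and wifi_crew, IT addresses in 10.10.0.0/24, an OT HMI server at 10.20.0.10, an engineering workstation at 10.10.0.20, a vendor jump host at 10.10.0.50 and the protocol ports 502 (Modbus/TCP) and 5900 (VNC); every one of those values is assumed for the example and would be replaced by the real network design.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the webinar): default-deny IT/OT segmentation for a vessel.
# All interface names, addresses and ports below are assumptions for illustration.
flush ruleset

table inet vessel_seg {
    # The only IT hosts allowed to open connections into OT: the engineering
    # workstation and the jump host that third-party remote maintenance lands on.
    set ot_allowed_clients {
        type ipv4_addr
        elements = { 10.10.0.20, 10.10.0.50 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop

        # Return traffic for connections permitted below; anything malformed is dropped
        ct state established,related accept
        ct state invalid drop

        # IT -> OT: only the allowed clients, only to the HMI server, only on the
        # protocol ports the engineering role needs. Nothing else crosses the boundary.
        iifname "lan_it" oifname "lan_ot" ip saddr @ot_allowed_clients ip daddr 10.20.0.10 tcp dport { 502, 5900 } ct state new accept

        # OT -> IT: OT devices never initiate connections into IT, so a compromised
        # controller cannot reach the business LAN or the satcom uplink.
        iifname "lan_ot" oifname "lan_it" drop

        # Crew Wi-Fi is untrusted: it gets Internet only, never IT or OT.
        iifname "wifi_crew" oifname { "lan_it", "lan_ot" } drop

        # Everything not matched above is logged and then hits the chain policy (drop).
        log prefix "vessel_seg drop: " level info
    }
}
```

Two design points worth noting. Third-party remote access terminates on a jump host inside IT and is then subject to the same narrow IT-to-OT rule as everyone else, so a vendor never gets a direct path onto the OT network. And because the table is in the inet family but the accept rule matches only `ip saddr`, any IPv6 traffic that appears on the boundary falls through to the logged drop, which is the safe default for a network that is not supposed to carry it.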
Mr Drægni highlighted the importance of establishing a culture of cyber awareness and sharing intelligence of the latest cyber threats to shipping. “Sharing and collaborating is the way forward for cyber security awareness,” he said.
This is why he applauds introduction of national cyber security centres for sharing intelligence across the maritime ecosystem. “Cyber centres of excellence are the way forward in maritime,” said Mr Drægni.
And he said cyber security training should not just be once or twice a year. “Cyber security training should not be a one-time event,” he said. “It should be continuous, and you should aim for repetition as this is much better for long-term retention of information.”
Wilhelmsen provides regular training through video, email, courses and other media. “Cyber security is no laughing matter, but we try to make it a bit fun,” said Mr Drægni.
For example, Wilhelmsen compared a discarded USB storage device to a cupcake lying on the floor. Mr Drægni said nobody would consider picking up and eating the cupcake, yet people do pick up unknown USB sticks and plug them into their computers to see what is on them.
“It is important to increase safety culture,” he said. “It is not just a tick-off for compliance. It is about improving cyber security, sharing information, learning from mistakes and working together.”
Awareness of cyber security, human factors and training were high priorities for attendees of this webinar. Almost all of the attendees who responded to poll questions (98%) said they would support annual mandatory training as well as regular training and awareness activity.
Indeed, three-quarters (75%) had participated in cyber security awareness training within the past 12 months, according to their answers.
When they were asked how often they run a cyber security awareness programme in their organisations, 46% said it was once a year, 44% said it was a continuous focus of the company and 10% thought it was two to four times a year.
This training typically includes information on how to report events, as 84% of those responding said they knew how to report a cyber security incident or suspected issue.
But little of the training involves exercises in dealing with cyber incidents. Only 18% of attendees said they had participated in cyber security-related table-top exercises, drills or simulations within the past 12 months, with 82% saying they had not.
Training does involve simulation of potential email attacks as 41% of attendees said their company runs phishing attack simulations at least once a year, while 59% said they did not.
Attendees were then asked if their organisation had dedicated people working on cyber security awareness and culture. 78% of those who responded said they did and 22% said they did not.
Poll questions also asked attendees about their opinions on cyber security. They were asked how seriously cyber security is taken in the maritime sector. Only 4% of respondents said it was top priority. 60% thought there was awareness, but cyber security was not the highest priority. 34% were conscious it was out there, but attacks happened to someone else and 2% were oblivious to cyber issues.
They were then asked what the key to an effective maritime cyber security culture was. 62% said it was awareness of best-practice procedures, 21% thought it was upskilling IT and technical staff, 15% said awareness of information security policies and just 2% thought it was being up to speed with recent cyber attacks.
On Riviera’s The weakest link: the human factor and maritime cyber security webinar panel were (left to right): Grant Thornton UK partner for digital forensic group Vijay Rathour, Wilhelmsen Group director of security, governance, risk management and compliance Morten Drægni, Wärtsilä Voyage head of cyber security and technology Paivi Brunou and Inmarsat senior vice president for global cyber security Graham Wright