At the Maritime Cyber Risk Management virtual conference, cyber security experts from Norton Rose Fulbright, Beazley and Coventry University discussed how shipping company boards and vessel crews should practice their responses to cyber breaches in training scenarios in preparation for the real event
Norton Rose Fulbright director and head of operations for data protection, privacy and cyber security Steven Hadwin said shipping companies should be prepared for inevitable cyber breaches. “It is really important to plan for incidents to happen as it would not be possible to prevent everything,” Mr Hadwin said.
“It is better to have plans in place for communications, engage with service providers for external support and educate your people,” he said, with panellists noting that executive-suite level personnel should be involved in simulated cyber incidents so companies can test their strategic responses, communications with third parties and authorities and mitigate potential malware damage most effectively.
“Humans are the first line of defence and people need to understand the cyber risks,” he said.
Mr Hadwin said this was increasingly important as companies and shipping become more vulnerable to cyber incidents due to greater levels of remote working.
Engaging with maritime company boards to test their preparations for cyber attacks, Coventry University’s Institute for Future Transport and Cities is running scenario simulations as part of a two-year study. Coventry University researcher Kristen Kuhn said these follow maritime-based scenarios ranked according to BIMCO standards, within Guidelines on Cyber Security Onboard Ships-Version 3.
“Not only can effective games emulate reality, but they provide an environment where participants – decision makers – can prepare strategy and response to plausible cyber incidents, in turn building muscle memory to effectively react,” said Ms Kuhn.
Coventry University is halfway through its two-year programme and has run one set of scenarios with 47 participants. “They were divided into four random groups, each with participants from various countries, with mixed work experience and cyber security expertise,” Ms Kuhn explained. “Each scenario included distinct cyber incidents in the maritime domain according to BIMCO impact levels.”
Insurance group Beazley senior risk manager Kelly Malynn said shipping companies should include third parties in their preparations and scenario training, such as experts in crisis management, insurance, contingency communications, public relations and cyber forensics. “Owners should engage crisis management and legal support and have a public relations strategy,” Ms Malynn said. “Forensics experts can detect and analyse attacks and advise on recovery.”
Ms Malynn said shipping companies need communication lines in place in advance in case a cyber attack disables a means of communication and connectivity.
“They should have dedicated off-network communications," she said. "If shoreside systems are down, how will [companies] communicate with [their] ships?”
In an earlier session from the conference, attendees heard how one shipping group learnt valuable lessons from a major cyber attack.
AP Moller-Maersk chief information security officer and cyber security team co-ordinator Andy Powell shared his thoughts on the maritime cyber security outlook for 2021 and the likelihood the shipping industry will again be caught up in a state-sponsored cyber attack.
Maersk Group estimated the Notpetya ransomware attack that hit the company in June 2017 cost between US$200M to US$300M in loss of revenue and recovery costs.
Also during the virtual conference, Danish Maritime Authority special adviser and naval architect Erik Tvedt described how shipping companies should consider cyber attacks similarly to how they tackle onboard fires.
Inmarsat director for retail maritime Laurie Eve then highlighted the importance of crew training and shore staff in cyber risk management to prevent successful attacks.
Shipping companies have been victims of criminal-backed cyber attacks, shutting down IT networks and web portals.
Recent victims include IMO’s headquarters in London; the world’s second, third and fourth-largest container lines – Mediterranean Shipping Co, Cosco and CMA CGM, plus the world’s largest cruise shipping group Carnival Corp.