'Prevention is better than cure' applies in cyber security as elsewhere, and a panel debate on how cyber attacks can be prevented will form one of the highlights of the Maritime Cyber Risk Management Forum in London on 25 June.
Royal Holloway, University of London Information Security Group’s Professor Keith Martin, a member of the panel which will focus on the role of human error in cyber security, shared his views on maritime cyber risk in advance of the Forum.
Professor Martin is director of the Engineering and Physical Sciences Research Council’s Centre for Doctoral Training (CDT) in Cyber Security for the Everyday, which supports PhD students working in both technical and social aspects of cyber security and currently has an active research project focusing on maritime cyber security.
The panel is titled ‘The weakest link: The role of human error in cyber security’ and will address issues including the importance of crew awareness, what tools are available for training seafarers and shore staff, resources and capabilities of companies, collaboration with other companies, and shipowners’ legal obligations.
While Professor Martin sees the human factor as being crucial to cyber security, he does not necessarily agree that it is the weakest link in the chain, explaining “To me, this suggests that humans are at fault, when I think the bigger mistake is to design a system that does not take the likelihood of human error into account.”
He explains that while most of the core issues in cyber security are general ones that apply across all areas, there are some unique aspects of the maritime sector. “The highly heterogeneous technological environments that exist in the maritime sector make [cyber risk] a particularly difficult issue to address.
“This is accentuated by widespread use of legacy equipment and the dynamic nature of staffing on board vessels.”
Professor Martin also sees maritime as lagging behind many other sectors in appreciating cyber risk. “In the last few decades almost every sector has come to rely more and more on aspects of cyberspace.
“Phones, cars, and power stations have all become computers – it just seems to have taken us longer to realise that ships have also become computers.”
While the sector has at least started having the necessary conversations about cyber security, there is still a long way to go in Professor Martin’s view, with a lot of catching up required in developing regulations, standards and awareness, among other areas.
He has called for IMO to more effectively regulate maritime cyber security, but any such regulation will need to address questions regarding what maritime has in common with, and where it differs from, other areas, and also what stakeholders are involved. It is not as simple as looking at the approach taken in other sectors and transposing it to maritime; while the maritime sector shares some features with the aviation industry, for example, there are also many key differences, Professor Martin notes. And stakeholders involved in maritime span both land and sea, with vessels increasing reliant on land-based infrastructure and technology, he adds.
“By far the most important first step that needs to be taken is for shipowners and seafarers to become aware of how much they now rely upon cyber security,” he says.
“Cyber security needs both a "bottom up" and "top down" approach, but if the stakeholders themselves are not concerned about cyber security, it is hard to see how real progress will be made.”
The Maritime Cyber Risk Management Forum will take place in London on 25 June 2019 and provides an unrivalled opportunity for 100 key maritime industry stakeholders, including shipowners and C-level decision makers, to analyse the sector's cyber security preparedness.
Tickets can be booked online and are free for qualified personnel from shipowning companies, or available for puchase for interested parties who do not work for shipowners.