Security needs to include firewalls, antivirus, crew training and segregating onboard OT from IT networks
Container shipping lines must bolster cyber security as hackers target the sector and companies with large fleets fall victim to successful cyber attacks.
Neptune Cyber chief executive Gwilym Lewis said cyber security “needs to be cross-functional and include input from captains, IT, engineering, legal and finance” teams.
“It must have genuine authority. If it does not have the power to change behaviours it will be useless,” Mr Lewis said at Riviera’s Cyber security: minimising cost and disruption after a cyber event webinar, on 6 August.
Heightened security is needed because of the increased frequency with which shipping companies are threatened by malware and hackers. “Successful maritime attacks are happening on a regular basis, even if they are not openly reported,” said Mr Lewis. These can affect companies’ IT networks, servers and customer website portals.
As more ship operational technology (OT) is connected to the internet, hackers could gain access to ship navigation, engine controls or loading computers. OT must be separated from onboard IT networks to reduce security breaches and prevent further damage.
In most cases, cyber attacks target the human element of organisations, which is why Mr Lewis believes training seafarers and shore staff is vital for cyber protection.
“Human factors play a key role as many attacks start with crew unintentionally doing something they should not,” said Mr Lewis. One quick fix for container ship operators is to prevent crew from charging their own mobile devices using ports in the OT. Others are upgrading firewalls, patching software, updating antivirus software and regularly changing passwords.
Operators can also provide training on how to detect potential cyber events and breaches through emailed attachments or links.
Mr Lewis said companies also need effective disaster recovery plans for when a cyber attack gets through defences. “Companies need good emergency recovery. Even the simplest plan is better than no plan at all,” he said.
“These plans cannot just be a boilerplate box-tick exercise as it is a very safe bet it will be needed one day.” These plans need to cover many possibilities. “It should assume the worst,” said Mr Lewis. “Whatever you think cannot possibly happen, probably will”.
He gave an example of a cyber event on a ship to illustrate how obscure attacks could be. Hackers got through the onboard refrigerators that were linked to the internet for temperature monitoring. Malware tampered with the fridge controls and the food stored within was spoiled, forcing the master to make an unscheduled stop to resupply.
Because of the constant changes in attack vectors and vulnerabilities, these response plans need to be flexible enough to adjust. “Response plans need to be a living and breathing document,” he said. “It must be constantly updated as cyber threats evolve on a daily basis, vessel systems and technology get upgraded, thus the plan needs to keep pace too,” said Mr Lewis.
Crew need to be educated on the response plan and “a cultural change needs to be implemented, such as preventing seafarers plugging devices into the ship systems,” he said. Implementing cyber security costs money, but this should be considered a critical precaution compared with the costs of having to recover from a successful attack that destroys IT systems and company reputations.