Experts at the Safety first: maritime cyber security webinar discussed the challenges shipowners face in balancing compliance, functionality and cost, preparing for IMO certification and assigning cyber security roles and responsibilities
To start, the panellists -- CyberOwl chief executive Daniel Ng, Inmarsat Maritime retail director Laurie Eve and University of Piraeus cyber security associate professor Nineta Polemi -- acknowledged the importance of bringing cyber risk management into the ISM code but said true cyber safety requires owners, operators and managers to look beyond compliance.
Discussing IMO resolution MSC.428(98) and the requirement that all shipboard safety management systems must be documented as having included cyber risk management no later than a vessel’s first annual Document of Compliance audit in 2021, Mr Eve offered an overview of the IMO 2021 guidance for shipping.
Vessel owners, Mr Eve said, should be in no doubt that they will face enforcement of the guidance by port state control authorities such as the US Coast Guard.
“Ships could be detained and owners fined for noncompliance,” he said. “Shipowners need to demonstrate they have considered the risk and what to do if there are issues.”
Ships should have certification and documentation to show auditors and port state control inspectors, but compliance with IMO 2021’s cyber guidelines requires owners to understand each vessel’s cyber risk.
“There is no silver bullet, no definitive checklist,” said Mr Eve. “It depends on a ship’s cyber risk, so [owners and managers] need to have a risk management approach.”
One element of the IMO guidelines requires shipowners to identify a chief security officer both on board ships and in company offices.
Ultimately, Mr Eve said the guidance is there to improve awareness on ships of cyber risks and security, and that shipping needs to look beyond compliance for effective cyber security by getting a better understanding of vulnerabilities for onboard hardware, software (IT) and operational technology (OT), and to ensure there are back-ups of critical hardware and data. Mr Eve also advised owners to conduct third-party penetration testing of cyber security, update firewalls and antivirus and add endpoint security, such as Inmarsat’s Fleet Secure Endpoint.
“Ensure software and IT are up to date,” Mr Eve advised. “Plan to run exercises and review software continuously, especially if new systems are introduced, and continue training people, including the crew to be cyber aware.”
CyberOwl’s Mr Ng explained how his company’s recent survey of 50 fleet operators found good implementation of some of the IMO 2021 requirements and cyber risk management.
He said owners, operators and managers had started training employees and set up “aspects of emergency plans” but much still remained to be done.
“They are still struggling at incident readiness and are not monitoring for attacks on shipboard systems,” Mr Ng said.
Some shipowners do not have people in place to deal with cyber security and they are not performing drills or stress tests.
Another worrying issue is the number of onboard systems still connected to vessel satellite communications, “OT that should be air-gapped but are unknowingly connected to the vessel business network,” he said.
These include loading computers, closed circuit television systems and engine monitoring and alarm systems.
“These are critical systems with loading computers linked to the ballast system for example,” Mr Ng said. “Controls need to be in place. Engine monitoring systems should be air gapped.”
CyberOwl also examined shipboard computers looking for unwanted and potentially dangerous programs, which are regularly installed.
“The top offender is PDF editing software,” according to Mr Ng. “In shipping there are a lot of documents and often they come in PDF format, and need to be edited and sent back to offices.”
If owners have not installed official software for PDF editing, crew will seek to upload free and potentially hazardous programs “just for the job they need to do”, said Mr Ng.
Other unwanted programs found in onboard computers have been gaming, image editing and messaging software.
“These do not have levels of security and could be back doors for malware,” he said.
At the end of his presentation, Mr Ng posed three questions for owners, operators and managers to ask their teams, to test their readiness for handling a cyber attack on shipboard systems: whether crew have discovered any surprising cyber risks; whether they know when a cyber risk arises; and which is the weakest part of an organisation or vessel’s incident response plan.
“Surprisingly, more than 70% rely on email for distributing information about cyber attacks, but email could be taken down if cyber risks arise,” Mr Ng said. “The answers to these three questions will tell organisations their level of preparation,” he added.
Ms Polemi covered some of the maritime supply chain’s cyber challenges during her presentation, noting the importance of collaboration across the supply chain in order to strengthen cyber security for all involved.
“There are a plethora of partners and assets, so how can we secure all these supply chain services?” she asked. “It is difficult to estimate and mitigate supply chain risk and difficult to respond if there is a cyber attack propagating through the supply chain.”
Some of the challenges come from multiple sets of guidelines and standards for cyber risk management and security in various segments of the supply chain for shipping, ports and other transportation modes, Ms Polemi said.
“There needs to be holistic, step-by-step guidelines for the maritime supply chain,” she said. “We need harmonised methods and comprehensive tools to further secure supply chain services.”
All those included in a particular supply chain would need to implement cyber security to agreed standards and guidelines and share responsibility for the exercise to work, according to Ms Polemi.
“Every stakeholder needs to take their burden to securing assets and services. Vendors need to take responsibility with cyber security. There is no way maritime can deal with it all,” she noted, pointing out that this includes obtaining security verification for onboard systems and certification for supply chain services.
Ms Polemi called on regulators, such as IMO and European Union, to collaborate on guidance and compliance requirements.
“It is challenging to enhance collaboration and sharing threat intelligence and incident handling,” she said.
Asked what they thought were the biggest challenges they face while implementing cybersecurity measures on vessels, some 28% of webinar attendees said it was OT and IoT networks, with 25% thinking it was operational challenges. Another 19% said personnel, with 13% thinking it was costs, 6% administration, 6% installation and just 3% said identifying the right software.
Attendees were also asked how prepared they were for IMO 2021 cyber security requirements. Only 11% said they were completely ready and 5% thought they had not started. Some 12% said they were 10% ready, 14% said they were a quarter along the way, 40% said they were halfway prepared and 18% said they were 75% prepared.
Attendees were then asked in which areas they thought they were least cyber prepared. In a tight race, 28% said their ability to identify a cyber risk in good time and 25% said an accurate view of shipboard hardware and software inventory, another 19% thought it was having a cyber risk assessment they could trust, 15% said having clear cyber security responsibilities between ship and shore and 13% said reliable contingency plans for operations.
In a final poll question, attendees were asked when cyber security training was last conducted for their crew members. Surprisingly, 35% said training had never been done, another 23% said it had been done, but more than a year ago, 16% said it was conducted 6-12 months ago and 26% said in the past six months.
Concluding the webinar, Inmarsat’s Mr Eve highlighted that one of the keys to improving cyber security was training personnel. “Crew awareness is crucial. Training needs to be conducted, refreshed regularly and evolved to prevent malware from gaining a foothold on board,” he said.
Panellists at Riviera’s Safety first: maritime cyber security webinar were (left to right): CyberOwl chief executive Daniel Ng, Inmarsat Maritime retail director Laurie Eve and University of Piraeus cyber security associate professor Nineta Polemi.