There has been a 400% increase in attempted maritime cyber attacks in the past year – but only 15% of seafarers receive training in this area
Training is key to reducing the human factor in cyber security risks – this was the main conclusion of Riviera Maritime Media’s Human factors in cyber security webinar.
Held on 10 June as part of Riviera’s Maritime Cyber Tech & Ops Webinar Day and sponsored by Neptune Marine Cyber Security, the panel consisted of Grant Thornton UK digital forensic partner Vijay Rathour, Neptune Cyber Inc chief executive Gwilym Lewis and University of Plymouth industrial researcher Rory Hopcraft.
Mr Rathour kicked off discussions, stating “The human factor is one of the hardest ones to govern. Cyber threats are on the increase in the maritime sector. There has been a 400% increase in attempts to attack the maritime space over the past year and a tenfold increase in attacks focused on those working from home.”
He added that a surprisingly low percentage – in the region of 15% – of seafarers received training. Indeed, he pointed out that the level of training in the maritime sector is “demonstrably lower than many other industries”.
He said “A multi-layered security approach supplemented by a strong training programme is needed.”
He singled out the threat of the social engineering risk. “How do you account for the social engineering risk, specifically a lack of concentration and awareness and training, which can bring down an entire global infrastructure?”
Explaining how to mitigate human threats, he said it starts with designing a secure infrastructure. Other factors to consider include minimising the access people have to systems and segregating those systems from one another.
Meanwhile Mr Lewis said “You need to mitigate an attack to understand what might have gone wrong and how to recover from it. A key thing with the human factor is not how to prevent – this is very important, but even more important is that when something does go wrong, have you given people the tools to recover?”
He said it was key to ensure steps are clearly understood, straightforward and as simple as possible. “It is really important to train people and that training has to be relevant, done at the right level and something that is repeated.”
Singling out the threat of phishing attacks and how to defend against them, he said technology must be set up correctly, including segregating the network and, where possible, completely separating the network the crew uses to access the internet.
Also important to protect against a phishing attack is training. Mr Lewis said “Training is massively important, but it must be contextual, relevant and make sense to those receiving it, so don’t let it be a box-ticking exercise, it needs to be at the right level for the right person.”
Mr Hopcraft said “There needs to be a multi-layer approach to risk management; people, technology and procedures interlink and that is where training is crucial, so that people understand how all these pieces work together to make a safe and secure environment.”
He explained that training needed to be targeted at different groups of people. Support-level staff need a more basic, broad level of training, while those at the operational level, who have more responsibility, need training that is more specialised, including which systems work with which and how they interact with other systems. Those at manager level need to understand all systems in a ‘holistic’ way, so that if something happens they can react almost instantly.
Mr Hopcraft underlined the fact that one size does not fit all for training. “The company needs to think about their IT systems, the vessels they run, their specific conditions… all these things affect how digital systems work and how to react to cyber incidents.”
He warns “Attackers are going to be specific, if you have something they want, you will be a target for them. If you carry high-value cargo you could become a target, if you deal with a lot of data, you will be a target for a different set of attackers.
“There is no silver bullet for training, it needs to be specific for the company, people and operations.”
The panellists gave their key conclusions. Mr Rathour said “My takeaway is train your people as it is inevitable people will try to break into your systems and whether or not they are successful is very much down to you. It is unfair and irresponsible to leave staff without the skills they need to respond in a considered and reasoned way.”
Mr Lewis said “It is important for everyone to consider the holistic view of cyber security… Ask the question, have we thought about cyber security?”
Mr Hopcraft summed up “Training needs to be adaptable and specific to your people and operations.”
The webinar’s audience was asked in a poll if they plan to allow staff to work in a hybrid teleworking fashion. A huge 69% said yes, while 16% were undecided and 15% said no.
Asked if their remote working security was as safe as office security, 55% said yes and 45% said no.
Asked whether they plan to undertake a risk assessment for teleworking given the new risks, 26% said this had already been done, 58% said it was planned but not yet done, and 16% said they had no plans.
The audience was asked if they were aware of a cyber incident taking place in the past 12 months. The majority of respondents said they were aware of an incident in someone else’s shore-based systems or on someone else’s vessel, with only 8% having experienced a cyber incident on their own vessel.