Discussions at the 8th Singtel Maritime ICT Roundtable, which were moderated by Tanker Shipping & Trade editor Edwin Lampert, confirmed that cyber security is no longer a marginal issue
To get the ball rolling on the 8th Singtel Maritime ICT Roundtable, participants were invited to rank the maritime cyber security threat on a scale of 0–10 and to offer general comments on ‘industry awareness.’ BIMCO’s general manager in Singapore Maite Bolivar Klarup put industry awareness between five and six. “In the past 12 months, we have seen the emergence of an industry that is more aware, more vigilant and more alert to the risk of cyber-attack,” she said. But she cautioned that “even though we are more aware, as an industry we don’t fully understand the financial or security implications of a severe cyber-attack.” Closing this knowledge gap is now a focus for BIMCO.
Eastern Pacific Shipping’s joint head of IT, Max Wong, put industry awareness at about seven. He said this high score was partly explained by industry’s focus on ‘connectivity.’ What is key, he added, is that in focusing on ship connectivity, and ship-to-shore connectivity, industry does not lose sight of the fact that crew can set up individual connections between ship and shore, such as by buying a SIM card while on shore leave. This means there should be increased emphasis on having “a proper process to identify such risks, proper measures to counter them, and the ability to do close-incident measurements.”
Deputy managing director of Bernhard Schulte Shipmanagement (Singapore) Capt Raymond B Peter agreed that industry awareness had increased, but said ship staff and visitors to ships were vulnerable. Another concern is coping with the volume, speed and different angles at which operations can be subject to cyber-attack. He cited software updates for electronic engines as a potential vehicle for attack, and referred to “the dysfunctional relationship between hardware and software vendors.” Capt Peter added: “At a recent seminar, I heard there are two types of people in our industry: one who is being hacked and the other who is waiting to be attacked.”
The argument that there are different levels of cyber-security consciousness and preparedness in the industry led Singapore Maritime Academy deputy director Capt Lim Yuon Fatt to rank industry awareness around four. He highlighted the importance of training in this area to educate staff and heighten their awareness of the dangers of cyber threats. He encourages organisations to educate staff and put in place measures to minimise risks.
Striking a positive note, Mr Wong said that thanks to the emergence of data analytics, things are a lot safer than they were two years ago. “In 2014 we implemented a new-generation firewall and that is doing its job, although there are no grounds for complacency. Services and satellite providers needed to paint a clearer picture of whether your web traffic is hygienic. As an industry, we could do more to share our operational experiences of hacking for the greater good.” To benchmark internal cyber-security awareness, Eastern Pacific Shipping sent fake emails to its ship and shoreside staff and monitored click-throughs. “After each email, we would do an awareness campaign and then repeat the fake email exercise. It worked: we did see the click rates come down,” Mr Wong said.
An interesting view from the floor was that crew – perhaps because of their working environment – did tend to be more responsive when told not to download or visit a site.
Shore-side staff could be a little bit more blasé. Singtel’s head of satellite communications Lim Kian Soon said that ensuring that customers did not have to field cyber-security risks was the focus of Singtel’s strategic tie-up with Inmarsat. Here Singtel, through its cyber security arm Trustwave, is integrating its unified threat management software with Inmarsat’s high-speed broadband solution, Fleet Xpress. Mr Lim reminded those present that developing systems came with a financial cost, and that advanced services such as high-speed broadband must be paired with high-speed security. “That said, because we have critical mass we expect to deliver a scalable service that will allow customers to access our services at the right price point for them.”
In wider discussion, the audience called for a better definition of training. Everyone has their own idea of training, but what does cyber-security training actually mean? For Capt Peter, an important component is ensuring that the quality of the trainers can be independently verified. OSM Ship Management’s Steffen Tunge cautioned against subjecting staff to long classroom-style training sessions. “One way to get awareness on board is to have a downloadable app for crew, with perhaps a questionnaire that crew can use to benchmark their awareness,” he said.
Capt Raymond B Peter, deputy managing director, Bernhard Schulte Shipmanagement
Lim Kian Soon, head, Satellite, Singtel
Edwin Lampert, editor, Tanker Shipping & Trade (Moderator)
Too Shiun Jye, chief executive officer, Asean Cableship Pte Ltd
Max Wong, co-head of IT, Eastern Pacific Shipping
Capt Lim Yuon Fatt, deputy director, Singapore Maritime Academy
Maite Bolivar Klarup, general manager, BIMCO
Freddy Tan, director, Enterprise Architect (Security), NCS
Riviera Maritime Media will be holding a European Maritime Cyber Risk Management Summit on 20 June 2017 in London. This will be a one day event that addresses cyber security management in the maritime industry from operational, technical, training, insurance, regulatory and legal standpoints.