Riviera Maritime Media is hosting the Maritime Cyber Risk Management Summit on 21 June in London, in association with multinational law firm Norton Rose Fulbright. Marine Electronics & Communications is the media partner for the event, which will cover the types of threats that shipowners and managers face, as well as methods for mitigating the risk. During the summit, cyber security specialists will discuss the latest best practices and technologies used to reduce the risks of a cyber security breach, and what to do in the aftermath of a successful cyber attack. Norton Rose Fulbright partner Philip Roche and Riviera’s group managing editor Edwin Lampert will co-chair the summit.
During the opening session, DNV GL subsidiary Marine Cybernetics principal specialist Mate Csorba will explain the opportunities and threats posed by the Internet of Things. Norton Rose Fulbright partner Ffion Flockhart will present the legal aspects. There will also be a panel discussion on how to mitigate the risk of cyber attacks. The panellists will be international re-insurance broker CKRe’s chief executive Martin Wright, Norton Rose Fulbright partner Chris Zavos and specialised risk management firm Stroz Friedberg’s vice president Vijay Rathour. Together they will also discuss incident response planning, data privacy, security policies and cyber risk mitigation procedures.
During the fourth session, Waterfall Security Solutions chief executive and co-founder Lior Frenkel will present the best practices for securing the perimeters of IT and communications networks. He will explain why firewalls and software-based solutions may not be effective against modern threats. There will also be an interactive session taking delegates through three cyber security scenarios. These will involve a narrative description of the incident, with various decision points at which the audience will be asked to cast votes on how they would respond, using an automated system. The results will be reviewed in real-time during the session.
In an afternoon session, maritime cyber security expert Ken Munro of Pen Test Partners will discuss the threats facing the shipping industry. In May he spoke to Mr Lampert, who asked: “Is the maritime industry slumbering when it comes to cyber security and the cyber threat?”
Mr Munro said that the security of supervisory control and data acquisition (SCADA) and control networks on board ships was generally poor. “Until recently ships had air gaps around their networks. However, ships are becoming internet connected, and passengers and crew expect to have internet access. Combine that with legacy systems – as most ships have a 30 year lifetime, and difficulty in updating software on a continuously moving target – and you have a perfect storm for security issues.”
Mr Lampert asked: “Would you agree that regulators have woken up to the threat and are going to introduce, and botch, legislation?” Mr Munro replied: “Whilst regulation can help improve security, it is not going to solve all the problems. Ships last a long time, and regulation is unlikely to apply to both existing ships and newbuilds.”
He continued: “That leaves older ships open to problems. Security is constantly evolving, and regulation can rarely keep up. Look at payment card industry regulation. By their very nature, written standards will always lag behind real-world threats and best practice by some time.”
To the question “Would you agree the biggest threat to a maritime company’s systems is not external, but its staff?”, Mr Munro answered: “Certainly staff are one of the biggest threats, whether they be malicious or simply victims. Phishing attacks, malware, ransomware and so on could all hit a ship or shipping company hard. Consider a staff member bringing in a memory stick, perhaps with the honourable intention of updating a system to the latest software version. That stick could contain some hidden malware, and then the ship control systems could become infected.”
Mr Munro was asked: “What are the greatest maritime cyber security vulnerabilities?” He replied that it was difficult to point them out. “But fixing the root causes and providing defence-in-depth strategies means that you can protect against many threats, even ones you may not currently be aware of.”
He continued: “Build in layers of defence and ensure you can spot a breach of the outermost layer quickly. Segregate the networks, making sure that systems only have the bare minimum of network (and internet) access explicitly required to function. Any extra connections increase the attack surface available to the hacker.” He added: “As always, people are going to be the biggest threat to any system.”
Mr Munro said ships present unique challenges to cyber security because of their long life in service and their complex interconnected systems, as well as the lack of dedicated IT staff or control system expertise on board them. “One of the first aspects of cyber security will be convincing shipping companies that there is a real risk before anything bad happens,” Mr Munro commented. “Manufacturers need to integrate security from the design stage onwards. Systems need to be secure and stay secure – currently we are not very good at doing that with industrial systems. Many things we thought secure 10 years ago no longer are.”
Cyprus-based EPSCO-Ra is a partner of the Maritime Cyber Risk Management Summit. It recently unveiled a daily maritime security assurance service, bringing 25 years of experience in cyber security and maritime services to deliver a full suite of managed cyber security network services.
The EPSCO-Ra Maritime Cyber Security System includes network monitoring, security information and event management (SIEM), the latest generation of firewalls, penetration testing, and vulnerability management and reporting. EPSCO-Ra also provides system maintenance and updates, and incident response and recovery services. “These will dramatically improve office and fleet network data security now and in the future,” said managing director Lance Savaria.
This suite is a scalable cyber threat protection service that can be delivered across a fleet of vessels. It offers 24/7 protection and incident response. EPSCO-Ra can also offer third-party validation of a cyber security programme. “Unlike a traditional consulting firm, we provide day-to-day security assurance through a combination of data and behavioural analysis, threat prevention, human intervention, and actionable intelligence,” said Mr Savaria.
“Our excellent reputation is based on success helping large and small maritime companies, banking, law enforcement, government agencies, and commercial businesses to improve their operations and deliver cost savings. We deliver a smart combination of cyber expertise services and maritime knowledge that is adaptable and always proactively changing to meet new threats and risks.” The company is a partnership between USA-based cyber security group Ra Security Systems and Cyprus-based maritime services company EPSCO.
Mr Csorba of Marine Cybernetics will outline the technical threats during what is expected to be a lively discussion on emerging cyber risks. He will present the opportunities and threats coming from linking onboard systems to the internet, and will explain the extent and nature of the technical threats and strategies available to shipowners for mitigating the risks. He will also present interactive case studies that contextualise current and future challenges. Part of the discussions will revolve around the technical terror threat: its evolution, present realities and future direction.
Port-IT is one of the exhibitors at the Maritime Cyber Risk Management Summit. It has introduced the Port-IT Remote IRIS service for scanning e-mail attachments for viruses. The service, which is free of charge for shipowners, scans e-mails against a database of more than 55 antivirus products. It then replies to the recipient, within 10 minutes, reporting on whether the e-mail can be trusted.
Port-IT managing director Youri Hart said ship masters can use Remote IRIS to be sure that attachments are safe. He added: “With the current rapid growth of crypto-viruses it would be good for shipping companies to add this procedure to the vessel to avoid infection of their onboard and onshore computers.”
The introduction of Remote IRIS is the beginning of a new suite of secure products that Port-IT is unveiling. The IRIS main service will be an application installed on existing maritime e-mail programs such as Globe Email, AmosConnect, SkyFile Mail and others. It will analyse messages, mail and attachments against the antivirus database. The Port-IT Remote IRIS will be free for all users, while the full Port-IT IRIS service will be free for existing Port-IT Antivirus customers, or could be purchased as a single product if a customer is using another antivirus solution.
GTMaritime is another exhibitor at the event. It has introduced an upgrade to the GTMail shipboard e-mail solution. The company designed GTMailPlus to reflect the recent evolution in maritime communications and shipowners’ focus on cost control. It provides seafarers with optimised access to online messaging as it uses a web-based platform.
Seafarers using GTMailPlus can message their family and friends from ships at low costs. Superintendents can access e-mail via an intuitive webmail dashboard, with simple configuration, policy and rule management. Owners and managers can see connection status across their fleet, including vessel position mapping, GTMaritime managing director Rob Kenworthy explained.
“GTMailPlus brings together the experience, knowledge and understanding gained over 18 years with GTMail to deliver enhanced functionality with a recognisable interface,” he added. “Shipowners and managers understand the importance of high quality shipboard e-mail and whatever satellite network they choose, they can be assured that GTMailPlus delivers a safe, secure and reliable connection.”
Seafarers could be in the firing line, or the first line of defence, when it comes to system cyber attacks. The crew could be victims or instigators, accidental or malicious, of cyber attacks or virus infections. The same could be said for engineers that come on board for updating system software.
The easiest point of entry for malware, digital viruses or hacking programs would be through a memory stick, via a USB port. These ports are found on almost every computer and mobile device, such as smartphones, tablets, and so on. They are also on bridge systems such as the electronic chart display and information system (ECDIS), where they are used for uploading software upgrades or electronic navigational chart updates.
ECDIS USB ports certainly should not be used for any other reason. But we hear accounts of seafarers using ECDIS to upload their own images from memory sticks, thus putting these critical navigation systems under malware threat. It could be the same for computers that are linked to an onboard network – they need to be protected from malware attack. Thus, seafarers could be responsible for infecting ship systems and networks without any knowledge of the act.
It should be good practice to protect onboard systems, networks and computers with firewalls, web address and content filters, and regularly updated antivirus software. Shipowners should ensure that satellite communications are cyber-secure and that onboard WiFi cannot be used, or interacted with, outside the confines of the ship. But owners should not forget the crew. Investment in general cyber security training would go a long way to reduce the risk of cyber attacks from within the company. It would certainly minimise the possibility of accidental viral infections.
© 2023 Riviera Maritime Media Ltd.