The maritime industry is becoming increasingly reliant on technology and data, which brings increased cyber risks.
Cyber security will only get the organisational attention needed once attitudes align to acknowledge cyber threats as a business risk.
To address the key issues facing shipowners, Riviera Maritime Media is organising the 4th Maritime Cyber Risk Management Forum, in association with and hosted by Norton Rose Fulbright, in London, 25 June 2019.
Attendance at this year's Maritime Cyber Risk Management Forum is free for qualified personnel from shipowning companies – those responsible for cyber security, compliance, IT, legal or finance functions. There are a limited number of VIP places, allocated on a first come, first served basis.
The conference programme includes sessions on regulations, compliance and risk management, shipowner and operator perspectives, threats to cyber security in ports and preventing cyber attacks. The roster of speakers includes representatives from AP Moller–Maersk, IMO, the UK Department for Transport, Tallinn University of Technology, the Estonian Maritime Academy, Norton Rose Fulbright and cyber security companies including F-Secure, Pen Test Partners and Darktrace.
AP Moller-Maersk chief information security officer Andy Powell will present a session on how to implement lessons learned from a major cyber attack. Focusing on Maersk’s experiences during and after the NotPetya cyber attack in June 2017, Mr Powell will address how the attack happened, how it was dealt with and what steps were taken, what the consequences were, what the cost implications were, and what form the follow-up to the attack took in terms of cyber threat contingency planning.
A highlight of the day will be a simulated cyber attack exercise with Tallinn University of Technology cyber emergency response team head Kieren Nicolas Lovell. Through the scenario, participants will engage, learn and discuss solutions to improve cyber resilience and security incident response plans.
Incubator and accelerator programmes have revolutionised tech innovation in other sectors, and they are now making waves in maritime.
London now rivals San Francisco as a hub for startup innovation. A recent City AM report highlighted that seven fintech unicorns – companies valued at more than US$1Bn – are based in London, compared to nine in the Californian city. As a world centre for finance and maritime business, London is well placed to promote innovation and support for startup projects.
Maritime Digitalisation & Communications' publisher Riviera Maritime Media is therefore hosting a startup session at the Maritime Cyber Risk Management Forum.
Example focus areas for eligible projects include cyber engineering, security, cyber security, software services, digital content, information security, and internet of things.
Up to four selected projects will:
Andy Powell - CISO - AP Moller-Maersk
Mr Powell has been chief information security officer at AP Moller-Maersk since June 2018 and is accountable to the chief information officer and the chief executive officer for assuring all aspects of information security and cyber security across the group’s brands.
Prior to this, he was head of the cyber security business for consultancy and technology services firm Capgemini and for IT services company CSC. In both roles he was responsible for delivering cyber security solutions for clients across all sectors.
For much of his career, Mr Powell served in the Royal Air Force as an engineering officer. He served as CIO/CISO for the RAF and was head of cyber defence operations for the UK’s Ministry of Defence.
He holds an MA in defence and strategic studies with distinction from King’s College London, an MSc in electronic systems engineering from Cranfield University, and a BSc in electrical and electronics engineering from Salford University.
Kieren Nicolas Lovell - Head of CERT - Tallinn University of Technology
Mr Lovell is head of the Tallinn University of Technology’s cyber emergency response team and works with government and companies in conducting real-time cyber exercises. He also conducts realistic exercises with the Estonian Maritime Academy to make the strategic, tactical, and operational layers of organisations understand the importance of cyber security within the maritime sector.
Prior to this, he was head of CERT at the University of Cambridge for three years, and was a lieutenant commander in the Royal Norwegian Navy, serving as a chief information security officer and as one of the Battlewatch Captains, protecting shipping from pirate threats in the Gulf of Aden. He has been on operations for more than seven years, serving on nuclear submarines, mine warfare vessels, aircraft carriers and frigates.
Cyber security is vital to ferry owning group DFDS as it introduces a new communications system on its passenger ships. In March, DFDS chose Sweden-based Nowhere Networks as its strategic supplier of fast broadband on cross channel ferries working between the UK and France.
DFDS is rolling out Nowhere Networks’ wireless antenna tracking solution on all six vessels operating the Dover-Calais and Dover-Dunkerque routes. This is after a successful evaluation of the technology and validation that it enhances passenger and crew communications, says DFDS vice president and chief information officer Gert Møller.
He tells Maritime Digitalisation & Communications that this secure radio link only works in the waters between Dover, Calais and Dunkerque, which means when these ferries sail outside these routes, such as for regular maintenance dockings, satellite communications are required.
“When sailing 40-50 km away from the ports, the radio link will fail,” he explains. “Our ferries must then rely on the VSAT.”
When DFDS ferries use Nowhere Networks’ wireless broadband there will be no detrimental impact on cyber security. “This new solution will not impair ship security,” says Mr Møller.
“We still maintain a closed satellite link for the ships’ operations, so only passenger communications will use the new radio link.” Nowhere Networks’ wireless services will provide passengers with high-quality broadband at a considerably lower cost than satellite communications.
“The radio link is terminated on a separate network, which passengers access via onboard wifi,” Mr Møller explains. “But of course, there are also the usual security measures on the radio link, such as Blue Coat filtering and we will still need to retain the secure VSAT link.”
Nowhere Networks will start installing its technology on DFDS ships to deliver high-speed internet connectivity to passengers. “We will install ship trackers on the vessels and we will place land trackers ashore in different locations,” says Nowhere Networks vice president and sales director C G Sänne. “We will complement the land trackers with offload sector antennas in the ports.”
He says these radio links and vessel tracking are managed by secure and intelligent cloud-based software. This service can be extended to more ferries in the future. “Our aim is to deliver high-speed broadband on all DFDS vessels in the English Channel before the end of Q3 2019,” says Mr Sänne.
While the maritime sector has traditionally stood apart from developments in cyber security, this is set to change and an effective cyber security policy is essential.
Traditionally, the majority of critical functions and assets in the maritime sector were physically isolated, with limited or non-existent connectivity, remote monitoring and control capabilities. This meant the need to secure maritime resources against cyber threats seemed similarly limited, or even non-existent.
The convergence of various technology trends is resulting in the maritime world experiencing an accelerated process of digitalisation. Vessels can increasingly be seen as digital ships, with a whole host of connected systems including navigation, communication, propulsion and steering – virtually any system could be connected.
Such connectivity and applying technological developments can result in benefits including reduced costs, increased operational efficiencies, enhanced safety and sustainability and reduced environmental impacts. However, increased ability to access assets remotely and increased networking creates new kinds of vulnerabilities and leads to maritime cyber risks that require addressing.
A proactive, risk-based cyber management approach is required, according to Lloyd’s Register senior surveyor Spyros Dellas.
In a presentation given to IMarEST, he explained how prescriptive approaches do not work because no two organisations in the maritime industry are the same. Cyber security approaches will therefore be company- and ship-specific, but should be guided by appropriate standards and relevant national regulations.
Even if not directly targeted, maritime organisations can end up as collateral damage – for example the significant cost Maersk suffered after being caught up in the NotPetya ransomware attack in 2017.
Threats come from a range of different actors. These include activists, criminals, opportunists, state-sponsored organisations and terrorists. Attacks can be specifically targeted or untargeted.
Companies establishing a cyber security policy must consider how much risk is acceptable, and at what cost, as Mr Dellas sees it. There are too many cyber risks for an organisation to protect against them all, so the questions that must instead be asked are which counter measures are appropriate, what is affordable to implement and what the marginal benefit per unit cost is of doing more, or less.
When it comes to protection and detection measures, senior management engagement is vital and this is where effective cyber risk management should begin, Mr Dellas notes.
Existing safety and security management practices such as Safety Management Systems and Ship Security Plans should be extended to include security.
Vulnerabilities should be identified on both the shipboard and shore-based sides of the organisation. On the shipboard side this could include:
On the shore side the ship-to-shore interface needs to be assessed, as well as the various shore-based IT support systems.
Organisations must consider both protection and detection in terms of risk mitigation measures such as defence in depth and breadth, technical and procedural protection measures, and utilising third-party services such as cyber threat intelligence services and cyber security operation centres.
And for response and recovery, procedures should be established to ensure an effective response to incidents through response and recovery plans, including investigating cyber incidents, handling losses arising from incidents, and insurance against these.
The human factor is also key, and efforts must be directed toward training personnel and developing an organisation-wide cyber security culture. Mr Dellas cited a statistic from Verizon’s 2015 Data Breach Investigations Report that 90% of all successful cyber attacks are able to succeed because of human error.
Another key takeaway is that no organisation is 100% safe, and that cyber security should be seen as a continuing process rather than a reachable goal.