Being a shipping IT professional can be frustrating. You recognise the need to invest further in cyber security, but your management team still treats it as a 'compliance problem'.
This is a result of the way cyber security has been presented to leadership. The dialogue needs to change, and IMO 2021 offers a rare opportunity to reposition cyber security as an enabler of the wider business objectives rather than a cost of compliance.
At our recent virtual conference CyberSecure at Sea we asked approximately 120 shipping IT professionals what was holding them back from rolling out cyber security controls. About 50% mentioned the struggle to convince their management teams they are spending wisely on cyber security or that investing in additional resources to manage cyber risk is required at all. It is clear there is a misalignment between what IT professionals know is needed and what leadership believes is the risk.
Management teams in shipping believe cyber security is mainly a compliance problem
This is frustrating for the IT professional. But it is not really a surprise.
Management's main concerns are driving up revenue and driving down costs: maximise chartering at minimal expense. To run a tight ship, any investment that cannot visibly drive one of these twin goals is deprioritised. If the link to revenue or cost is not clear, or leadership does not believe or understand it, the investment is treated as a luxury. So the responsibility falls on the chief information officer or IT manager to help leadership understand the need and the urgency.
But shipping IT professionals still find themselves stuck in a dialogue with management about how to do the bare minimum in order to comply with IMO 2021, instead of how to take steps to become properly cyber secure.
From our discussions with shipping IT professionals, we find only 20% are actively engaging with their management to align cyber security strategy. In over 65% of cases, the dialogue is either focused purely on compliance or on purchasing a specific cyber security solution. In other words, roughly two out of every three interactions IT professionals have with their management team are about compliance or a point solution, not about risk.
Interestingly, none of the shipping IT professionals we speak to have a relationship with management where they agree to an annual budget and make the day-to-day decisions around cyber security strategy and tactics. So management are making decisions on what cyber security controls to put in place on a case-by-case basis, rather than the IT professionals.
This mindset is based on false assumptions
The most dangerous one is that shipping is not a targeted sector. If you still do not believe the threat landscape is shifting, look at the data: within the first five months of 2020 there were public announcements of cyber attacks on MSC, Anglo Eastern, OSM and, twice, on Toll Group. While the amounts lost in revenue or spent on remediation remain closely guarded, all of them have admitted to significant interruptions to operations.
Another false assumption is that we can achieve vessel digitalisation first and worry about cyber security later. The evidence is clear that this does not work. To cite one example, a common assumption is that the business, crew and OT networks are kept separate, so that an attacker who compromises a crew asset cannot use that foothold to reach a critical business workstation or an OT system. That assumption only holds if the separation actually exists and is continuously verified.
In reality, on about 80% of the vessels CyberOwl has been deployed on, we find assets connected to the business network that the IT manager knows nothing about. They are not in the asset inventory, their nature is unknown, their connection was never sanctioned, and there is no way to control or disconnect them remotely. Sometimes it is not one or two such assets but tens of them. In several cases these unauthorised connections were later found to be OT devices linked to a bridge system, the engine room or the auxiliary power system.
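The check the preceding paragraph implies, reconciling what is actually talking on a network against what the inventory says should be there, is straightforward to automate. The script below is an added example written for this article; it is not CyberOwl's tooling and not from the original text. It assumes a Linux gateway routing the three segments, whose `ip neigh show` output lists every IP/MAC pair the gateway has seen, and it uses a constructed inventory, address plan and neighbour table. It reports two findings: a MAC that is not in the inventory at all, and an inventoried device seen on a segment other than the one it is assigned to (the segregation assumption failing in practice).

```python
"""Reconcile a gateway's neighbour table against a vessel asset inventory.

Added example for illustration; not CyberOwl code. All data below is constructed.
"""
import ipaddress
import re

# Constructed inventory: MAC address -> (hostname, segment it is supposed to live on).
INVENTORY = {
    "00:11:22:33:44:01": ("office-ws1", "business"),
    "00:11:22:33:44:02": ("office-ws2", "business"),
    "00:11:22:33:44:10": ("crew-wifi-ap", "crew"),
    "00:11:22:33:44:20": ("ecdis-1", "ot"),
}

# Constructed address plan: one /24 per segment (hypothetical ranges).
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "crew": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed `ip neigh show` output from the gateway. Entries without an
# lladdr (FAILED/INCOMPLETE) never resolved to a MAC and are ignored.
NEIGH_TABLE = """\
10.10.0.11 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
10.10.0.12 dev eth1 lladdr 00:11:22:33:44:02 STALE
10.10.0.77 dev eth1 lladdr 00:11:22:33:44:20 REACHABLE
10.10.0.78 dev eth1 lladdr aa:bb:cc:dd:ee:01 DELAY
10.20.0.5 dev eth2 lladdr 00:11:22:33:44:10 REACHABLE
10.20.0.9 dev eth2 FAILED
10.30.0.3 dev eth3 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return [(ip_address, mac)] for every resolved neighbour entry."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # no lladdr on this line, nothing to reconcile
        entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower()))
    return entries


def segment_of(ip, segments=SEGMENTS):
    """Name of the segment whose subnet contains ip, or None if outside the plan."""
    ip = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if ip in net:
            return name
    return None


def reconcile(entries, inventory=INVENTORY, segments=SEGMENTS):
    """Compare observed (ip, mac) pairs with the inventory.

    Returns a list of (kind, ip, mac, detail) tuples where kind is
    'unknown-asset' (MAC not inventoried) or 'segment-mismatch'
    (inventoried device seen on a segment it does not belong to).
    """
    findings = []
    for ip, mac in entries:
        seg = segment_of(ip, segments)
        known = inventory.get(mac)
        if known is None:
            findings.append(("unknown-asset", str(ip), mac, seg))
        elif seg != known[1]:
            hostname, expected = known
            findings.append(("segment-mismatch", str(ip), mac,
                             f"{hostname} expected on {expected}, seen on {seg}"))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, detail in reconcile(parse_neigh(NEIGH_TABLE)):
        print(f"{kind:17} {ip:12} {mac}  {detail}")
```

On the constructed data this flags the ECDIS appearing on the business subnet and two MACs that the inventory has never heard of, one of them on the OT segment. Running the same reconciliation on a schedule, against a gateway you actually control, turns "we assume the networks are separate" into a fact you can show management alongside the compliance paperwork.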
The relationship between IT and management needs to change. IMO 2021 presents a window of opportunity to get 'air time'.
Management teams have no choice but to make sure their fleet has a cyber risk management system that complies. Instead of approaching the dialogue as a compliance issue, this is the opportunity to frame cyber security as a business issue, an enabler of the overall business priorities, whether that is business efficiency, vessel performance optimisation, remote control and management, or crew welfare.
There are useful examples in recent history of leveraging compliance to strengthen overall cyber risk management. According to analysis by Marsh, companies successfully used GDPR as a catalyst, with 78% investing more in cyber security on the way to GDPR compliance. A key finding of a 2019 UK Government report was that, as a result of GDPR, significantly more businesses put in place quarterly cyber security updates to senior management, intensified cyber security training and strengthened cyber security policies. Where the opportunity was taken, GDPR raised executive attention, and that attention prompted the related investments.