Turning IMO 2021 into an opportunity instead of a burden

Management teams in shipping believe cyber security is mainly a compliance problem

This is frustrating for the IT professional. But it is not really a surprise.

Management’s main concerns are driving up revenue and driving down costs. Maximise chartering at minimal expense. To run a tight ship, any investment that cannot visibly drive either of these twin goals is deprioritised. If the link is not clear, they do not believe it or they do not understand it, investing in it is a luxury. So the responsibility falls on the chief information officer or IT manager to help leadership understand the need and urgency.

But shipping IT professionals still find themselves stuck in a dialogue with management about how to do the bare minimum in order to comply with IMO 2021, instead of how to take steps to become properly cyber secure.

From our discussions with shipping IT professionals, we find only 20% are actively engaging with their management to align cyber security strategy. In over 65% of cases, the dialogue is either focused purely on compliance or related to purchasing specific cyber security solutions. This means for every 100 interactions IT professionals have with their management team, 65 of them are either discussing compliance or a point solution.

Interestingly, none of the shipping IT professionals we speak to have a relationship with management where they agree to an annual budget and make the day-to-day decisions around cyber security strategy and tactics. So management are making decisions on what cyber security controls to put in place on a case-by-case basis, rather than the IT professionals.

This mindset is based on false assumptions

The most dangerous one is that shipping is not a targeted sector. If you still don’t believe the threat landscape is shifting, then just look at the data – within the first five months of 2020, there were public announcements of cyber attacks on MSC, Anglo Eastern, OSM and twice on Toll Group. While the amount of losses in revenue or remediation costs remain guarded secrets, they have all admitted to significant interruptions in operations.

Another false assumption is that we can achieve vessel digitalisation and worry about cyber security later. The evidence is clear that this is not the case. To cite one example, a common assumption is that you can maintain separation of the business, crew and OT networks. So it should be impossible for an attacker to compromise a crew asset, then use that foothold to attack a critical business workstation or OT system.

In reality, in about 80% of vessels CyberOwl has been deployed on, we find assets connected to the business network that the IT manager knows nothing about. They have not identified them in their inventory, have no idea of their nature, did not sanction a connection and had no way of controlling or disconnecting them remotely. Sometimes it is not just one or two such assets, but 10s of them. In several cases, these unauthorised connections were later discovered to be OT devices linked to a bridge system, the engineroom or auxiliary power system.

The relationship between IT and management needs to change. IMO 2021 presents a window of opportunity to get ’air time’.

Management teams have no choice but to make sure their fleet has a cyber risk management system that complies. Instead of approaching the dialogue as a compliance issue, this is the opportunity to frame cyber security as a business issue – an enabler to deliver overall business priorities.

Whether this is business efficiency, vessel performance optimisation, remote control and management or crew welfare.

There are useful examples in recent history of leveraging compliance to strengthen overall cyber risk management. According to analysis by Marsh, companies successfully used GDPR as a catalyst, with 78% investing more in cyber security en route to GDPR compliance. A key finding in a 2019 UK Government report was that as a result of GDPR, there was a significant increase in the number of businesses putting in place quarterly updates with senior management on cyber security, intensifying cyber security training and enhancing cyber security policies. Essentially, where the opportunity was taken, GDPR had a positive effect in improving executive attention that prompted the related investments.