Just why has the maritime and shipping industry met with almost ceaseless cyberattacks?
The straightforward answer is that ports, warehouses, ships, ECDIS etc altogether combined are where the vital nodes of the global supply chain lie. Therefore, there is huge dilemma to confront, something that shipping has yet to come to grips with.
By Jaya Prakash.
But the key question to ask is why security is fundamentally, a non-negotiable criterion for ships and ports? The nature of attacks on ships is such that even an off-duty seafarer when communicating with his colleagues or his higher-ups on land, can be tripping up an opportunity for cyber criminals and cyber attacks. Thus, it is a ‘trip wire’ whether on land or at sea for the maritime industry in general, and maritime cybersecurity protection, in particular.
The commonest form of attacks is those relating to ransomware, a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access unless a ransom is paid, followed by denial of service etc.
To begin with, ships just must need digital tools. There is no question about that and again, there is nothing to negotiate about. Just for that reason and that reason only, ships must be automated. Ship compasses are digital along with gyroscopes, the ECDIS and GPS.
But the real sore point about ships and the maritime industry, is that infrastructure tends to be old, somewhat antiquated, hard to track when out in the open seas with seafarers still not used to understanding all the implications behind a cyberattack.
What has come to fore, is the lack of trained IT professionals on board ships? That now entails STCW courses to be amended to reflect ‘new realities. Just as well it also requires a new kind of software sophisticated enough to detect approaching attacks on IT and operational technology (OT) systems; and neutralising ransomware demands such that ship operators get to know where the offending attack originated from?
Importantly, there is also scope for P&I clubs to insist on cybersecurity protective cover in vessels before the issuance of insurance cover.
In the words of GARD, a company dealing in insurance for the maritime industry, cover an era of cyber everywhere, with more technological transformation, use of cloud, and broader networking capabilities towards vessels, the threat landscape continues to increase. Cyber-criminals will look to attack operational systems and backup capabilities simultaneously in highly sophisticated ways leading to destructive cyberattacks. Cyber security depends not only on how company and shipboard systems and processes are designed but also on how they are used – the human factor.
CYBER RISKS MAY NOT BE EASY TO IDENTIFY
Criminals trying to exploit the maritime industry, the vessels and their crew are well organised and continuously evolve in the way they operate. This reflects the constantly evolving nature of cyber risk in general. Approaches to cyber risk management need to be company- and vessel specific but must also be guided by requirements contained in relevant national, international and flag state regulations.
Shipowners and operators who have not already done so, should undertake risk assessments and incorporate measures to deal with cyber risks in their ship’s safety management systems (SMS) and crew awareness training. Shipowners and operators should also embed a culture of cyber risk awareness into all levels and departments in the office and on board the vessels. The result should be a flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
Most Classification societies (Class) and several marine consulting companies have issued guidelines and recommendations on cyber security onboard vessels. Class, as a Recognized Organization on behalf of Flag State authorities, may now also deliver ISM audits which include cyber risk.
Class is also offering a voluntary cyber secure class notation for verifying secure vessel design and operation and cyber secure type approval to support manufacturers with cyber-secure systems and components. As an advisor, Class may also offer cyber security risk assessment, improvement, penetration testing and training support both on board and in the office.
MANAGING THOSE ATTACKS
Just what we do with those attacks and how to spot them before they materialise, is one of the biggest ‘headaches’ for maritime handlers. But considering attacks that can shut down a system is one way of forging ahead. In other words, pay careful attention to those systems and probably hire IT experts for their guidance.
Having a cybersecurity action plan will certainly lend assurance and confidence to insurance professionals wishing to indemnify claims from companies reeling from a cyberattack. Importantly, is the need for smart tools that can sniff out potentially malicious conduct in maritime networks. Yet another as how this author suggests is to have constant networking and intelligence sharing sessions to educate owners and operators of the dangers of cyber security attack and to share best practices.
Make no mistake attacks on the information systems are attacks on supply chains. They must be contained, or we will be.