Shocking statistics published yesterday show just what a soft target shipping is for for hackers.
A survey of nearly 6,000 active seafarers carried out by consultancy Futurenautics has shown 47% of repondents said that they had sailed on a vessel that had been the target of a cyber attack. Moreover, only 15% of seafarers had received any form of cyber security training. Just as alarming only 33% of seafarers said the company they last worked for had a policy to regularly change passwords onboard and just 18% of those polled said the company they last worked for had a policy to change default equipment passwords onboard.
The results were published yesterday and carried in Futurenautics’ latest 52-page Crew Connectivity report.
“The survey reveals once again that seafarers are a highly IT-literate workforce, but they are being hampered by lack of training, policies and leadership from industry stakeholders around cyber resilience and security. Properly resourced our seafarers could be a formidable line of defence, but too few are being given the right tools to keep themselves and the wider maritime ecosystem safe,” Roger Adamson, CEO of Futurenautics Maritime, told Splash today.
Commenting on the survey, Splash columnist Kris Kosmala said: “Unfounded belief that ship’s systems are so disconnected so as not to pose risk of a serious hack will only prolong laissez-faire attitude among shipowners and managers toward training and response testing.” Kosmala, vice president at software firm Quintiq, added: “Attitude change will take time and maybe some unexpected dramatic hack that will drive the point home.”
The detailed survey also carried plenty of interesting data about how connected ships are becoming.
More seafarers than ever before have access to connectivity and communications. Seafarers who can now use the internet at sea has increased by 527,000 since the last survey in 2015, and those who can access it for free has increased by more than 200,000.
Also of note, 53% of seafarers are now reporting that crew communications have led to a decline in social interaction onboard.
“Whilst connecting crew is unquestionably a good and smart thing to do, offering unlimited Internet access is not a panacea,” wrote Futurenautics’ K D Adamson in a foreword to the report.
The survey also found that more than half of all seafarers had seen at least one element of their role automated in the last two years. 98% said this had had a positive impact on their role.
75% of seafarers said the level of connectivity provided onboard did influence which ship operator they worked for. 92% said it had a strong or very strong influence on who they worked for—a rise of 14%.
The crew communications services most wanted by seafarers, and not currently provided, were free in-port WiFi, a global low cost roaming SIM card and a low cost satellite phone.
How do you define an attack?
The Futurenautics report raises some valid points about the shipping industry’s susceptibility to a malicious cyber-attack. Yet while the human factor is arguably one important element, it is not the only contributing factor here. There are other dimensions that need to be addressed, such as the lack of systems capable of detecting suspicious activity in real-time and blocking an internal or external attack.
Admittedly, acknowledging that humans are not infallible and will always make mistakes, no matter the level of investment in cyber awareness training, is a first and important step. But only by removing the human element altogether can we really start to protect PC-based systems from a cyber security incident. Any effective and reliable solution therefore must be one that completely extricates the human element. There should be zero human intervention.
Cyber-attacks can be carried out from external sources, through the internet, cellular devices, cloud-based servers, for example, and internally, via technical repairs, downloads/uploads, USBs, charging of cell phones and other devices. The attack itself might be dormant and occur hours, days, months after systems have been infected. So, any defence mechanism has to cover all breach eventualities, while providing a consistent level of protection – even when the systems onboard are not connected to the internet or cellular device.
Any defence system must be operate in real-time, block the threat and provide an immediate alert to the vessel’s crew and HQ when anomalies are detected. This will mitigate against the risk of system failure or data tampering, and enable immediate response. It also removes the human element.
As an aside, it is interesting that while industry association BIMCO has begun to investigate the need for a cyber security clause in Charter Party agreements, there is currently no cyber attack reporting scheme, where shipping companies can anonymously report such incidents. Like the CHIRP system for the confidential reporting of safety incidents, such a scheme for cyber security breaches would be invaluable in understanding the true scale of the problem, better our defence mechanisms and allow us to predict what the next virus may be.