Cyber risks at sea: Getting ahead before you are adrift

John Boles and James Bickley from Navigant Consulting provide Splash readers with some useful advice.

Last year, the International Maritime Organization (IMO) released its interim cyber security guidelines, and earlier this month, The Baltic and International Maritime Council (BIMCO) published its own recommendations based on the IMO directives. These alone are concrete signs that the maritime industry is finally taking steps to secure its computer networks. Recent attacks like WannaCry and Petya have impacted the industry, showing that this move can’t come soon enough. As we have seen with the recent Maersk breach, hackers will only become more sophisticated and more disruptive in the future, and the fact that ships afloat can be directly affected magnifies the need for shoring up maritime cyber defenses.

The maritime industry remains somewhat behind others, likely for a number of reasons, including:

  • The notion of securing entire networks and systems can be daunting, leaving owners/operators to wonder where to start.
  • Cyber security can be a bit mystifying.
  • Onboard operational technology (OT) often relies heavily on supervisory control and data acquisition systems (SCADA), which are historically vulnerable.
  • The perceived costs of implementing the updates can be intimidating.

For most, where to start is the obvious barrier to building and implementing a robust cyber security program. Technology touches every aspect of business today, and the enormity of bringing a 20+-year-old system up to date can lead to inaction, which on its own intensifies the already significant cyber risks.

Four easy steps to begin developing an action plan:

  1. Assess your current cyber state.
  2. Review your policies and procedures.
  3. Create a data map of the network and of how your data interacts.
  4. Review the systems to help identify priorities: are they outdated/unsupported, and are they configured correctly?

Furthermore, for industries that have been around as long as shipping and transport, cyber risk is sometimes difficult to quantify or assess. It needn’t be. The business risks associated with cyber are simply that – risk. Risk management is nothing new to the maritime industry; cyber is just a new form of risk to be assessed, prioritized and managed. Once the cyber security assessment is complete and translated into standard business terms and concepts, it becomes measurably easier to incorporate recommendations into the go-forward business plan and strategy, especially when you consider cyber risk as a compliance spend and part of your organization’s annual budget.

Much of the technology used in shipping, sailing, loading, transport, port services, etc., is legacy, meaning older systems that are no longer supported by the software provider and, as a result, are particularly vulnerable to exploitation. Software updates are often issued to close security gaps when vulnerabilities are found, but they don’t necessarily solve the cyber risk. Additionally, many critical onboard systems are SCADA, meaning security wasn’t built into the system at the time of installation, and they remain easy targets for exploitation. Systems like propulsion, power management, and cargo management are frequently exposed, meaning the ship’s safety and operations are at risk.

Finally, the perception of significant expense can be daunting when one considers the cost of system updates and upgrades, and the expenses and lost profits ships incur when they remain in harbour. However, the same cyber security assessment can be used to develop a layered defense, protecting the highest priorities first. Much of cyber security is about doing the basics, and starting with the greatest need and building outward will enhance a ship’s security as well as keep expenses focused on the priorities.

As the IMO is set to release its new guidelines for cyber security, now is the time to take action to bring industry information security up to standards. With some planning and a strategic approach, becoming cyber secure is not as complicated as it might seem, and the benefits protect your business, customers, and shareholders alike.


  1. The article is referring to WannaCry and Petya, which were cyber attacks that didn’t affect vessels afloat.

  2. Thanks for the mention but we are now simply BIMCO, not The Baltic and International Maritime Council. Our guidelines (along with our joint working group) are actually an updated second version as we launched the first guidelines in January 2016.

  3. Lars, WannaCry and Petya are examples of a new trend in cyber threats – untargeted mass attacks. Ships, because of their legacy systems and open architecture, have considerable potential to be affected by these and other types of attacks. Being at sea only compounds the potential impact because help is so far away and may not be able to be contacted. A “wiper” virus like Petya that attacks navigation or propulsion could have significant impacts.

    But the point here isn’t specifically WannaCry or Petya, but the fact the industry as a whole is vulnerable and some basic, cost-effective steps can be taken now to prevent costly issues in the future.
