Daniel Ng and Professor Siraj Shaikh from CyberOwl question whether shipping executives really know if they are prepared to handle a cyber attack and suggest a cyber drill to find out.
So it has happened. The screens on the business PCs in the engine control room and bridge have all locked down. The computers are simply displaying a black screen with a blank pop up window. No text. There is no ransom note (yet). One of the ECDIS systems is also no longer functioning properly and keeps restarting randomly.
The vessel has entered US waters and a pilot has boarded to bring the vessel into safe harbour. The crew have also received notification from the US Coast Guard of their intention to dispatch an inspector and are anticipating a Port State Control examination when the vessel is in port.
The master is on the phone to the Technical and IT Managers, trying to follow instructions in order to rapidly diagnose the problem. But the phone line isn’t great at the moment as the vessel is currently in a position with poor connectivity. In his mind, he is working out the best way to explain what is happening to the authorities, while trying to make up contingency plans on the fly. The pressure is on to avoid a detention.
This scenario is entirely plausible from January 1 next year when the cyber security requirements set out in IMO 2021 becomes effective and as cyber attacks on shipping operations continue to increase.
“We thought we were prepared for a cyber attack and then we got a nasty surprise when one actually occurred.” This is a common reaction of those who have lived through a cyber attack.
Based on CyberOwl’s experience engaging with nearly 100 fleet operators, less than 5% of them would be able to answer a few fundamental cyber security questions when they are under pressure during a high profile cyber incident, such as: what is actually happening to the onboard systems? Are we sure we have been cyber attacked? Will it spread and how do we stop it spreading? And how quickly can we recover operations?
This is before the more complicated questions that come later during forensic analysis, such as: what has been the full scale of the impact of the cyber attack? What systems have been compromised? How did the attack actually happen? How do we prevent the same attack in future? In fact, there are some security teams that never properly answer these latter questions.
If you’re the fleet IT manager, scrambling around trying your best to quickly put fires out during such a cyber incident is not going to be a fun day at the office. One of the key decisions you are going to have to quickly make is whether you should be reporting the incident to the leadership team. If so, when do you report it and what do you say? Then, how regularly do you update them?
This is why an effective cyber risk management approach actually starts with the leadership. Recent IMO guidelines and the guidelines on cyber security onboard ships (version 3 produced by BIMCO et al) makes it very clear that “effective cyber risk management should start at the senior management level”.
So developing emergency response plans with senior management early means you’ll already know what information they expect and when.
How does your leadership team perceive the level of cyber risk in shipping? CyberOwl is working on an initiative addressing Cyber Readiness for Boards (CRfB) to uncover this, supported by the UK’s National Cyber Security Centre (NCSC) and the Lloyd’s Register Foundation. Initial findings suggest:
- a key factor that drives a leadership team’s cyber risk perception is their trust in their organisation’s ability to respond to it. If you’re a fleet IT manager, that’s you and your team. And in many cases, this is likely to be overly-optimistic. Certainly, the ability to handle a cyber attack is rarely stress-tested in shipping, unlike in some other sectors.
- the current focus for the shipping sector is on compliance. While timely, this doesn’t suffice to actually address cyber risk.
- the responsibility for cyber risk still rests too heavily on IT or HSSEQ managers.
Instead, cyber risk needs to be owned and managed as a core business risk, with ultimate accountability at the leadership level. If you are the IT or HSSEQ manager shouldering that perceived responsibility, it is in your interest to get your leadership team to understand that.
What does a cyber-ready leadership team look like? The leadership team needs to more clearly understand the cyber risks the organisation faces, ensure there is sufficient budget to ensure cyber resilience and set clear roles and responsibilities to preserve business continuity. This includes knowing what their roles are during a cyber attack crisis.
This is where cyber drills offer a useful starting point.
The concept of a drill isn’t new to shipping. Safety drills have long been a requirement either by legislation or as part of a shipmanager’s safety management system (SMS).
A scenario-based cyber exercise provides an ideal means for leadership teams to engage with and to rehearse for an effective response to a potential cyber-attack. The scenarios offer a creative license to run through both common incidents and also simulate low probability, high impact situations (also known as black swan events). It is easy to write off the need to prepare for such black swan events. And yet, Covid-19 shows us how the lack of preparedness may pose an existential threat to an organisation. Indeed, other sectors have shown how ‘doomsday exercises’ have been important to them to cope with the current crisis.
Ultimately, the goal here is to build increased awareness and understanding of cyber risks in your leadership team. It prepares them for when (rather than if) a cyber attack occurs. The drill also helps you identify ways to improve your organisation’s ability to execute effective mitigation strategies.
How would they react?
What information would they need to make decisions?
Who do you need to communicate with and when?