The maritime security cyber threat
Insights for the Maritime Industry from the BIMCO Annual Conference
An Interview with Andrew Fitzmaurice, CEO Templar Executives
Maritime security and the Cyber Threat was the focal point of the Baltic and International Maritime Council’s (BIMCO) Annual Conference held in Hamburg yesterday. Andrew Fitzmaurice, CEO of Templar Executives, was invited to host the event and facilitate discussions around the “significant potential for Cyber disruption” and “malicious takeover” of systems onboard ships.
Andrew Fitzmaurice is a global thought leader in Cyber Security and Information Assurance with an expert team working with governments and FTSE 100 companies; he is regularly invited to speak at industry conferences and in this article provides us with highlights from the BIMCO Annual Conference and further insights into the wider discussion around maritime security.
Q: Firstly, how did you get involved in securing the Maritime Industry from a Cyber perspective?
A: Information Assurance and Cyber Security is something which we call ‘sector-agnostic’ – Cyber attacks permeate and affect every industry, even if the industry itself is not aware yet. The Templar team has been working closely with BIMCO advising on their Cyber Security guidelines for the Maritime Industry.
The Maritime Industry is an integral part of the world economy, as 90% of the world’s trade is estimated to be carried by ship [1]. The delivery of many of our essential services would not be possible without the international shipping industry. As a result, the Maritime Industry has a responsibility to secure itself against potential attacks, including Cyber.
We are all acutely aware that the Maritime and Offshore Industry is going through a period of rapid technological development. Shipping companies are becoming increasingly reliant on technology to conduct their day-to-day operations, and are driven by the requirement to seek efficiencies and further improve the safety of both on and off-board personnel and address compliancy concerns. As a result, the Maritime Industry is rapidly becoming a component of the Internet of Things (IoT) – new assets are being built as fully connected devices and older vessels are linking systems that were never envisaged being controlled or communicated with via the internet. This is opening up companies to an unprecedented amount of attack vectors which may be exploited, especially as the Threat is growing.
To mitigate against the ‘Cyber Risk’ which this opens companies up to, and ensure survival in this space, it is imperative that shipping companies start to address the Cyber Threat. At Templar Executives we have a diverse and agile team with a proven track record in providing expertise and capabilities which can support the Maritime Industry in achieving an enhanced level of Cyber maturity.
Q: How ‘Cyber Aware’ and prepared is the Maritime Industry against attack?
A: Whilst ‘Cyber Risk’ is something which is spoken about regularly in the Financial Services and Insurance Industries, this is something which has received less traction in the Shipping Industry, despite the increasing Threat.
Events like BIMCO’s Annual Conference yesterday are succeeding in raising awareness. 91% of delegates said they would take Cyber more seriously, as a result of attending the conference. This is a great outcome but further work needs to be done to increase Cyber awareness in the Maritime Industry. The media reports on the big Cyber attacks against household names such as Sony, TalkTalk, and financial institutions including J.P. Morgan, forcing them to react and develop their education and awareness in the face of the Threat. However, the expectation is that attacks will now move to softer targets including the Maritime and Shipping sector.
A recent report by the European Union Agency for Network and Information Security (ENISA) stated that Maritime Cyber Security awareness is currently low, verging on non-existent, and that current maritime regulations only consider physical aspects of security. This low level of awareness, however, is not restricted to just the Maritime sector. Other sectors in the Transport Industry, such as the Civil Aviation Industry are also suffering from a lack of holistic awareness. From a Cyber perspective, the issue is not widely understood and in many cases not prioritised.
If the maritime community is to effectively protect its people, vessels and reputation from a determined and rapidly evolving Cyber Threat, the industry will need to drive organisational and cultural change starting with positive leadership at the Board-level.
Q: Yesterday the BIMCO Annual Conference spoke about some of the potential vulnerabilities of ships to Cyber attacks. What do you see as the big trends in this area?
A: There are a number of potential Threats which are exploiting the vulnerabilities of ships to a Cyber attack. The first and foremost being the ‘human element’. Information systems are only as good as the people who use them, and attacks can be either deliberate or accidental. A non-targeted attack could take the form of a phishing email, randomly sent to multiple email addresses – an employee or crew member, without the necessary Cyber awareness training, could activate a virus by clicking on the embedded link. The level of Cyber Risk posed by employees is significant and control measures need to be put in place.
In addition, through the sterling research of USMRC, it was found that many ships are taking unacceptable risks with their IT infrastructure. We were able to advise delegates that through the application of robust policies and procedures, coupled with expert technical advice and guidance, remediation could be quickly and relatively cheaply achieved.
Another prominent Threat is that of ‘the Insider’, those within the organisation who are able to take advantage of their access, or the organisation’s vulnerabilities. Given the international and transient nature of crews and maritime professionals, the difficulty in both vetting and monitoring personnel, and the number of third parties involved in maritime and offshore operations, the Insider Threat is of particular concern within this environment.
Lastly, there is a growing awareness of the significance of third party suppliers. Weak links in the supply chain can provide the easiest route for those who want to attack a large organisation. The importance of a resilient and secure supply chain was highlighted during the attack on Target, which cost the company $162 million to clean up [2]. Supply chain vulnerability will be a challenge for the Maritime Industry, as it is a global entity which exchanges large amounts of information between different bodies, often in regions of the world with differing security standards.
Q: How should organisations who are concerned, go about addressing this Threat?
A: Understanding the issues is key and the BIMCO event yesterday was a good example of the industry raising awareness. The event highlighted the need for education and training initiatives to be at the forefront of the Cyber agenda. Upskilling your people to address all aspects of the Cyber agenda should be seen as welcome investment, rather than a cost. Creating that Cyber awareness amongst your employees is a business enabler, providing an increased ‘return on investment’, competitive edge and reputational prestige.
Based on Templar’s experience, it is clear that there are three steps to ‘smarter’ Cyber security. These are: firstly, understanding the risk and assessing the Threat landscape you are operating within; secondly, deciding what matters – what are you trying to protect? What is important to the survival of the business? Thirdly, take action by implementing proportionate control measures. But, once these steps have been taken, don’t think the job is over. This is an ongoing process which requires continuous monitoring and improvement to stay abreast of the ever-evolving Cyber Threat landscape.
The Maritime sector has a unique opportunity to Cyber-proof its business before it becomes a victim to a serious Cyber attack. Many other sectors have only taken action after a serious Cyber incident has occurred and caused unprecedented financial and reputational damage. To put it bluntly, the Maritime sector can avoid a similar crisis by taking action now.
Templar Executives will continue to work with BIMCO and other Maritime associations, in order to strengthen the Cyber resilience of shipping companies, and ensure business prospers for the Maritime and Offshore sectors.