Cyber incidents and risks are a never-ending challenge for a shipping industry that is sailing towards a more digitalized future built on connectivity and data exchange. Compliance has been the talk of the town, but many seem to forget that having the right measures in place and consistently checking the company’s cyber state play an equally crucial role in building a strong cyber-secure image.
Redefine cyber security
Cyber security remains a great topic of concern for the maritime sector, as digitalization has led to connected ships, data sharing and critical information being exchanged. This means that the industry has to be ready to deal with any challenge and potential attack.
Understanding what cyber security is, is the first step.
Mr. Chronis Kapalidis, Cyber Expert, HudsonAnalytix, provides a new point of view for the industry: he proposes we redefine cyber security as cyber risk and cyber-attack as cyber incident, and explains why.
In a digital discussion hosted by ICS, Mr. Kapalidis explains that when talking about cyber-attacks, people become defensive. Therefore, he recommends that we refer to cyber-attacks as cyber incidents that may occur in the digital domain.
He adds that this perspective gives a better insight into what the industry has to be protected from.
In line with this redefinition, he proposes we redefine cyber security and refer to it as cyber risk, cyber risk assessment and cyber risk management. He highlights that this “change” will be fundamental to the level of understanding of the topic.
Explaining his propositions above, he notes that
talking about security in shipping is very reluctant.
Taking a leap from the possibility of redefining what we already know, the matter of box-ticking was put on the table.
Staying compliant: Avoid box-ticking
2021 marks the year that IMO’s Resolution MSC.428(98) entered into force, on January 1st 2021; it clearly states that companies are obliged to report any cyber risk in their ISM Code.
This regulation was the first step in the industry’s efforts to adapt to the digital era and to regulate it. Yet it has already been argued that the maritime industry is resting on being compliant, rather than focusing on effective cyber risk management.
Being compliant is one thing, but remaining vigilant and up to date with the challenges is another.
To be cyber compliant you could:
- Follow a risk penetration test, something that can easily be found online, which gives a snapshot of your company’s exposure at the time the test is run.
- Be vigilant and consistent. You may implement a resilient policy that ensures you stay on top of any risk and threat.
Providing his insight to the roundtable, Mr. Phil Morgan, a Professor (Personal Chair) in Human Factors and Cognitive Science and Director of the Human Factors Excellence (HuFEx) Research Group at the School of Psychology, Cardiff University, explained that box-ticking to understand your compliance is best avoided. There is no specific pattern you could follow that would ensure you would be 100% protected from any future cyber threat.
one thing that protects us this month, could be something else next month,
… Mr. Morgan highlights.
Build relations with your IT team
Talking the language of digitalization will help you understand the whole digital world. One way to do it is to keep in touch with the IT team.
One of the biggest drivers of a successful business is efficiency, and the ability to automate routine tasks is a great way to increase overall efficiency. The IT department is responsible for providing the infrastructure for this automation.
Foster connection and efficiency by mapping daily, weekly and monthly communication expectations for the team, as well as the preferred methods.
Stop under-reporting
It has been stated many times that the industry has a tendency to under-report the cyber incidents that take place. There is a gap between the number of cyber-related incidents that occur in the maritime industry and the lower number that are reported.
In addition, if companies are only informed of ‘big’ cyber-attacks, they will believe that attackers only target big companies, and will end up being easy victims. This denial makes companies believe that they will not be targeted because they are too small to be on the radar of a cyber-criminal.
CSO Alliance set up an anonymous reporting facility aimed at helping maritime companies report cyber incidents with absolute anonymity and confidentiality. In doing so, the Alliance helps raise awareness of the scale of the issue.
Overall, compliance is something to aim for, but implementing the right measures and keeping track of your organization’s exposure should be a priority.
Thus, don’t forget to teach your employees to be STAR employees:
- STOP: Even though the message claims to be urgent, you do have time to stop and catch your breath before you act.
- THINK: What is really happening here?
- ASK: Take the time to ask a colleague, or in this specific example: your regular contact at Gard. Is this really from you? What is my gut feeling trying to tell me? Do not ask by responding to the message itself; the attackers will assure you that everything is in order and that it is safe to do what they want.
- REPORT: If applicable, report to the party the attackers purport to represent so they may follow up. In this case, we were grateful to the correspondents who alerted us to the email. Also, report to your own IT or IT security department to help alert other users who may be targeted in your organisation. If you suspect that you may have been tricked, please remember that targeted phishing can be very hard to detect, and even security experts have been known to fall for it. It is never too late to report and get help to reduce or even fix the damage.