If we want smart shipping to be adopted broadly in the industry, we need to look at three elements. The first is effectiveness: smart shipping needs to address the profit margin, and if it contributes to increasing profit, it will be adopted in the industry. The second element is trustworthiness: shipowners and everyone within the industry need to know that the systems being introduced by several companies or consortiums, as we have already seen, are trustworthy and will not cause business interruption events. The third is safety and security, which is a key issue. Most of these ingredients have technology embedded in them.
According to the World Economic Forum, cyber security has over the last years been the first non-natural threat in the global risk landscape. This is only going to get worse because of rising cyber dependency. Everything that we do has a cyber element.
But it is important to understand how we conceptualize cyber security: what do we think cyber security is? Cyber security touches us, because we are the weak link. All of us have smartphones, and they know everything about our personal and professional lives. So, we first need to understand how we will be protected, and then how we will protect our industry. How many of us use our date of birth or our daughter’s name as a password? Because hackers know all this information about us, they take advantage of it and cause problems for us and our professional lives. And because other technologies are coming into place over the years to come, this is only going to get worse.
The industry is not very aware of the issue. It needs, at the very least, to become more proactive, because it has to understand one thing: how cyber security affects everyday operations, and how you should start to look at cyber security as an internal investment. Investing money in cyber security will benefit your organization.
But is the industry a target? Well, there are several examples out there. From 2010 to 2011, a Greek shipping company suffered the most successful pirate attacks in Somalia. Out of 11 attacks conducted, 8 were successful. The company did some research within the organization, and it turned out that the pirates in Somalia had hired hackers to gain access to the company’s systems to identify the most valuable targets. Do you know how these hackers gained access to the company’s systems? They got into the systems through WiFi light bulbs. The shipping company in Greece wanted to have the latest gadget, so they installed WiFi light bulbs in their offices, but they never bothered to change the username and password, which were admin and admin. Through that vulnerability, the hackers were able to gain access to all the information they needed.
Also, the USCG recently issued a warning that cyber adversaries (we have an indication that they are probably nation states) are targeting the shipping industry, not only by trying to send phishing emails; they have also created malware designed to attack ship-based systems. So, it is not only the IT, it is not only the emails that we get; it is malware specifically targeting the systems onboard ships.
There is a variety of factors. Up to now, we knew that the industry was primarily attacked for financial gain, but we are seeing that this is evolving, and people are looking to cause business interruptions apart from financial gains.
Of course, there are new digital trends coming to the industry, from e-platforms and advanced analytics with augmented reality to autonomous vessels, which is a huge discussion, and of course blockchain. All of these elements have a cyber ingredient that we need to focus on to protect ourselves. The best way to do that is by adopting cyber security by design. When you start conceptualizing these new technologies, take cyber security into consideration from the very beginning. Even when building new ships, try to see how cyber security can become part of the whole design.
To illustrate what the actual threats are, Hudson assisted with research that I conducted at Chatham House, a research institute in London. We tried to identify what is actually at stake when we talk about cyber security in ships. We did a system-of-systems analysis: we identified the important components within a ship, and we examined their vulnerability to a cyber incident, the potential consequences and the affected fields. We did the same thing for ports. What I want you to see is that we were initially impressed, because the number of high-vulnerability components on a ship is relatively low now. But if you take into consideration the digital trends that are coming into the shipping industry, I can tell you for sure that this number is only going to increase in the future. The other important point, when we look at the affected fields (data, physical, environment and people), is that most of the components, if they do get affected, will have an imminent effect on the physical element of the ship or the port. So, cyber security is not only about protecting the information part that we don’t see; we need to focus on cyber because an incident will have some sort of physical consequence, and it needs to be well protected against that as well.
The IMO has said that as of January 2021, the industry should implement cyber security policies in the ISM Code, and that it needs to do so by adopting a risk-based approach. But who owns this cyber risk? I can tell you for sure that it is everyone within the organization. It is not IT’s responsibility. It starts from the very top and goes down to the last employee within an organization. Everyone has a role to play in this, and understanding what the risk entails is the first step.
It is important to identify why you should invest in cyber security. The first reason is that you will minimize your technology risk. But the second and most important one is that you will minimize your insurance risk. We are now working together with AON not only to look at a cyber product but also to focus on incident response, because it is not a matter of if you will be attacked but when you will be attacked. So in this case, the point is to see how you will be able to recover and continue your normal business operations. To do that, you need to have a concrete contingency plan in place.
It is time for cyber security to become a key point on the agenda of C-suite members.
The above text is an edited article of Chronis Kapalidis’ presentation during the Hellenic American Maritime Forum 2019.
The views presented above are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
Chronis Kapalidis, Cyber Expert, Hudson Analytix
Chronis Kapalidis is the European Representative of Hudson Analytix, promoting the company’s synergies in Europe on issues related to security, both physical and cyber. He recently concluded a fellowship at the International Security Department, Chatham House, on maritime cybersecurity, where he now stands as Academy Associate. He also stands as visiting research fellow at the Dartmouth Centre for Seapower and Strategy at Plymouth University, and as a board member in several academic and scientific bodies.
Chronis was an officer in the Hellenic Navy for 20 years. He specialised in operations, communications, intelligence and IT infrastructure, while participating in several NATO, EU and UN operations. His research interests include cybersecurity, defence studies, international and maritime security.
He has published widely for Foreign Affairs, Chatham House, International Affairs and the Academy for Strategic Analyses, has been interviewed by The New York Times, the Independent and The Wall Street Journal, and has participated in several maritime and cybersecurity related conferences and forums. Chronis has completed several projects at Chatham House on Cybersecurity for Critical National Infrastructure, in general, and the maritime sector specifically. He recently created the first digital learning course on maritime cybersecurity for Lloyd’s Maritime Academy.
He is currently based at the University of Warwick, where he is pursuing his doctoral degree on cyber risk quantification for the maritime sector. He holds an MA in International Relations and Global Security from Plymouth University, a PGCert in Defence Management and Leadership from the Hellenic Naval War College and a BSc in Naval Warfare from the Hellenic Naval Academy, along with several professional certificates.