In an exclusive interview with SAFETY4SEA, Mr. Ian Bramson, Global Head of Cyber Security, ABS Group of Companies Inc., highlights the importance of putting cyber security at the center of our attention, noting that the very fact that IMO made cybersecurity part of the safety management audit underscores its importance for the industry.
In a digital world, cyberattacks are more frequent, more severe, and more far-reaching than ever. Continuing digitization is the biggest challenge because digitization and cybersecurity go hand in hand, he states.
SAFETY4SEA: Where is the industry standing with regards to cyber security?
Ian Bramson: Cyberattacks are more frequent, more severe, and more far-reaching than they ever have been, and that has made cybersecurity a business imperative for the maritime industry. The number of connected devices and systems is growing exponentially, which means the cyberattack surface is growing. At the same time, hackers are becoming more sophisticated. Cyber risk management has moved to the forefront of operations because the consequences of a successful cyberattack can be catastrophic. Safety and security are top priorities, but things are changing quickly, and it is hard for companies to keep up with those changes even though there is a clear understanding that having an established cybersecurity program is a necessity.
S4S: Is shipping safe & secure with regards to cyber risks?
I.B.: Establishing safety and security in terms of cyber risks is a moving target because operations change as new technologies are adopted. Digital advances introduce opportunities for improved efficiencies and better decision-making, but they bring with them new challenges. Simply put, the increasing reliance on smart technology to gather operational data introduces more cyber risk. Systems that used to function separately are talking to each other now, and every point of contact between those systems is a potential entry point for a cyberattack. Fortunately, there are ways to manage cyber risk, but cybersecurity programs can’t be developed in isolation, and there is no off-the-shelf solution.
S4S: What are the biggest challenges in terms of cyber safety & security up to 2030 for the industry?
I.B.: Continuing digitization is the biggest challenge because digitization and cybersecurity go hand in hand. Operations are becoming more connected, data-driven and autonomous, and as we introduce new technologies to operations, we increase our exposure to cyberattacks. The interface is growing between information technology (IT), which focuses on data, and operational technology (OT), the computing and communication systems that manage, monitor, and control physical devices and industrial operations. In simple terms, expanding connectivity creates more vulnerability. There is a myth that some systems cannot be breached by attackers, but the fact is that if there is a single entry point – a connection with another system – there is a way for a hacker to get in.
Cybersecurity relies on visibility and control. On one hand, this means knowing who is onboard a vessel and what systems they have access to. On the other is the ability to recognize when a cyberattack has occurred and limit exposure. A single successful attack jeopardizes the entire interconnected system because when someone gets access to one area, they can get access to every area. Companies need to develop comprehensive plans, policies and protocols that will help them ward off cyberattacks and mitigate damage after the fact if an attack succeeds.
S4S: What is the weakest link with respect to cyber security onboard and ashore?
I.B.: People make up the largest part of the cyber ecosystem and usually are the weakest link. Training is critical, but for long-term success, cybersecurity requires behavioral change. Cybersecurity has to be top of mind for crewmembers as they carry out everyday tasks. Everyone has to develop new habits, and that takes time. Even after behavioral changes are implemented, somebody on every ship needs to oversee operations and the basic cyber hygiene of the entire crew. Without oversight, there is no way to recognize and address dangerous behavior and no way to identify a cyberattack quickly to minimize damage and prevent a similar attack in the future.
S4S: Have you noticed any alarming trends with regards to cyber threats since the COVID-19 outbreak where shipping accelerated its path towards digitalization?
I.B.: Removing people from places where they are forced to have a lot of interpersonal contact has led to more automation and more interconnectedness among systems. A lot of these systems used to be isolated, so cybersecurity was never even a consideration. Legacy networks are not designed for cyber resilience because when they were built, no one thought they would be connected. Hook up an old system to the internet, and you run the risk of unintentionally exposing it to a whole host of cyber risks.
COVID-19 carries with it its own latent cyber risk. With the sudden and unexpected onslaught of the pandemic, companies had to move fast to protect their workers. For some, converting to an almost fully remote working environment meant stretching networks way beyond their normal limits. As entire workforces switched to working from home, work networks mingled with home networks, people emailed sensitive work documents to personal accounts and USB drives were used to help move and share files like never before.
Because of the pandemic, the attack surface—the exposure points that attackers can exploit—has dramatically expanded. Add to that the scams related to COVID-19 that persuade employees to unwittingly click on bad links, and there is a perfect environment for cyber malware and other types of exploitation to grow.
S4S: What should we keep as we move forward from the COVID-19 pandemic with regards to digitalization?
I.B.: Moving forward, it’s important that we remember the lessons we’ve learned about good cyber hygiene. Ship owners and operators need to plan for cybersecurity. It needs to be a daily part of operational and safety risk management. Companies that are working now to develop a strong cyber program need to be sure they account for assessment, planning, protection, defense, detection and response. The solutions need to be comprehensive, or they will fall short when they’re put to the test.
S4S: How can we enhance cyber awareness among seafarers and ship owners/operators and manage risk? What is your organization doing towards that end?
I.B.: Understanding that cybersecurity is not a one-size-fits-all solution is very important. There are multiple cyber technologies, services and solutions that can help protect your networks, so it’s important to make sure you are making smart choices and implementing those that best suit your needs. The easiest and best way to do that is to find partners with expertise in both IT and OT environments who can work with you to build a program that meets your specific requirements.
ABS Group has been in this business long enough to understand the intricacies of developing comprehensive maritime cybersecurity solutions. Our process begins with an assessment that includes IT and OT capabilities, and we build on that assessment to help companies develop and implement every stage of the cybersecurity program, including cybersecurity awareness training, documenting the OT system, creating change management programs and managing OT cybersecurity and incident response. Once the program is up and running, we provide 24/7/365 cybersecurity monitoring services to prevent cyber incursions and identify successful cyberattacks early on to manage and minimize their repercussions.
S4S: What is your key message to operators with respect to IMO 2020 Requirement regarding cyber security?
I.B.: The fact that IMO has made cybersecurity part of the safety management audit underscores the importance of cybersecurity for the industry. Making cybersecurity a priority is the first step. Every company needs a cybersecurity plan that is reasonable, appropriate and executable, but not every company has the expertise to develop a comprehensive plan without help. It is critically important to build a repository of cybersecurity capabilities that address the relevant risks, can be executed through clear processes and protocols, provide strong defenses against attacks and bolster operational resilience. The cyber threat is real, and safeguarding assets, people and the environment isn’t something that should be compromised.
The views presented above are only those of the author and do not necessarily reflect those of SAFETY4SEA; they are for information sharing and discussion purposes only.