In an exclusive interview with SAFETY4SEA, Daniel Ng, CEO, CyberOwl, notes that many shipping companies still treat cyber risk management as an “IT problem”, which is not a sustainable option. To change that, he suggests finding ways to empower others beyond the IT teams to take responsibility. In this regard, it is vital that the crew take cyber security as seriously as they take safety measures, considering that the industry has witnessed an increase in cyber attacks in recent months.
SAFETY4SEA: Where does the industry stand with regards to cyber security? Is shipping safe & secure from cyber risks?
Daniel Ng: There is still a long way to go, but we have seen a real positive shift in the behaviour of companies improving their cyber risk management during 2021. The vast majority of cyber attacks on shipping companies appear to be untargeted attacks by criminals motivated by profit. Such cyber criminals will either focus on the targets they think they can make profit on the quickest, or indiscriminately attack any system until they hit a target that pays. Multiple factors make shipping an easy, attractive and complicit target and may explain the rise.
#1 Shipping is an easy target. The sector has become a victim of its own neglect. By not investing sufficiently in cyber risk management, shipping companies have allowed themselves to be an easy target compared to other sectors. It has also rapidly adopted technology and connectivity without investing sufficiently in skilled teams that understand cyber risk.
#2 Shipping has also become an attractive target. Many shipping segments, like boxships and dry bulk, are experiencing record profits. The recent trends around supply chain difficulties and the cost of major incidents such as the Suez Canal blockage have been persistently in the news over the last year or so. The cost of disruption to shipping operations has never been more obvious, even if the cyber criminals knew little about the sector before this.
#3 Finally, shipping in many ways is also a complicit target. The sector is secretive by nature. Shipping organisations resist, or at least do not wholeheartedly support, sector-wide initiatives to share information around cyber risk. There is no single body that takes responsibility for receiving and disseminating threat intelligence reports. In addition, many shipping operators I have spoken to would be willing to pay the ransom on a ransomware attack. This kind of mindset encourages cyber criminals to target the sector.
S4S: What are the biggest challenges in terms of cyber safety & security up to 2030 for the industry?
D.N.: Two large challenges are emerging – one internal and one external.
A major internal challenge relates to resourcing. There has been an increasing volume of cyber breaches in shipping. Now that cyber criminals have discovered the sector as a lucrative way to make profit, the frequency of attacks is likely to rise quickly. Shipping companies are not set up to deal with this rate of change and frequency of attacks. A fundamental reason is that most shipping companies still make cyber risk management an “IT problem”. This is no longer sustainable. Shipping operations now demand more frequent and richer data, remote support and increased connectivity in order to make better decisions to achieve cost reduction, revenue maximisation and net zero. This is going to keep vessel IT teams very busy. We need to find ways to empower others beyond the IT teams to step up and take responsibility. For vessel cyber security, this includes helping the crew take cyber security as seriously as they take safety measures.
Another huge external challenge relates to supply chain cyber risk. This is a direct consequence of the desire for vessel modernization. It is no longer easy for fleet operators to work out what data flows to and from their shipboard systems across the supply chain. This is driven by a sharp rise in applications such as cloud-based ERP, cloud-based compliance systems, vessel performance optimization, remote support and remote management applications. As marine operations become more reliant on such systems, it makes it attractive for cyber criminals to attack suppliers in order to maximize their potential for extortion, rather than attacking individual ship owners. Examples of cyber attacks on suppliers to the shipping sector in the last 12 months, e.g. the SolarWinds and Danaos attacks, indicate how serious and widely-affecting this could be.
S4S: What should we keep as we move forward from the COVID-19 pandemic with regards to digitalization?
D.N.: Covid has been a huge catalyst for remote support, crew connectivity and the rise of cloud applications in shipping. These have all improved shipping operations immensely and are here to stay.
S4S: Have you noticed any alarming trends with regards to cyber threats since the COVID-19 outbreak where shipping accelerated its path towards digitalization?
D.N.: As explained above, the supply chain risk. This is quickly becoming the most worrying trend in cyber risk for shipping. If we are going to be successful in digitalization and remote support in shipping, we need to make sure the supply chain enabling such change is secure and safe.
S4S: What is the weakest link with respect to cyber security onboard and ashore?
D.N.: The weakest link is the lack of data-driven decision making. Shipping is used to making decisions in a slow-paced way, based on experience and incremental observation. Where rates of change are slow, there is generally time to rectify a bad or poorly-informed decision. However, the rate of change in cyber risk is a paradigm shift away from anything that shipping has ever experienced. New attack techniques are developed daily and cyber criminals are very creative. We very frequently find fleet operators making “calculations” on their cyber risk based on unproven, often false, assumptions. Many fleet operators will swear that there is minimal connectivity and very “clean”, segregated networks onboard their vessels. Yet, it is worrying how frequently we find undesirable network architectures, unplanned configurations, unknown assets and unexpected applications.
S4S: How should we approach cyber security training in the maritime industry, for those onboard and ashore?
D.N.: Training is all about driving behavioural change. You don’t change behaviour by instructing somebody once, or even once a year. Training needs to be continuous, so individuals are frequently reminded why they need to maintain that behaviour change. I would like to see cyber security training models change entirely to incorporate approaches of drilling, nudging, gamification and continuous improvement. We are already familiar with such concepts: for example, the reason why apps like Strava and C25K (Couch to 5k) have been so successful in changing behaviour in personal fitness is that they incorporate such approaches.
S4S: How can we enhance cyber awareness among seafarers and ship owners/operators and manage risk? What is your organization doing towards that end?
D.N.: There are two approaches we have seen work very successfully.
The first is to run maritime cyber drills, which is a very effective way of bringing to life the need for cyber preparedness. Drills can be tailored to cover a range of scenarios involving seafarers all the way through to the management team. At CyberOwl, we collaborate with HFW, the top global shipping legal firm, to run maritime cyber drill exercises that are focused on helping shipping companies prepare to minimise the commercial exposures of a cyber incident. These exercises are designed to involve multiple roles within the ship owner but also across their supply chain, including their insurer. As the scenario develops, the drill helps ship owners ensure the right people, processes, technologies, legal protections and insurance cover are in place to minimise exposure.
The second is to use data to “hold a mirror up” to seafarers on how they are performing on cyber hygiene. We find that seafarers are generally well-intentioned. Where they breach cyber policy, this is generally done either unknowingly or because they need to be practical in making exceptions in order to ensure operational requirements are met. It is rarely malicious. Using Medulla, our cyber risk monitoring system, we present monthly reports for masters or chief officers to evidence how they have performed on cyber hygiene and policy compliance. We find that when presented with such information, seafarers are encouraged to change and improve their behaviour over time. This takes cyber awareness to the “point of use”, rather than in a classroom setting out of context.
S4S: Do you have any projects/plans you would like to share with industry stakeholders?
D.N.: We are sponsoring a research project, in partnership with HFW, performed by Thetius, an independent technology research organisation. This research is intended to create a global industry-first report into the state of cyber risk in the maritime industry a year after IMO 2021 came into effect. We are inviting as many shipping industry professionals to be involved in this research as possible. The more people are involved, the more representative the findings.
S4S: What is your key message to industry stakeholders for enhanced cyber hygiene?
D.N.: Make decisions on your cyber risk management and insurance based on real data and evidence. Getting this real data and evidence doesn’t have to be complicated. Clearly we would recommend that you deploy monitoring technologies. But there are other ways including running penetration tests or getting experts to help you perform a data-driven risk assessment. Desktop, theoretical assessments are not really good enough – cyber risk profiles are different across different fleets. There is no cookie-cutter answer.
The views presented hereabove are only those of the author and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.