During the 2022 SMART4SEA Virtual Forum, Panel 3 focused on cyber security in shipping. The participants discussed the latest cyber resilience challenges, lessons to be learned, issues surrounding the industry, new cyber threats, and how shipping can enhance its cyber security in an ever more digitalized world.
Beginning the discussion, the panelists were asked to share their opinion on how the pandemic affected cyber resilience across the industry. According to Jakob P. Larsen, Head of Maritime Safety & Security, BIMCO, the fact that the world started working from home posed a threat to many companies and to the IT servers as well.
“Criminal acts can very quickly spread to ships. The key thing was the new element of the pandemic, that the people started working from home. The attacks have increased dramatically, forcing companies to rethink the cyber defence strategies,” said Mr. Larsen.
Another critical point that shipping had to deal with over the past two years was phishing attempts. As Jim McKee, CEO, Red Sky Alliance, explained, these attacks “have always centered our fear, uncertainty and doubt. All of a sudden, there appeared many cyber threat actors pretending to be health officials or government officials.”
Agreeing with both aforementioned comments, Michael Vrettos, Cyber Security Expert, RINA, added that in order to better deal with phishing incidents, a good practice would be to re-examine the risk assessment program, and increase personnel awareness.
“Phishing attacks were one of the biggest challenges; cyber criminals get a hold of a difficult situation in order to launch their attacks and inject trojans and malware,” stated Fotis Tsitsirigkos, Fleet IT Manager, Euronav.
Taking the above into consideration, one question arose: whether shipping was ready to deal with such incidents. According to Mr. Tsitsirigkos, the industry was not ready for demand on this scale and had to provide immediate solutions in a short time and under difficult circumstances.
On the same wavelength, Mr. Vrettos noted that while shipping was not 100% ready for these kinds of incidents, it managed to adjust quite effectively. “The maritime sector showed a quick adaptation, and within a couple of months most of the organizations were ready to face this situation.”
With cyber security incidents on the rise, certain aspects led to more trouble for operators. Mr. Larsen highlighted that the most worrying trend is the increased geopolitical tension. “With Russia invading Ukraine there has been so much tension building, so we have to keep in mind that it is a concept that is developing, and in the future we could see more and more cyber attacks.”
For his part, Mr. Vrettos mentioned some trends of recent years, such as the increased connectivity of the fleet with numerous applications, and the increased bandwidth, which makes access easier and gives attackers the ability to use more offensive tools.
“Another worrying trend is the reliance on 3rd party software and hardware that shipping companies use for the variety of different actions, so I would say that shipping companies should use trustworthy solutions that have some sort of reliance.”
Of course, these attacks can have widespread consequences. In fact, Mr. McKee emphasized that cyber incidents can be a threat to the entire supply chain, as they could “target everything from suppliers, to schools, to hospitals, to cities.”
So, with cyber attacks becoming more and more common, what method would be best in order to protect the industry? According to Mr. Tsitsirigkos, the answer lies within 3 aspects:
- Education;
- Training;
- Awareness.
These three aspects will give us the tools to provide access to 3rd parties so they have remote access in a way that companies can control.
Another best practice, recommended by Mr. Larsen, is for companies to keep a back-up of their data that is separated from the main source, “because if everything else fails and we have devastating impact, companies should have the ability to recover everything.”
However, access management is both a worrying issue and a possible solution at the same time, said Mr. McKee. As he mentioned, “a lot of organizations don’t really know who has access to things, so access management is a big piece.”
Another step is to implement a vulnerability program specifically for the fleet, Mr. Vrettos suggested, adding that identifying new sensors, protocols and services that exist on board is also vital.
Continuing the discussion, the panelists talked about how cyber security connects with ESG, with Mr. McKee saying that ESG is going to depend a whole lot on digitalization in order for its goals to work. “Ensuring cyber security and resilience, the ability for the systems to be up and running and working as expected is the foundation of achieving anything else.”
This led to the next and final point of debate: the regulatory requirements for cyber security. “A lot of recommendations are there with references to other frameworks, but we need to be more specific and define a way to evaluate all this,” said Mr. Tsitsirigkos.
“A realistic and well defined regulatory framework needs to have the industry move and have fewer risks, otherwise just trying to check on the checklist, to comply, is not the best thing to do.”
Mr. Larsen and Mr. McKee both agreed with this statement, adding that the industry should be mindful that these audits will be a key element in the overall risk management, especially as maritime has just started to realize the need to incorporate cyber risk into the SMS.