During the 2019 SMART4SEA Conference, Cynthia Hudson, CEO, HudsonAnalytix, gave a talk on Cyber Incident Response to share insight on the immediate need to establish the method and means to respond to a cyber incident. Mrs. Hudson suggested that a response organization headed by an appointed Cyber Qualified Individual (CQI) or similar in the US, a Cyber Incident Response Team (CINT) and a Cyber Incident Response Organization (CIRO) be strongly considered during the planning, training and exercise process of cyber incident readiness.
I am lucky enough to be able to speak to you about an interesting topic that everybody knows is there, but nobody likes to talk about. I hope that I will be able to provide you with some insights to help you understand and think about this problem.
I would like to start with a quotation from a US author: ‘Growth demands a temporary surrender of security.’ I am sure she was correct, but I am not sure she was talking about maritime security.
We, as a company, are in many areas of risk management, such as the environmental side, security and other key areas like TMSA, but about 5 years ago we started to see that cyber was going to be something important and, understanding how the vessel owners we serve approach new problems like this, we said, ‘Well, we had better be ready; this is a new risk on the horizon.’ This is what we did.
Why are we discussing cyber risk? As I have heard many times, ‘It is not a regulation, we don’t need it. Nobody will tell us that we have to do it.’ Well, it is in regulations, it is in the ISM Code, not by name necessarily, but by the fact that you are already required right now to establish safeguards when you identify a risk.
If we agree that cyber is in fact a risk, what we have to do is to establish appropriate safeguards. Period. There is no question about it.
As far as the US is concerned, the Rear Admiral who started the investigation on this has said that no additional regulations are required because the existing regulations already cover cyber risk. This is what he is referring to, and I want to talk to you about the US context on this so that you understand what is coming to the US and then what you hopefully can do about it.
BIMCO understands what is happening, and it is not only BIMCO. Just look at CLIA, ICS, Intercargo, Intertanko, etc. Everyone has, at least this time, banded together and said this risk is real. How are we going to face it? BIMCO has come up with two things in particular: They have recognized that most shipping companies are going to need external assistance, and that assistance is going to be like in other areas:
- Before a cyber incident
- During a cyber incident and
- After a cyber incident
Another thing that the BIMCO guidelines say is ‘Establish a team’. Does this sound familiar? That team needs to be established to take the appropriate actions. It has to be capable; in other words, not the guys you know around the corner, not the guy you trust and like very well who has a graduate degree in IT. He may be good, but this is a capability-driven requirement. You’ve got to have capabilities. That team has to be identified in your plan. Do you have a plan? OK.
There is also the US Coast Guard. How many of you really realize that there are today reporting requirements by the USCG for a cyber incident? These are reporting requirements, not suggestions.
So if you are trading to the US and you experience an incident on your vessel, or an incident that will affect your vessel, or even a reasonable chance of risk, a threatened incident, there is a reporting requirement right now.
If you have reported a particularly serious incident, do you think the Coast Guard will say ‘Thank you so much, let us know when you have cleaned it up’? Probably not. Probably you are going to see them after you have reported, and they are going to be asking you some questions. We need to be aware of this because there is a bit of an attitude that, until a regulation has passed somehow, someway, we don’t have to do anything. We do not agree with that. We think it is now.
I wanted to give you a little insight based on a client of ours, a significant owner who had a significant breach and whom we have been serving on the assessment side. The best part is that an unnamed internal guy watched the IT manager googling ‘how to remove malware’. You can learn a lot of things on Google, but perhaps this is not what you want to be doing on the day you have just had a significant breach, or three days later. So then he searches ‘free removal tool from the internet’. Apparently, it did not work.
So what do we want to do?
Before an attack occurs:
- Assess: Perform a cybersecurity capability assessment of your entire organization: How cyber secure are you, how capable are you, how mature are you?
- Plan: Establish a cyber incident response (IR) plan. This plan has to be a real plan, based on your real vessels, on your real enterprise, your business, based on your real operating systems and your IT systems.
- Train: Incorporate cyber risks into tabletop exercises. We had an awareness training. Is that all you need? No. Awareness training is great, but it is a starting point.
- Integrate Plans: Data Loss Prevention (DLP), Disaster Recovery (DR) and Business Continuity Plans (BCP). Does the plan you have on cyber really work with the other plans that you are already using for your business? If you have a disaster recovery plan, a data loss prevention plan or a business continuity plan, which may be the most important of all in this particular case, I suggest that the plans are actually integrated.
Ask yourself as an Owner:
- Who will be there in the middle of the night when the breach occurs? Prepare for the worst – establish cyber incident response capabilities
- Who will cover our assets?
- Who will speak for our company?
- Have we appropriately transferred our cyber risk? Prepare now for cyber insurance (don’t assume you have full coverage)
These are some questions that you can ask in due time or your risk manager internally can ask.
We want to give you a solution set. This set is not going to be fully ‘baked’ for you until you have done these other things that we have suggested. But a solution set that we think is going to work for the US will start to look suspiciously similar to other things you have encountered in the past.
We are suggesting you essentially need a cyber Qualified Individual (QI). Don’t get upset with the QI as a regulated requirement today. The QI has an association with US oil pollution and lots of other requirements, but what we are using it as is an indicator that you need someone to act on your behalf, who has been participating with you and is prepared to know your exact systems and your contingency plans.
This guy has to be pre-contracted, and the other resources you need externally need to be pre-contracted; you cannot get to know them on the day of the breach. By the time a new expert has learned your systems and you may be up and running, I don’t know how many days or weeks, even months, the restoration can take.
So you may have, for example, a communications firm which is very good, or an internal communications person. Don’t assume that this is going to cover you. It has to be an integrated response. The vessel and the owner have to act from a crisis management perspective when an incident occurs. The other stakeholders have to be brought in: Legal, Public Relations, Insurance of course, and the port state and the local authorities have to be involved, because they are possibly threatened by the breach experienced. Also, there has to be an independent cyber incident response organization.
I think suffice it to say it is time to start, it is time to get ready, it is time to set yourself up for this continuous improvement, and it is time to transfer your risk once you have done that, by looking at what you do have covered, what you can sustain yourself and what you cannot. And then you are going to look to a viable insurance company to provide the difference.
Above text is an edited article of Cynthia Hudson’s presentation during the 2019 SMART4SEA Conference
The views presented above are only those of the author and not necessarily those of SAFETY4SEA, and are for information sharing and discussion purposes only.
About Cynthia Hudson, CEO, Hudson Analytix
Cynthia A. Hudson is CEO and founder of HudsonAnalytix, Inc., a global maritime risk consultancy serving the maritime transportation sector, headquartered in Philadelphia, US, and operating internationally from Piraeus to Jakarta. In 1986, Ms. Hudson founded what became HudsonAnalytix to provide emergency response, maritime project management and maritime consulting services to maritime transportation interests (oil and energy, vessel owners/operators and insurers) for more than 100 oil and hazardous material response incidents. Hudson led the firm into maritime security for ports and vessels, providing port vulnerability security assessment work at hundreds of ports and facilities worldwide, and in 2016 expanded HudsonAnalytix’s cyber operations to design and deliver cybersecurity and cyber risk management solutions to maritime clients and provide cybersecurity expertise to governmental agencies. Well-known and highly regarded throughout the maritime transportation industry for her work and contributions in her field, Ms. Hudson was most recently honored by the Organization of American States (OAS) Inter-American Committee on Ports with the 2016 Maritime Award of the Americas: Outstanding Women in the Maritime and Port. Ms. Hudson serves on a number of industry boards, and is President of the WISTA Delaware River & Bay Chapter and a Director of the North American Marine Environment Protection Association (NAMEPA).