SAFETY4SEA

How to prepare for Cyber Security

by Cynthia Hudson
March 20, 2019
in Cyber Security, Opinions

During the 2019 SMART4SEA Conference, Cynthia Hudson, CEO, HudsonAnalytix, provided a discussion on Cyber Incident Response to share insight on the immediate need to establish the method/means to respond to a Cyber Incident. Mrs. Hudson suggested that a response organization headed by an appointed Cyber QI or similar in the US (CQI), a Cyber Incident Response Team (CINT) and a Cyber Incident Response Organization (CIRO) be strongly considered during the planning, training and exercise process of Cyber Incident Readiness.

I am lucky enough to be able to speak to you about an interesting topic that everybody knows is there, but nobody likes to talk about. I hope that I will be able to provide you with some insights to help you understand and think about this problem.

I would like to start with a quotation from a US author: ‘Growth demands a temporary surrender of security.’ I am sure she was correct, but I am not sure she was talking about maritime security.

We, as a company, are in many areas of risk management, such as the environmental side, security and other key areas like TMSA, but we started to see about 5 years ago that cyber was going to be something important. Understanding how the vessel owners we serve approach new problems like this, we said, ‘Well, we better be ready; this is a new risk on the horizon’, and this is what we did.

Why are we discussing cyber risk? As I have heard many times, ‘It is not a regulation, we don’t need it. Nobody will tell us that we have to do it.’ Well, it is in regulations, it is in the ISM Code, not by name necessarily, but by the fact that you are already required right now to establish safeguards when you identify a risk.

If we agree that cyber is in fact a risk, what we have to do is to establish appropriate safeguards. Period. There is no question about it.

As far as the US is concerned, the Rear Admiral who started the investigation on this has said that no additional regulations are required because the existing regulations already cover cyber risk. This is what he is referring to and I want to talk to you about the US context on this so that you understand what is coming to the US and then what you hopefully can do about it.

BIMCO understands what is happening and it is not only BIMCO. Just look at CLIA, ICS, Intercargo, Intertanko, etc. Everyone has at least this time banded together and said this risk is real. How are we going to face it? BIMCO has come up with two things in particular. They have recognized that most shipping companies are going to need external assistance and that assistance is going to be like in other areas:

  • Before a cyber incident
  • During a cyber incident and
  • After a cyber incident

Another thing that the BIMCO guidelines say is ‘Establish a team’. Does this sound familiar? That team needs to be established to take the appropriate actions. It has to be capable, in other words, not the guys you know around the corner, not the guy you trust and like very well, who had a graduate degree in IT. He may be good, but this is a capability-driven requirement. You’ve got to have capabilities. That team has to be identified in your plan. Do you have a plan? OK.

There is also the US Coast Guard. How many of you really realize that there are today reporting requirements by the USCG for a cyber incident? These are reporting requirements, not suggestions.

So if you are trading to the US and you experience an incident on your vessel or an incident that will affect your vessel, you need right now a reasonable chance of risk, a threatened incident; there is a reporting requirement now.

If you have reported a particularly serious incident, do you think the Coast Guard will say ‘Thank you so much, let us know when you have cleaned it up’? Probably not. Probably you are going to see them after you have reported and they are going to be asking some questions to you. We need to be aware of this because there is a bit of an attitude that, until a regulation has passed somehow, someway, we don’t have to do anything. We do not agree with that. We think it is now.

I wanted to give you a little insight based on a client of ours, a significant owner who had a significant breach and whom we have been serving on the assessment side. The best part is that an unnamed internal guy watched the IT manager googling ‘how to remove malware’. You can learn a lot of things on Google, but perhaps this is not what you want to be doing on the day you just had a significant breach or three days later. So then he says ‘free removal tool from the internet’. Apparently, it did not work.

So what do we want to do?

Before an attack occurs:

  • Assess: Perform a cybersecurity capability assessment of your entire organization: How cyber secure are you, how capable are you, how mature are you?
  • Plan: Establish a cyber incident response (IR) plan. This plan has to be a real plan, based on your real vessels, on your real enterprise, your business, based on your real operating systems and your IT systems.
  • Train: Incorporate cyber risks into tabletop exercises. We had an awareness training. Is that all you need? No. Awareness training is great, but it is a starting point.
  • Integrate Plans: Data Loss Prevention (DLP), Disaster Recovery (DR) and Business Continuity Plans (BCP). Does the plan you have on cyber really work with the other plans that you are already using for your business? I suggest, if you have a disaster plan, a data loss prevention plan or a business continuity plan, which may be the most important of all in this particular case, that the plan is actually integrated.

Ask yourself as an Owner:

  • Who will be there in the middle of the night when the breach occurs? Prepare for the worst – establish cyber incident response capabilities
  • Who will cover our assets?
  • Who will speak for our company?
  • Have we appropriately transferred our cyber risk? Prepare now for cyber insurance (don’t assume you have full coverage)

These are some questions that you can ask in due time or your risk manager internally can ask.

We want to give you a solution set. This set is not going to be fully ‘baked’ for you until you have done these other things that we have suggested. But a solution set that we think is going to work for the US will start to look suspiciously similar to other things you have encountered in the past.

We are suggesting you essentially need a cyber Qualified Individual (QI). Don’t get upset with the QI as a regulated requirement today. The QI has an association with the US oil pollution and lots of other requirements, but what we are using it as is an indicator that you need someone to act on your behalf, who has been participating with you and is prepared to know your exact systems and your contingency plans.

This guy has to be pre-contracted and the other resources you need externally need to be pre-contracted; you cannot get to know them the day of the breach. By the time the new expert learns that you may be up and running, I don’t know how many days or weeks, even months, the restoring can take.

So you may have, for example, a communications firm which is very good or an internal communications person. Don’t assume that this is going to cover you. It has to be an integrated response. The vessel and the owner have to act on a crisis management perspective when an incident occurs. The other stakeholders have to be brought in: Legal, Public relations, Insurance of course, and the port state and the local authorities have to be involved, because they are threatened by the breach experienced, possibly. Also, there has to be an independent cyber incident response organization.

I think it suffices to say it is time to start, it is time to get ready, it is time to set yourself up for this continuous improvement and it is time to transfer your risk once you have done that by looking at what you do have covered and what you can sustain yourself and what you cannot. And then you are going to look to a viable insurance company to provide the difference.

Above text is an edited article of Cynthia Hudson’s presentation during the 2019 SMART4SEA Conference

The views presented above are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.


About Cynthia Hudson, CEO, Hudson Analytix

Cynthia A. Hudson is CEO and founder of HudsonAnalytix, Inc., a global maritime risk consultancy serving the maritime transportation sector, headquartered in Philadelphia, US and internationally from Piraeus to Jakarta. In 1986, Ms. Hudson founded what became HudsonAnalytix to provide emergency response, maritime project management and maritime consulting services to maritime transportation interests; oil and energy, vessel owners/operators and insurers for more than 100 oil and hazardous material response incidents. Hudson led the firm into maritime security for ports and vessels providing port vulnerability security assessment work at hundreds of ports and facilities worldwide and in 2016 expanded HudsonAnalytix’s cyber operations to design and deliver cybersecurity and cyber risk management solutions to maritime clients and provide cybersecurity expertise to governmental agencies. Well-known and highly regarded throughout the maritime transportation industry for her work and contributions in her field, Ms. Hudson was most recently honored by the Organization of American States (OAS) Inter-American Committee on Ports with the 2016 Maritime Award of the Americas: Outstanding Women in the Maritime and Port. Ms. Hudson serves on a number of Industry Boards, and is President of WISTA Delaware River & Bay Chapter and a Director of the North American Marine Environment Protection Association (NAMEPA).

Tags: cyber risk, cyber security, SMART4SEA, US