“No industry is safe or secure from cyber-attack,” stresses Campbell Murray, CEO of IMCSO, highlighting that ransomware attacks in the maritime industry increased by 80% between 2022 and 2023 alone.
In this regard, the industry needs to invest in training to develop resilience against the numerous cyber threats, considering that cybersecurity is a responsibility for all members and not just the IT department. Developing a security culture, where all team members are conscious of the risks and potential fallout of a cyber attack, is more vital than ever.
SAFETY4SEA: Where does the industry stand with regards to cyber security? Is shipping safe & secure from cyber risks?
Campbell Murray: Maritime is still very much in its early days when it comes to Cyber Security compared to other shore-based industries, however the pressure and need to address the issues of vulnerability and attack surface reduction are increasingly urgent as ships and ports become more reliant on large data transfers, monitoring of ships’ systems and evolving safety systems. This presents a unique set of challenges in the maritime environment today and for the immediate future. No industry is safe or secure from cyber-attack. Security is a process, not a destination that is arrived at as new attacks and techniques are in continual development. Cyber security has long been equated to a game of cat and mouse between defenders and attackers, and this will always be the case. We always need to be mindful of what we consider an attack. The theft of data may be the obvious scenario that many are worried about, but this can be no less devastating than a denial-of-service of systems or, in some cases, the alteration of data. All scenarios carry considerable consequences under the right conditions.
S4S: How can we enhance cyber awareness to seafarers and ship owners/ operators and manage risk? What is your organization doing towards that end?
C.M.: In short, socialisation and normalisation of the subject in day-to-day operations such that cyber security is embedded in the habits and actions of all crew and staff. The same challenges affect Maritime as they do shore-based commerce and office spaces. Cyber security is not a problem for IT, or a dedicated security team, rather it is everyone’s problem and responsibility no matter how small a part they feel they may play. Every successful attack starts with a foothold, and attackers will take whatever they can get to further their aims and that foothold is all too often the result of human error.
S4S: What are the top priorities on your agenda for the next five years?
C.M.: The IMCSO is looking to expand its participation in all levels of Maritime where the consumption of cyber security services takes place, and this embeddedness is where we will be placing our focus as we work with concerned consumers of cyber consultancy services and cyber suppliers alike. Our priority is to continue to develop an open platform and network in which we are the focal point for collaboration in producing excellence in service delivery and avoid many of the pitfalls and issues of the past that we can learn from.
S4S: What are the biggest challenges in terms of cyber safety & security up to 2030 for the industry?
C.M.: Good cyber security principles are well established, and the cyber security industry has come a long way in the last 30 years. The challenges lie in adoption of known good practices into Maritime and ensuring that those processes and technologies that are utilised are fully fit for purpose in the unique, vastly varied and challenging environments that maritime presents. As the industry becomes more connected and employs more digital solutions, so does the opportunity to introduce security errors that may be leveraged and exploited.
S4S: Have you noticed any alarming trends in cyber threats as shipping accelerates its path towards digitalization?
C.M.: As with all emerging technologies and markets, it is only a matter of time before the malicious actor’s attention is drawn to what may be softer targets than those found ashore. Decades of preparation, education, technology development and best-practices can be evidenced in shore-based systems, but far less so in maritime and this alone will draw unwanted attention hoping to find an easy hack. The motives of cyber threat actors vary widely from organised criminal gangs to hacktivists and often mischievous individuals looking to simply cause trouble. Ransomware attacks in Maritime increased by 80% between 2022 and 2023 alone. The maritime industry is truly within the sights of the cyber attackers and needs to prepare to develop resilience against the numerous threat actors out there.
S4S: What is the weakest link with respect to cyber security onboard and ashore?
C.M.: The weakest link has always been, and I fully expect will always be, humans. Ensuring that everyone is cyber aware and vigilant always is a big challenge for any group whilst creating and adhering to policies to keep all digital components up to date and patched from attack in diverse systems is historically the root cause of all successful attacks. It takes one person to click the link in an email to expose their passwords, or one system that is not patched against a vulnerability to expose the entire network.
S4S: How do you approach cyber security training in the maritime industry, for those onboard and ashore?
C.M.: The topic of training is wide and diverse. All individuals have a responsibility for cyber security, regardless of if they work on digital systems or not. If they have access to a terminal and valid credentials to log in, then they already have what an attacker seeks to gain and are themselves a target for attacks. Several techniques have been proven to work well to embed cyber security awareness into teams, such as “nudge training” which seeks to deliver daily messages to keep cyber security at the forefront of everyone’s minds. In-depth technical training should be regularly undertaken by all with the responsibility for hardening digital systems ashore and onboard and this should be revisited regularly to ensure that skills have not faded. All people learn in a different way and the science of pedagogy has generated reams of writing on the subject such as the VARK model, Honey and Mumford, Fleming’s learning styles and more. All of these serve to prove that training should not be treated as a one-time endeavour as what works for one, will not be effective for others and a flexible approach to the training and development needs of personnel should be adopted early on. I am personally a fan of the Halsted method of learning, “see one, do one, teach one”. If you can teach something to others, you truly understand it.
S4S: Are there any future projects or initiatives that you are planning to further support cyber security within the maritime industry?
C.M.: The role of the IMCSO is to assist in developing and maintaining standards of cyber consultancy available to the Maritime industry and to assist them in selecting suitably qualified and experienced suppliers. This is our first mission. Longer term we will also be looking to how the considerable collective expertise within the IMCSO can be utilised to drive standards in software and hardware development as well as reviewing and assisting in developing effective training for the industry. But please ask again in 3 years’ time and we will see what else we are working to improve.
S4S: If you could change one thing that would have either a profound or an immediate impact on Digital/Smart performance across the industry, what would this one thing be and why?
C.M.: Effective training. The rapid advancement of technology and solutions across the industry and the eagerness to adopt places a huge weight on the backs of those charged with keeping digital services safe. The majority of cyber breaches are due to human error and keeping pace with change is a challenge in stable industries let alone in an industry that is evolving at an immense pace. Developing a security culture, where all team members are conscious of the risks and potential fallout of a cyber attack now will pay dividends in future.
S4S: What is your key message to industry stakeholders to embrace an effective cyber hygiene?
C.M.: Whilst cyber security may not be a regulatory requirement for all, it is very much a need now and there is no escaping this fact. Action now will save time and expense later.
The views presented are only those of the author and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.