When I was a boy, my father regularly invoked a modified version of Sir Isaac Newton’s first law of motion: “a body at rest remains at rest until given a stiff kick in the rear end”. In other words, a body’s natural state is one of unchanged behavior until an outside force acts on it. In this respect, Newton anticipated my father’s motivational intent.
Both my father’s and Newton’s observations remain instructive when considering the resistance to change shown by many shipowners, who prefer to maintain the natural state of business as usual in the “Smart Era”. Reluctant to change, they justify decisions by citing market dynamics, cast responsibility onto IT staff, resist investment, and hope to avoid a major attack in today’s “cyberized” environment.
It is axiomatic among shipowners that shipping is an aggressive business; in broad terms charter rates remain competitive, and despite increases in container volumes, for example, slim profits persist. The day-to-day market dynamics of shipping are tough. It therefore remains unsurprising that many shipowners have little appetite for allocating discretionary funds to invest in cybersecurity. Surprisingly, this posture persists even among some who have suffered cyber attacks. Such continued resistance leaves companies vulnerable.
While some early adopters have embraced new ways of addressing cybersecurity challenges, many remain stubbornly doubtful about the extent to which they must assume oversight. Their natural instinct is to delegate cybersecurity responsibility to Information Technology (IT) staff. However, as the shipping industry enters the 21st century’s hyper-connected Smart Era this is a critical mistake.
Certainly, IT staff are expert in dealing with IT-based applications and systems, combating cyber threats daily, but effective organizational cybersecurity neither begins nor ends with them. As ships and fleets become more interconnected, deploying Internet-of-Things (IoT) enabled technologies, network-enabled systems, and predictive analytics, shipowners must accept the Smart Era’s new normal. By relinquishing cyber risk management responsibility to IT staff, they are inadvertently placing their company at a disadvantage in an age of hyper-competition, rapid technical innovation and adaptation, and chronic cyber threat evolution and pervasiveness.
IT-only leadership on cybersecurity responsibility, oversight and accountability misplaces the responsibility for managing balance sheet risk. IT cybersecurity activities are only effective if they are aligned with other personnel across the business – spanning security, engineering, crewing, ship management, health and safety, compliance, training, finance and administration – and especially the DPAs (Designated Persons Ashore). To implement effective cyber risk management, shipowners and Boards of Directors must assume primary overall responsibility for leading and managing their organization’s cyber risk management efforts.
With information breaches reported daily, Newton’s cyber “kicks” keep coming and should serve as sobering reminders to any shipowner left wondering about the potential impact of a successful cyber attack. As Maersk’s experience with the NotPetya attack in 2017 and Cosco Shipping’s recent ransomware incident highlight, cyber attacks can still impact the broader operations, market brand and revenue of a modern shipping company.
Though more details of Cosco’s experience will likely emerge, Møller-Maersk’s chair, Jim Hagemann Snabe, recently disclosed that the company’s cyber incident response necessitated “heroic” internal efforts, which involved the re-installation of “4,000 new servers, 45,000 new computers and 2,500 applications.” Mr. Snabe went on to state that the recovery effort encompassed the company’s “complete infrastructure,” and total revised loss estimates range between USD 250-300 million.
To succeed in the Smart Era shipowners must first understand three key points. First, they must assume overall responsibility for cybersecurity. Second, they must recognize that there exists no ‘magic bullet’ for purchase that can solve all their cybersecurity needs.
Third, they must accept the fact that at some point their company will be compromised by a cyber threat that will significantly impact their operations organization-wide.
Here are four key steps to help shipowners position their businesses for managing cyber risk in the Smart Era:
#1 Develop cyber loss scenarios
It’s critical to understand the business’s exposure in financial terms. Develop a set of cyber loss scenarios that could realistically impact the business and determine their exposure values. While smaller scale scenarios cover site-specific instances, such as how a vessel or an office might be impacted, broader thinking is recommended to characterize how a multi-vessel/site attack might impact the overall business.
#2 Review and test existing insurance policies against the loss scenarios
Attempt to uncover any gaps that may leave the company vulnerable. Cyber threats in the Smart Era can impact the entire loss spectrum, spanning first- and third-party tangible and financial losses. Are you covered? How might your insurers respond? Determine which cyber risks to accept, tolerate and transfer.
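Steps #1 and #2 can be carried out as a small quantitative exercise: enumerate loss scenarios with their likelihood and loss values per category, then test each scenario against the terms of the existing cyber policy to see how much loss the company would retain. The Python below is an added illustration of that exercise; it is not the author’s or HudsonCyber’s method, and every figure (scenario likelihoods, loss amounts, vessel counts, policy deductible and limits) is constructed for the example. The policy model is deliberately simplified to per-category sub-limits, one deductible and an aggregate limit.

```python
"""Cyber loss scenarios tested against an insurance policy (constructed figures)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Loss categories named in the article: first- and third-party, tangible and financial.
CATEGORIES = ("first_party_tangible", "first_party_financial", "third_party")


@dataclass
class LossScenario:
    name: str
    scope: str                      # "vessel", "office" or "fleet"
    annual_likelihood: float        # estimated probability of occurrence per year (constructed)
    losses: Dict[str, float]        # plausible loss per category in USD, per vessel or site
    vessels_affected: int = 1       # assumption: fleet scenarios scale per-vessel loss linearly

    def exposure(self) -> Dict[str, float]:
        """Total loss by category if the scenario occurs."""
        return {c: self.losses.get(c, 0.0) * self.vessels_affected for c in CATEGORIES}

    def total_exposure(self) -> float:
        return sum(self.exposure().values())

    def expected_annual_loss(self) -> float:
        """Likelihood-weighted exposure, useful for ranking scenarios and sizing budgets."""
        return self.annual_likelihood * self.total_exposure()


@dataclass
class CyberPolicy:
    """Simplified policy: per-category sub-limits, one deductible, an aggregate cap."""
    deductible: float
    sub_limits: Dict[str, float]    # category -> max payout; a missing category is excluded
    aggregate_limit: float          # cap on total payout for a single event

    def payout(self, exposure: Dict[str, float]) -> float:
        covered = 0.0
        for cat, amount in exposure.items():
            limit = self.sub_limits.get(cat)
            if limit is None:
                continue            # excluded category: nothing is recoverable
            covered += min(amount, limit)
        covered = max(0.0, covered - self.deductible)
        return min(covered, self.aggregate_limit)


def retained_loss(scenario: LossScenario, policy: CyberPolicy) -> float:
    """Loss the owner keeps after the insurer pays: what the balance sheet must absorb."""
    return scenario.total_exposure() - policy.payout(scenario.exposure())


def coverage_gaps(scenarios: List[LossScenario], policy: CyberPolicy,
                  tolerance: float) -> List[Tuple[str, float]]:
    """Scenarios whose retained loss exceeds the board's stated risk tolerance."""
    gaps = []
    for s in scenarios:
        retained = retained_loss(s, policy)
        if retained > tolerance:
            gaps.append((s.name, retained))
    return gaps


def sample_scenarios() -> List[LossScenario]:
    """Constructed scenarios: one vessel, one office, and a multi-vessel event."""
    per_vessel = {"first_party_tangible": 150_000, "first_party_financial": 400_000}
    return [
        LossScenario("Ransomware on one vessel's administrative network", "vessel", 0.10,
                     per_vessel),
        LossScenario("Shore office breach disrupts fleet management", "office", 0.05,
                     {"first_party_tangible": 300_000, "first_party_financial": 1_200_000,
                      "third_party": 500_000}),
        LossScenario("Fleet-wide malware via shared vendor update", "fleet", 0.02,
                     {**per_vessel, "third_party": 100_000}, vessels_affected=20),
    ]


def sample_policy() -> CyberPolicy:
    """Constructed policy with no third-party cover, a common gap worth testing for."""
    return CyberPolicy(deductible=100_000,
                       sub_limits={"first_party_tangible": 2_000_000,
                                   "first_party_financial": 5_000_000},
                       aggregate_limit=5_000_000)


if __name__ == "__main__":
    policy = sample_policy()
    for s in sample_scenarios():
        print(f"{s.name}: exposure {s.total_exposure():,.0f}, "
              f"expected annual loss {s.expected_annual_loss():,.0f}, "
              f"retained after insurance {retained_loss(s, policy):,.0f}")
    for name, retained in coverage_gaps(sample_scenarios(), policy, tolerance=500_000):
        print(f"GAP: {name} leaves {retained:,.0f} above tolerance")
```

Run as a script, the office scenario shows the retained loss created by the third-party exclusion, and the fleet-wide scenario shows the aggregate limit being exhausted; both exceed the constructed 500,000 tolerance, which is exactly the kind of gap step #2 asks the owner to find before deciding what to accept, tolerate or transfer.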
#3 Perform a top-down, cybersecurity capability maturity-model based evaluation
This should not be characterized as a compliance exercise with the objective being certification. Managing cyber risk is not a once-a-year activity. Shipowners must understand that cyber risk represents a chronic peril that must be continuously and proactively managed as an organizational risk. A maturity-model approach uncovers vulnerabilities and opportunities for continuous improvement.
#4 Sustain cyber risk management resources
Endeavor to sustain an appropriate balance of resources (e.g. people, processes, tools, and funding) to support continuous improvement and incident response activities that align fleet and shore-based assets. For example, ensure personnel are trained; revise contracts and vendor reporting requirements; update insurance policies to support incident reporting and recovery; and establish and maintain budgets to support a range of technical and non-technical cybersecurity investments.
The above steps are intended to help shipowners understand how to approach and manage the complexities of cyber risk, as well as to lessen the impact of an eventual stiff cyber kick in the “rear end” that all companies will eventually suffer in the Smart Era.
The views presented above are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Max J. Bobys, Vice President, HudsonCyber
Mr. Bobys draws on 24 years of experience with technology startups, enterprise risk management, and new product development, spanning such disciplines as cybersecurity and integrated physical/electronic security systems in the maritime security space. As Vice President of Global Strategies for HudsonAnalytix, Inc., a global maritime risk management firm, he currently leads the company’s cyber risk management practice: HudsonAnalytix Cyber (“HA-Cyber”), which specializes in bringing to market best-in-class cyber risk management, assessment and cyber threat information sharing solutions tailored specifically to the global maritime industry. In this capacity, he led the design and is currently leading the delivery of HA-Cyber’s first-to-market, award-winning maritime cybersecurity assessment and management platform, HACyberLogix (www.hacyberlogix.com). In addition, he works closely with HudsonTrident, the company’s security arm, in supporting maritime clients with converged and evolving cyber-physical security requirements. Mr. Bobys previously served in a variety of executive positions at such companies as Civitas Strategy Group, providing specialized advisory support to companies in the Homeland Security, Defense and Intelligence markets; as well as BAE Systems, Stanley, and Ciber, among others.
Mr. Bobys has also successfully co-founded several companies offering innovative, first-to-market capabilities in the cybersecurity space. These include, among others, Axio, a niche advisory firm specializing in measuring enterprise cyber risk and the underwriting of major cyber insurance instruments; Global Cyber Security, a provider of specialized cyber threat intelligence services; and Smart Security Group, a provider of security training and compliance management solutions for the global maritime security market. He has supported a wide range of clients, including various U.S. Federal, State and Local Government bodies, all branches of the U.S. Department of Defense, NATO, and numerous allied governments in Europe, Latin America and the Caribbean. He has spoken widely on the subject of maritime cybersecurity throughout the Americas, Europe, Africa and Asia. He currently advises the Organization of American States’ Inter-American Committee on Ports on matters of maritime cyber risk management, is the co-founder and Vice-Chair of the Maritime Technology Society’s Maritime Cybersecurity and Infrastructure Committee, and serves on the Delaware Bay Area Maritime Security Committee’s Sub-Committee on Cybersecurity.