SAFETY4SEA: What are the challenges for the maritime industry in the forthcoming years with regards to cybersecurity?
Cynthia Hudson: A key challenge is first for top management to understand the permanent and serious nature of cyber-risk and then to determine how to properly and immediately address this new reality.
The myriad challenges that follow from this include delivering education and awareness at top management level, identifying the needed cyber-security support resources during a global shortage of skilled cybersecurity personnel, and the finding the willingness to commit scarce company financial resources within the current depressed market conditions.
Senior shipping executives, once educated, must overcome their inertia—caused by awaiting new regulations, budget considerations and deficient internal resources—and take action to effect organizational change. The misapprehension that this is an IT problem or solely a shipboard operational technology problem, or that there is one effective solution to be purchased, or that a certificate is all that is needed leads the shipping company down a ‘slippery slope’ where real cyber maturity is sacrificed for expediency, potentially leaving the organization unprotected and unprepared for cyber incidents.
Managing cyber risk begins at the top and includes everyone in the company. From there, the company must appropriately task senior personnel, define responsibilities, and grant requisite authority for them to execute an agreed, prioritized plan across critical domains of cyber-security. Key priorities include but are not limited to: 1) developing awareness among shipowners, boards of directors and executive leaders; 2) getting organized for managing cyber risk across a shipping company’s entire enterprise; and 3) accepting the fact that cyber threats equally affect (and exploit) shore based and shipboard operating environments – that cyber risk cannot be viewed and managed on a vessel-by-vessel basis.
S4S: In your view, do the gaps in insurance cover expose maritime industry to cyber risks?
C.H.:The short answer is yes. While there do exist standard policies that offer baseline cyber breach and incident response coverage, larger policies remain elusive, especially where larger policies are required for first and third party business interruption covering the entire business.
As insurance companies design and release new types of cyber-specific insurance instruments, along with families of insurance instruments, shipping companies will be required to demonstrate ever greater levels of cybersecurity capability. In order to accomplish this, shipping companies will have to assess their organizational cybersecurity capabilities – thus, establishing a baseline – and then perform recurring assessments in order to demonstrate reasonable standard of care in managing cyber risks. Companies that incorporate cyber risk management best practices – that is, the controls, processes and procedures to manage such risks – into existing management of change activities will be best positioned to benefit from new and evolving cyber risk transfer instruments.
Cyber attack figures are definitely under-reported. Information sharing is critical to managing cyber risks.
S4S: Do you believe that the current regulatory framework is satisfactory to mitigate cyber risks?
C.H.: To be clear, regulations on their own, even when fully adhered to, do not mitigate cyber risks. Regulations in the global market continue to evolve and come into force, affecting shipping companies in different ways. While the IMO’s Maritime Cyber Risk Management framework affects all shipping companies, other regimes also play a role, such as the EU’s GDPR, which target privacy protections for EU citizens. Regulatory frameworks drive compliance, which typically drive periodic compliance-assessments.
Inevitably, these assume a checklist-type activity. Adequate cyber risk management efforts cannot be driven alone by regulations. Effective cyber risk management activities must be performed on a continuous basis across all aspects of an organization. Shipping companies must implement and sustain cyber risk management controls, processes and procedures across both shore-based and shipboard operating environments.
S4S: What is the overall situation with respect to cyber attack figures?
C.H.: Cyber attack figures are definitely under-reported. In December 2016, the US Coast Guard has issued its policy addressing the reporting of suspicious activity and breaches of security, which applies to all vessels and marine facilities subject to the US MTSA regulations. Specifically, where cyber-based attacks may result in transportation security incidents, such attacks must be reported to the NRC and/or the DHS NCCIC. Clear definitions of what characterizes a cyber attack are provided to assist mariners in their understanding of what must be reported.
More broadly speaking, information sharing is critical to managing cyber risks. In most cases, mariners face a range of common threats that can affect shipping companies, and facilitation of information sharing in a non-attributable fashion is critical to helping shipping companies take more proactive steps to better understand the existing cyber threat landscape that they currently operate within. Moreover, cyber threat reporting should be expanded to include identification of mitigation steps and recommendations that can be more broadly shared across the industry. Participation would benefit the industry overall. Regulations, yes, can drive this.
S4S: What are the lessons to be learned from other industries with respect to response to cyber risks?
C.H.: Organize. Organize. Organize. Companies must re-structure their organizations to address the cyber threat landscape. Industries such as the finance, defense, aerospace, and power have embraced the role of a Chief Information Security Officer, or “CISO”. CISOs are assigned the responsibility of managing cyber risk in their organizations; are granted the appropriate authorities to perform their job in this role, and are endowed with a direct line of reporting to CEOs, owners and boards. More importantly, the responsibility of managing cyber risk has been elevated above the Information Technology department.
Another key lesson-learned is the establishment of effective information sharing capabilities, which have been successfully implemented for the benefit of entire industries. For example, the financial services industry has been battling cyber attacks longer than most. Establishment of the Financial Services Information Sharing and Analysis Center (FS-ISAC) has delivered real benefits to FS-ISAC participants.
No company is immune from cyber attack
S4S: What is your key message to stakeholders for a change in the perception from cyber security to cyber resilience within the organizations in the maritime industry?
C.H.: No company is immune from cyber attack. Moreover, cybersecurity cannot be implemented on a ship-by-ship basis. Managing cyber risk requires a holistic, enterprise approach that begins at the top. One mistake that we see over and over again is the perception of shipowners that individual vessels can be ‘protected’ and made ‘cyber-secure’ without consideration for the rest of the organization. This is a myth. In an industry that is heavily regulated there is a natural tendency to gravitate towards a compliance-based approach – one that advocates for annual checklist – like activities. Shipping companies with senior leaders who adopt this approach are not going to be prepared.
To achieve and sustain a cyber resilient capability state requires cultural change within an organization. Accomplishing this requires training of everyone inside the organization – from owners, boards and executives, to secretaries, deck officers and crew. As an enterprise-level risk, cyber threats can be managed, and the good news is that shipping companies are, more than other industries, well positioned to institutionalize cybersecurity best practices by incorporating cyber risk management controls, processes and procedures into the wide range of day-to-day activities that already occur.
SAFETY4SEA Team met Mrs. Hudson during Posidonia 2018 for an exclusive interview on cyber security challenges for the maritime industry.
The views expressed in this article are solely those of the author and do not necessarily represent those of SAFETY4SEA and are for information sharing and discussion purposes only.
Cynthia Hudson, CEO, Hudson Analytix
Cynthia A. Hudson is CEO and founder of HudsonAnalytix, Inc., a global maritime risk consultancy serving the maritime transportation sector, headquartered in the Philadelphia, US and internationally from Piraeus to Jakarta. In 1986, Ms. Hudson founded what became HudsonAnalytix to provide emergency response, maritime project management and maritime consulting services to maritime transportation interests; oil and energy, vessel owners/operators and insurers for more than 100 oil and hazardous material response incidents. Hudson led the firm into maritime security for ports and vessels providing port vulnerability security assessment work at hundreds of ports and facilities worldwide and in 2016 expanded HudsonAnalytix’s cyber operations to design and deliver cybersecurity and cyber risk management solutions to maritime clients and provide cybersecurity expertise to governmental agencies. Well-known and highly regarded throughout the maritime transportation industry for her work and contributions in her field, Ms. Hudson was most recently honored by the Organization of American States (OAS) Inter-American Committee on Ports with the 2016 Maritime Award of the Americas: Outstanding Women in the Maritime and Port. Ms. Hudson serves on a number of Industry Boards, and is President of WISTA Delaware River & Bay Chapter and a Director of the North American Marine Environment Protection Association (NAMEPA).