What is cyber risk? Why does it matter to the maritime industry?

When discussing the subject of cyber risk, the majority of shipowners and senior executives are uncomfortable with the subject, typically deferring the responsibility of cybersecurity management within their organization to information technology (IT) professionals or trusted third-parties. Even more, most have received little or no awareness training on the subject, leaving both themselves and their organizations exposed, unprepared, and often unclear about the hyper-connected operating environment within which they operate.  To make matters worse, most don’t understand who might be attacking them, how they might be attacking, when they are attacking, and why they are attacking.  Often, executives are left uncertain about the cyber risk landscape.  With the above in mind, understanding the cyber threat landscape requires looking at it in various contexts and through a range of perspectives.

Further complicating matters, certain aspects of the maritime environment intensify the complexity of cyber risk management efforts. Some of these include:

  • Competitive imperatives: The shipping industry is highly competitive, with many segments performing in an environment suffering from persistently low charter party rates. Those companies remaining afloat do so with thin margins. Because cyber threats mostly manifest themselves in surreptitious, intangible fashion, most shipowners reject the notion that their organization is at risk. They therefore accept this risk without fully understanding its nature, prevalence and potential impact to their organizations.  Therefore, any investment in managing cyber risk is (mistakenly) perceived as corrosive to the organization’s financial position.
  • Cyber risk is pervasive: Many shipowners fail to understand the ubiquity of cyber threats. Cyber threats are neither limited to one’s work environment nor constrained by the fact that vessels are not “wired” while at sea. Further, successful cyber attacks against one’s personal relations (e.g., family members and friends) can be exploited to gain access to organization assets.  Lack of such awareness impedes the adoption of risk-based strategies in both our personal and professional lives. Cyber risk not only affects every business function across a shipping company, but also every aspect of an individual’s online and digital behavior.
  • Cyber risk is difficult to quantify: There is no single quantitative metric, such as value at risk, for cybersecurity, making it much harder to communicate the urgency to shipowners.
  • Difficult to change behavior:  Cybersecurity is the responsibility of everyone across a shipping organization, not just the IT department. It includes all core areas of the business, such as: information technology, security, safety, compliance, audit, finance/treasury, crewing, human resources, training, fleet management and operations, procurement, legal, marketing and communications.

As mentioned above, personal trust relationships, such as those with strategic partners and suppliers, customers, co-workers, friends, and family members, present a significant and persistent threat to organizational security – they are, in effect, a Trojan Horse. Cyber threat actors exploit such trust relationships to spoof communications, spread malware, and steal credentials in order to gain access to and compromise critical systems. Consider the following statistics[1]:

  • More than 70 percent of cyber attacks where the motive was known included a secondary victim.
  • More than 75 percent of cyber attacks spread to the secondary victim within a day
  • More than 40 percent of such cyber attacks spread to the second victim within one hour.

Maritime Cyber Risk Context

Regarding the threat actors themselves, many act individually or collaborate with organized crime, but increasingly national foreign intelligence services and/or militaries are becoming a threat. Recruitment and network has also evolved. In many countries, for example, including those in the EU, the United States, and China, there are formalized “hacking events”, which facilitate the sharing of case studies and lessons learned and provide networking opportunities. Interestingly, the US Department of Defense, in response to this rapid evolution of warfare, recently formalized the position of US Cyber Command to a combatant command, elevating the command to a peer level with other unified combatant command commanders who report directly to the Secretary of Defense.  As Pentagon spokesperson Dana White stated: “The cyber domain will define the next century of warfare…This change is noteworthy because it signifies the elevation of Cyber Command as [the country’s] tenth combatant command, acknowledging that a new war fighting domain has come of age.”[2]

But what do shipping companies have to do with US Cyber Command, or any other foreign intelligence service active in the cyber domain?  The answer is relatively simple: the shipping industry supports the global economy, facilitating more than 90% of trade, and those countries seeking to gain advantages over adversaries will search for asymmetrical vulnerabilities to exploit. With their relatively weak cybersecurity postures, shipping companies remain vulnerable to compromise and exploitation by sophisticated national intelligence organizations.  As geopolitical tensions wax and wane, and as cyber threats continue to evolve and become more sophisticated in their design and application, shipping companies must increase their cyber vigilance.

Of course, the sky is not falling and the world is not about to end, and the mentioning of the US Cyber Command’s position within the US military is not intended to scare.  Rather, it’s meant to highlight the fact that the cyber domain – a domain where over 50% of the world’s population (over 3.8 billion people)[3] enjoys some degree of access – includes intelligence services, terrorist organizations, organized crime, Facebook, Instagram, and my 12-year-old daughter and her friends. It represents a collaborative environment unlike anything that has existed before in human history. It is effectively a global common hosting every industry, country, and millions of competing business interests, both good and bad. Much of the ‘bad’ however can be characterized as cyber threats.

Shipowners – often investors, publicly traded corporations or members of multi-generational, high net worth families – are part of this decentralized hyper-networked ecosystem. Critically, they must understand and accept this new normal: that while they themselves may not be the direct target of a coordinated cyber attack, a cyber attack could be launched against the organization in an attempt to indirectly harm the clients and/or national economies it serves.  Conversely, indirect attacks, such as the NotPetya attack that ensnared Maersk in 2017, promise harsh consequences for an unprepared shipping company in a hyper-connected global operating environment where collateral damage from targeted attacks can be severe.

Is the IMO taking action?

The IMO is keenly aware of the challenge cyber risk presents to the maritime industry. In response, the Maritime Safety Committee confirmed through MSC.428 (98) that cyber risks should be managed under the ISM Code, thus requiring shipping companies to incorporate and align cyber risk management activities into their safety management systems by 1 January 2021[4].  MSC-FAL.1/Circ.3 (5 July 2017) contains the current guidelines and states:

One accepted approach is to comprehensively assess and compare an organization's current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritized cyber risk management plan. This risk-based approach will enable an organization to best apply its resources in the most effective manner.

In other words, this risk-based approach, which is non-prescriptive, is designed to encourage organizations to target investments in resources in the most effective manner. The IMO is looking for shipping companies to adopt cyber risk management best practices within the existing framework of risk management activities that shipping companies already use.  The IMO requirements highlight a holistic approach to managing cyber risk, which, because cyber threats can morph and migrate within and across an organization (which means from ship to shore and vice-versa) contemplates such activities incorporating all aspects of an organization.

The IMO guidelines reference the ISO 27001 standard, the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework, and BIMCO’s Guidelines on Cyber Security Onboard Ships. BIMCO’s guidelines also incorporate the Center for Internet Security’s Critical Controls – often referred to as the “20 Critical Controls”.  What is important and relevant to shipowners is that the 20 Critical Controls are a compilation of key lessons learned and prioritized actions derived from real-world experiences defending against and/or recovering from cyber attacks, based on a unique collaboration between government and industry. The Critical Controls periodically undergo revisions based on new findings and lessons learned.

Although the IMO’s guidelines reference various standards and guidelines, they most closely mirror the NIST Cybersecurity Framework (NIST CSF). For example, Sections 3.5.1 – 3.5.5 from the IMO documents map directly to the NIST CSF functional taxonomy of Identify, Protect, Detect, Respond, and Recover.

Where should the maritime industry start when tackling this challenge?

Once maritime transportation companies acknowledge that they must begin managing their cyber risk exposure, they are faced with the following critical questions:

  • What do we invest in first?
  • How much do we need to budget?
  • Where do we make our initial investments?
  • What are our priorities?
  • What do we purchase?
  • How can we measure the effectiveness of our investments?
  • Are our investments sustainable?

In order to appropriately answer these questions, and if they have not already done so, a good first step is for the company to perform a cybersecurity capability maturity assessment of its entire organization. This provides:

  • A structure for consistently assessing all functional areas of the business
  • A methodology that supports benchmarking and trend analysis
  • A tool for identifying strengths and weaknesses
  • A method for prioritizing investments and allocating resources
  • A mechanism for sharing knowledge.

The last question – are our investments sustainable? – represents one of the greatest challenges maritime transportation companies currently face. After the terrorist attacks of September 2001, and following the implementation of the IMO’s International Ship and Port Security Code, organizations invested in tangible, physical security solutions. Unfortunately, the cyber risk discussion challenges traditional concepts of what is and/or is not tangible.  For the majority of the 3.8 billion Internet users in the world, cyber threats are difficult to comprehend because they are not readily visible and they do not typically announce themselves.  The most insidious cyber threats attack, exploit and persist silently.  Therein lies the challenge.  Gaining insights, therefore, into where best to invest precious funding and allocate limited resources (e.g. people, processes and tools) is critical to an organization’s ability to achieve a degree of cybersecurity capability maturity that will drive sustainability.

Often shipowners ask: Nothing has happened to me, so why should I do anything?

Most maritime transportation companies have likely suffered some form of cyber attack, whether it’s a low-level ransomware incident onboard a vessel or a more damaging attack where computer systems were compromised, data manipulated, and financial fraud losses incurred. In many cases, shipping companies have been compromised by persistent attacks of which they are unaware. However, even if an organization has not suffered an attack, If nothing has happened, then the real question is not if but when an attack will occur and gauging how resilient the organization is in its ability to respond and recover.

The most effective cyber risk reduction activities depend on where an organization resides on the risk reduction curve.  Unfortunately, most organizations suffer from low cybersecurity capabilities and high cyber risk exposure. Organizations with low or no cyber risk management capabilities have very high cyber risk, and typically their initial investments should be made in technical and other controls to begin to manage this risk.  Training, also, represents a high-value add, low-cost investment, which can be realized through a range of solutions spanning awareness videos, software modules, and drills and exercises modified to incorporate cyber risk factors as a means of impacting physical risks.  As cyber risk management processes and procedures, along with cybersecurity capabilities, improve, cyber risk decreases.  As this cybersecurity capability maturation occurs, the organization might consider cyber insurance instruments as the most efficient means for transferring cyber risk off their balance sheet and protecting the organization as a whole.

Sources:

[1] Source: Think Your Security is up to Par?  Think Again!, CSO Online, TJ Trent, September 8, 2015

[2] Source: https://www.defense.gov/News/Article/Article/1511959/cybercom-to-elevate-to-combatant-command/

[3] Source: https://en.wikipedia.org/wiki/Global_Internet_usage  / ALSO SEE: https://blog.microfocus.com/how-much-data-is-created-on-the-internet-each-day/

[4] The resolution affirms that an approved Safety Management System should incorporate cyber risk management.  It also encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the shipping company's Document of Compliance after January 1, 2021.

 

Above text is an edited article of Max J. Bobys’s presentation during the 2018 SAFETY4SEA Cyber Masterclass

You may view his video presentation below

The views expressed in this article are solely those of the author and do not necessarily represent those of SAFETY4SEA and are for information sharing and discussion purposes only.


Mr. Bobys draws on 24 years of experience with technology startups, enterprise risk management, and new product development, spanning such disciplines as cybersecurity and integrated physical/electronic security systems in the maritime security space.  As Vice President of Global Strategies for HudsonAnalytix, Inc., a global maritime risk management firm, he currently leads the company’s cyber risk management practice: HudsonAnalytix Cyber (“HA-Cyber”), which specializes in bringing to market best-in-class cyber risk management, assessment and cyber threat information sharing solutions tailored specifically to the global maritime industry.  In this capacity, he led the design and is currently leading the delivery of HA-Cyber’s first-to-market, award-winning maritime cybersecurity assessment and management platform, HACyberLogix (www.hacyberlogix.com).  In addition, he works closely with HudsonTrident, the company’s security arm, in supporting maritime clients with converged and evolving cyber-physical security requirements.  Mr. Bobys previously served in a variety of executive positions at such companies as Civitas Strategy Group, providing specialized advisory support to companies in the Homeland Security, Defense and Intelligence markets; as well as BAE Systems, Stanley, and Ciber, among others.

Mr. Bobys has also successfully co-founded several companies offering innovative, first-to-market capabilities in the cybersecurity space.  These include, among others, Axio, a niche advisory firm specializing in measuring enterprise cyber risk and the underwriting major cyber insurance instruments; Global Cyber Security, a provider of specialized cyber threat intelligence services; and Smart Security Group, a provider of security training and compliance management solutions for the global maritime security market.  He has supported a wide range of clients, including various U.S. Federal, State and Local Government bodies, including all branches of the U.S. Department of Defense, NATO, and numerous allied governments in Europe, Latin America and the Caribbean.  He has spoken widely on the subject of maritime cybersecurity throughout the Americas, Europe, Africa and Asia. He currently advises the Organization of American States’ Inter-American Committee on Ports on matters of maritime cyber risk management, is the co-founder and Vice-Chair of the Maritime Technology Society’s Maritime Cybersecurity and Infrastructure Committee, and serves on the Delaware Bay Area Maritime Security Committee’s Sub-Committee on Cybersecurity.