During the SAFETY4SEA Hamburg Forum, Chronis Kapalidis, Cyber Expert, HudsonAnalytix, referred to myths behind cyber security. He stressed that the narrative about cybersecurity, when talking to industry stakeholders should focus on cyber risk and cyber resilience instead of cybersecurity, because in the shipping sector, senior managers are cautious when talking about security, since in their mind, security requirements may affect business productivity.
According to the World Economic Forum Report 2018, cyber-attacks are the first non-natural threat in terms of likelihood to occur, globally. It is not criminal acts, it is not terrorism, but it is the cyber-attacks. And this is only going to get worse because of our rising cyber dependency.
More or less, everything that we do nowadays, both in our personal and professional lives has some sort of software component. So, our rising dependency is there, and it is only going to introduce more threats in our business everyday activities.
What should be understood is that cyber is a multi-complexed set of subdomains. It is not only penetration testing, it is not only the risk management part, but is also the legal side, the educational side, the threat intelligence and so many other different components when we talk about cyber security. It is impossible for one single entity to deal with all of them at once and effectively.
So what about cyber security and shipping? In this case we have to understand that there are two components:
The first is the IT (Information Technology): IT is primarily about protecting our data. It is very important because all the financial transactions are conducted by our IT equipment, but it is mainly data that is at stake. When you are trying to protect your shore side, IT is not very different from any other organization in any industry.
The differentiator for the shipping industry is the Operational Technology part: These are all the systems you have onboard your ships and these are the systems that make your ship run. They are important because they have additional elements in there: They have the effectiveness, trustworthiness and safety of the systems. So for any operational system installed onboard a ship, you must know it is effective, it will continue its operation no matter what the disruption, but also, it will keep the safety and security of the operations of the ship.
The other important element which makes the protection of the OT Systems a bit blurry is the rare system updates. We talk with a lot of shipping companies about how they protect their ships and some of them told us they still use Windows XP or Windows NT on their engine control systems. I told them “What do you do about this?” And they said they talk to their vendors to upgrade these obsolete systems. The vendors need to know when the ship is in a port, they go onboard the ship and need the ship for three days to do the upgrade and then ‘you are good to go’. How many of the operators have the luxury of leaving the ship standing on a port for three days? So you can understand there is an oxymoron there. There are ways of bypassing this when the ship is drydocking, when you build a new ship, but there are issues that need to be tackled and that is what makes operational technology protection difficult.
And of course we are talking a lot today about digitalization and the new trends that are coming into place, artificial intelligence, autonomous ships, blockchain: All of these have a cyber component in them. So when you try to adopt these new technologies, you should take into consideration how they are protected from the cyber security side.
We get asked a lot of times: “Is the industry actually a target?” I can tell you that the industry is a target. It has been a target for several years now: Maersk, COSCO, but I am going to focus on one specific case. From 2010 to 2011, a Greek shipping company suffered the most successful pirate attacks in the Gulf of Aden, Somalia. That shipping company tried to identify what happened. They were able to spot they were penetrated by hackers who were paid by pirates in order to gain access to the company’s ship routing plans in order to identify the vulnerable ships and the time of passage through the vulnerable high-risk area. The hackers were able to do that via Wi-Fi light bulbs.
The company in Greece upgraded their offices, they installed new Wi-Fi light bulbs, because they wanted to have the latest gadget, but they never bothered to change the default username and password, and we talked a lot about the Internet of Things. So the hackers were able to gain access into that company’s systems through the Wi-Fi light bulbs. This is the threat and it is out there.
However, there are sceptics who think ‘Ships specifically are not targets.’ Well the answer is here: The US Coast Guard issued a warning that hackers have introduced a malware which is designed to disrupt shipboard computer systems. So you can see, hackers are targeting the shipping industry and they are targeting operational technology systems onboard ships.
Findings of a research I conducted when I was at a Research Institute in London, illustrated the vulnerabilities, the consequences and the affected fields of a potential cyber incident onboard ships. In our research, we broke down the ship components into 18 sub-components and we looked at the vulnerabilities of these sub-components against a cyber incident. We looked at the consequences and at the affected fields: What would happen on the ship itself if a cyber incident occurred.
The important realization from this is that right now ship systems are not as vulnerable as someone may think. This more or less implements what ship owners are saying: that “our systems are not very vulnerable”. But the worrying element is the vulnerability part, which will only get worse because of the increased adoption of digitalization over the years. The more digital systems you have, the bigger the vulnerability part will be.
The other thing I want you to keep in mind at ships, is the affected fields: data, environment, human and physical. Out of the 18 sub-components, 16 of them have a physical consequence. So if a cyber breach occurs in one of these 16 sub-components, there will be a physical consequence for your ship. Your ship may run aground, may have no propulsion, may have no navigation, it can even cause incidents that affect your crew on board. Hence, we have to understand that cyber security is not only about protecting data but when we talk about ships, it is also about protecting the ship itself.
The IMO has introduced a guideline that, as of January 2021, cyber risk management measures should become part of your SMS. The IMO is changing the narrative and is not only talking about cyber security, it is talking about cyber risk. And this is important to understand it because when we talk about cyber security, it is not a matter of if you will be attacked but when. In order to deal with that, you should have a risk management approach on it and this what the IMO is introducing.
This of course is already in place with TMSA 3. All tanker operators have specific elements that require cyber security policies, so the regulation is there, it is coming, and it will become mandatory as of January 2021.
For us to explain cyber risk to our clients, we need to explain it in a way of risk-to-money metaphor. So what is the ROI of investing in cyber security? But in order to do that, we should understand who owns the risk. There is a very simple answer: It is everyone within an organization. Everyone has a specific role to play when it comes to cyber risk. It starts from the top and it goes down to the last operator, the last user, the receptionist, within the company itself. Within that context, the maturity security model is an ongoing process in order to improve your cyber posture.
What are the next steps? We have seen from my engagement within the industry that the insurance market is very much interested in cyber security. The insurance industry is picking up on this new challenge. And as I said before, cyber threat intelligence is the new add-on that is coming into the arena of cyber security. Organizations are trying to identify what are the critical components and critical aspects from the shore side and the ship side and this is a way of dealing with it.
To sum up, I think it is time for all of you to start taking cyber security more seriously.
Above text is an edited version of Mr. Kapalidis’ presentation during the 2019 SAFETY4SEA Hamburg Forum.
View his presentation herebelow
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Chronis Kapalidis, Cyber Expert, Hudson Analytix
Chronis Kapalidis is the European Representative of Hudson Analytix, promoting the company’s synergies in Europe on issues related to security, both physical and cyber. He recently concluded a fellowship at the International Security Department, Chatham House, on maritime cybersecurity, where he now stands as Academy Associate. He also stands as visiting research fellow at the Dartmouth Centre for Seapower and Strategy at Plymouth University, and as a board member in several academic and scientific bodies.
Chronis was an officer at the Hellenic Navy for 20 years. He was specialised on operations, communications, intelligence and IT infrastructure, while participating in several NATO, EU and UN operations. His research interests include cybersecurity, defence studies, international and maritime security.
He has published widely for Foreign Affairs, Chatham House, International Affairs, the Academy for Strategic Analyses, has been interviewed by The New York Times, the Independent and The Wall Street Journal and has participated in several maritime and cybersecurity related conferences and forums. Chronis has competed several projects at Chatham House on Cybersecurity for Critical National Infrastructure, in general, and the maritime sector specifically. He recently created the first digital learning course on maritime cybersecurity for Lloyd’s Maritime Academy.
He is currently based at the University of Warwick, where he is pursuing his doctoral degree on cyber risk quantification for the maritime sector. He holds an MA in International Relations and Global Security from Plymouth University, a PGCert in Defence Management and Leadership from the Hellenic Naval War College and BSc in Naval Warfare from the Hellenic Naval Academy, along with several professional certificates.