In its Phish and Ships August Edition, Be Cyber Aware at Sea presents five cyber-security lessons that the shipping sector could use to prevent future cyber incidents.
#1 Perimeter security is not good enough. Majority of fleets have implemented basic perimeter IT security on their vessels, most commonly firewalls or antivirus software. Yet, a layered approach is needed, and situational awareness or visibility needs to sit at the heart of that. As John Donald, Cyber Adviser at AXIS Capital, recently reported, organisations with a good cyber hygiene, educated users and well-configured systems are able to better-cope with attacks.
#2 Security of vessel IT systems and operational technology (OT) systems are being treated as separate technical silos. This delineation is increasingly unrealistic in a world accelerating towards digitalisation, integration of operations and automation. An increasingly common setup presents a whole range of attack entry points and vectors, opportunities for a cyber criminal.
#3 Cyber-physical security is still being dealt with as an 'IT problem', but with limited authority or decision-making on budget given to the IT Director. Specifically, CIOs, CTOs and IT Directors seem to be the ones responsible to handle a cyber attack, but they have limited authority over vessel OT systems with not much autonomy over budgets and priorities for capability investment in OT security.
Mature critical national infrastructure organisations that have to manage IT, OT and industrial IoT (IIoT) systems have started structuring their security differently, with a Chief Security Officer given clear remit over the security of both IT and OT systems.
In addition, Tore Morten Olsen, President of Marlink reported to SAFETY4SEA that cyber security is not an issue for company’s IT department only, and complete awareness of the cyber challenges for people onboard and ashore is vital.
#4 Cyber incidents are not easy to detect. The appropriate urgent responses are required. A widely supported view seemed to be for the IT or cyber security team to immediately work on containing the spread of the malware.
#5 Risks from the loss of availability of critical vessel systems are well understood. On the other hand, risks from the loss of integrity is poorly understood. So you often encounter a false sense of security that manual processes can be put in place to override any systems that have been disabled through a cyber attack. However, Penetration testing exercises have already demonstrated that vessel systems can be easily manipulated to lie to you. Loss of integrity is a top concern of defence naval organisations but the commercial shipping world is yet to be alive to the risks.