Jordan Wylie, Communications Officer, Be Cyber Aware at Sea Campaign, argues that it is time for shipping companies to prioritise cyber security in their risk registers and assign accountability for managing this risk . Mr Wylie highlights that industry needs to build on a strong cyber security culture by communicating important issues not only to IT experts but also to appropriately qualified senior executives. Cyber-attack is no longer a matter of “if” but “when” and concerns whole organization; both the senior leadership team, shore side staff and onboard crew members. ‘Be Cyber Aware at Sea Campaign’ aims to assist in raising awareness of the cyber risks and threats to international shipping, he explains.
SAFETY4SEA: There has been an increase on the smart technologies and applications which they are constantly changing the landscape of shipping industry. How vulnerable may these be to cyber-threats and how can we avoid a possible attack?
Jordan Wylie: The reliance on smart and interconnected systems will continue to grow within the industry as shipping companies strive for speed, cost reduction and maximum effeciency. Today’s onboard Operational Technology (OT) and Information Technology (IT) systems are becoming increasingly connected like never before, this hyper-connectivity greatly increases the risk of critical systems such as safety, propulsion, or navigation being exposed to internet-based and insider cyber-threats. Additionally, shipping companies and their vessels are not immune to the relentless cyber-criminal threat, seeking financial rewards as well as sensitive company or employee information by using common social engineering techniques such as phishing, business email compromise (BEC), and other basic scams. Whilst certainly not as catastrophic as the loss of a ship’s navigation systems, the loss of money and/or critical information can have a significant financial, legal, and reputational impact on the shipowner, manger or charterer.
Avoidance of a possible attack on either IT or OT systems from either an internet-based or insider threat starts with companies understanding the threat; understanding their IT and OT environments and how they’re connected; assessing where those environments could be exposed to the threat; and then managing that exposure. Shipping companies need to recognise and prioritise cyber security in their risk registers and assign accountability for managing this risk to appropriately qualified senior executives. This is NOT an IT issue, as I am often told by senior executives, CSO’s/DPA’s and onboard senior officers.
S4S: How would you assess the levels of maritime cyber security awareness in the industry? Are the existing cyber security practices considered sufficient to prevent cyber threats and attacks? What does the industry need to build cyber security awareness?
J.W.: Cyber security awareness across most industries globally is still relatively poor but it is particularly lacking in the shipping industry, as part of my own Masters Degree in Maritime Security I spent a significant amount of time exploring this area, the findings after extensive research, interviewing and questioning was the catalyst for the launch of ‘Be Cyber Aware At Sea’. Organisations’ employees remain one of their biggest cyber security vulnerabilities due to a lack of understanding and awareness of the risk. Instead of using highly technical and time consuming hacking methods to breach a company’s systems, cyber criminals often prefer to target the employees themselves who are considered the “soft target” in order to get access to information and systems.
As discussed before, a key first step to building a strong cyber security awareness culture in any organisation is for the executive management team to recognise the risk and provide all necessary support to effectively develop and promote an awareness culture. Education for both the senior leadership team, shore side staff and onboard crew members is key to raising awareness of the developing cyber security risk – but this needs to be a constant process, not a once off box-ticking exercise. Company executives, heads of IT departments, CSO’s and SSO’s onboard should be regularly communicating the cyber security message across the organisation with the help of awareness courses, awareness campaigns, and regular testing. Heightened awareness will greatly improve a company’s ability to effectively manage the cyber security risk, when at sea and onshore.
S4S: Tell us a few words about the ‘Be Cyber at Sea’ campaign. What are its goals/aspirations and feedback received so far across the industry?
J.W.: The ‘Be Cyber Aware At Sea’ campaign is a completely free not for profit initiative to help raise awareness of the cyber risks and threats to international shipping. Our main objectives are to ‘inform’ and ‘educate’ in order to increase awareness and understanding. After spending 2 years researching what shipowners understand about cyber security risks and how they managed those risks, it was clear there as a lot of work to be done to ensure this issue is taken seriously and I felt an innovative messaging campaign and suite of free resources was the best way to do this. I hope I can make a significant contribution to the international shipping and offshore sectors by simplifying a subject that is often considered too technical and complex for most people. I have been overwhelmed by the support and traction the campaign has gained to date worldwide and I am delighted that some of the biggest names in shipping from all sectors such as Teekay, Inmarsat, North & Standard P & I Clubs, P & O Ferries, Navarino, Holman Fenwick Willan marine lawyers and even the British Royal Navy have come onboard (excuse the pun) to name just a few.
S4S: What is your key message to the industry regarding cyber security? What do you think should be the industry’s priority to move forward?
J.W.: Unfortunately, with the rate of new malicious software (viruses) and attack methods being discovered every day, a data breach or cyber-attack is no longer a matter of “if” but “when”. The business, financial and reputational impact experienced by a company resulting from an attack will be completely dependent on the measures they implement today to adequately manage the risk. Key control measures include awareness and education, vulnerability management and cyber insurance. This needs to be an issue that is understand and managed from the boardroom all the way through to the depths of the engine room onboard. My final message would be to highlight that ‘online is quickly becoming the new frontline’ and fortune favours the cyber prepared!
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
Don’t miss 2017 SMART4SEA Conference & Awards on January 31st, where Jordan Wylie, Communications Officer, Be Cyber Aware at Sea Campaign will speak about the initiative. For more information or to show your support, please visit www.becyberawareatsea.com
[divider]
Jordan Wylie, Communications Officer, Be Cyber Aware at Sea Campaign
Jordan Wylie is an experienced maritime security and risk management professional whose career started with 10 years’ service in the British Military as an intelligence and reconnaissance specialist, before entering the private maritime security sector in 2008. Jordan has provided maritime security consultancy services to many of the world’s largest ship owners and is a retained consultant by several flag states, providing guidance on piracy, terrorism, organised crime at sea and the maritime cyber security approach. Jordan has trained over 10,000 seafarers globally and also completed over 100 missions on board as a security team leader during the height of Somali based piracy. Jordan holds a BA (Hons) in Marine Risk Management and an MA in Maritime Security where his much talked about thesis subject was; ‘Cyber Security; The Unknown Threat At Sea’, which was also the catalyst for the free to join global maritime and offshore cyber awareness campaign that he and his team are driving throughout the shipping industry – BE CYBER AWARE AT SEA www.becyberawareatsea.com Jordan is the founder of JWC International, a specialist marine consultancy provider, the President of the Security & Risk Management Alumni and a Non-Executive Director at the Company Security Officers (CSO) Alliance.