How to avoid being seen as low-hanging cyber fruit
The key is to understand how the business is structured; best practice in one organisation won’t be right for another
BUSINESS leaders throughout the maritime sector have stepped up their search for advice, both internally and externally, about ways to protect their systems following the NotPetya attack on the world’s largest liner company in July. Maersk acknowledged that the attack resulted in a revenue hit of up to $300m.
In a webinar conversation in September with Lloyd’s List chief correspondent Richard Clayton, Ince & Co partner Rory Macfarlane in Hong Kong and John Boles, director of global legal technology solutions at Washington DC-headquartered Navigant, underlined that cyber response has risen to the top of the list of urgent maritime issues.
There are two types of company, said Mr Boles, recalling his time at the US Federal Bureau of Investigation. “Those that have been breached [by a cyber attack], and those that don’t know it yet.”
Many owners and operators still do not fully appreciate the risk an attack poses, Mr Macfarlane said. “I think [the International Maritime Organization's] decision to include cyber security in the ISM onboard safety management code is to be welcomed. However, shipowners should not wait until 2021 to implement an appropriate cyber security protocol. Just because IMO has given a little leeway doesn’t mean we should take that time.” Any delay exposed businesses to increased risk, he warned. “Cyber criminals will see you as low-hanging fruit.”
Both speakers recognised there are two aspects to cyber risk: increased connectivity now linking ship with shore, and intra-business connectivity involving companies providing contracted services: charterers, freight forwarders, agents, loading and discharge ports. “All these people are talking to one another. Although your system might be well protected, someone in your network might not take the same proactive approach,” Mr Macfarlane observed.
Management buy-in is critical to the success of cyber security; without it, a company’s employees will be slower to comply. At one level, said Mr Boles, cyber security involves training personnel at ground level. “People in accounting teams are not only moving digits, they are working with data and information, which is attractive to crooks.”
Managers must be fully involved because the security process requires investment, which in some cases can be expensive.
That might include a board-level adviser, perhaps a cyber security officer working alongside the chief security officer, which gives cyber security a voice on the board. The UK Department for Transport cyber security code of practice refers to the need to have a cyber security officer, Mr Macfarlane said. “It’s about having someone at a high enough level to co-ordinate resources required to maintain effective security.”
It is unlikely there will be one person in-house with all the skillsets a company needs: the right external and internal resources, adequate IT assistance, a training schedule, and being fully updated on current threats. The key is to understand how the specific business is structured, because best practice in one organisation won’t be the right practice for another.
“It’s wrong to believe you can just hire in all the necessary expertise,” Mr Macfarlane noted. In fact, there’s a very small talent pool. Mr Boles has seen that “everybody is looking for the same individuals: government, private and public businesses, even the Silicon Valley types. My advice is to recognise that IT and cyber security skills are different. Cyber involves looking at defence, keeping the bad guys out and working out how to respond when they get in; whereas IT people are trying to keep the company rolling.” He recommended a small cyber security group alongside the IT team.
Asked by a listener how a company might determine whether it had been hacked, Mr Boles responded that the first sign is often an employee noticing that office email accounts have been breached or compromised. Employees should know the network, find out who has access to data, and ask, for example, why a server that usually handles training data is now handling human resource information. On a technical level, there are software tools available to monitor suspicious traffic. This isn’t always effective, as “there are a number of clients out there who have systems in place but they are not correctly configured. Security systems might be turned down so low that they don’t flag at all. Be aware of what’s going on,” he cautioned.
A ship’s vulnerability scales with its level of connectivity, said Mr Macfarlane. “While the fully autonomous ship has yet to arrive, the cyber ship is already here. Communications systems include wireless networks, bridge systems connected to the shore, and AIS. If your ship is heading for a port not currently in the Ecdis system, you’ll need to contact the supplier to get a fresh chart. What happens if the supplier has been hacked?”
Monitoring and evaluating emissions and ballast water output will rely on systems connected to shore. Smart containers, cargo management systems, crew welfare systems, and internal WiFi: in our striving for greater efficiency, ships are being opened to potential threats.
Another listener asked how cyber security training should be built into seafarer courses. It all begins with basic information security training, Mr Boles answered: teaching crews how to recognise a phishing email, why there’s a risk in opening links in unsolicited emails, and which areas of a ship to avoid to minimise suspicious behaviour. The trick is to maintain this level of awareness, and to educate seafarers that their actions affect the overall health of the ship and the company itself.
Mr Macfarlane agreed, adding that drilling was important. “We drill for an engine room fire and should do so for a cyber attack on a ship. Drill into your seafarers the response if the bridge loses control over propulsion. The first time you deal with these protocols should not be when you are under attack,” he said.
The conversation concluded with how a law firm might best advise clients on best practice. Lawyers should be part of a team of external specialists available to make sure shipowners and operators are adequately protected, said Mr Macfarlane. “[Ince] recognises our expertise only goes so far. To properly serve our clients we need to bring in additional skills that we don’t have.”
Companies should undergo a cyber health check. This reviews existing protocols and response plans, establishes how the business is structured and where the key assets are situated, and checks whether insurance policies adequately cover data loss and cyber loss. All contracts should be studied to see where responsibility would lie in, say, a fake invoice scam.
In addition, Mr Boles looks at access to data, and vulnerability to threats both ashore and on board. “We help to build a layered defence out from there. There is no silver bullet to cyber security. Work out what you can’t live without, and identify the necessary level of protection around that. Remember,” he concluded, “security not used is not security at all.”