Chronis Kapalidis: 3 pillars of cyber defence strategies
It is worrying to see the shipping news talk about cyber attacks and failed defences, especially when the industry has had several 'wake-up calls'. But once the media stops reporting on cybersecurity incidents, the industry seems to fall back into its usual processes and carry on.
Experts, however, noted that although the maritime industry has become more aware of cyber risks, that has not stopped unsafe connected devices from coming on board ships.
Chronis Kapalidis, Research Fellow of the International Security Department at Chatham House and part of the Converged Security Team at HudsonAnalytix, has done extensive research into this topic, and said:
"I can tell you that initially, the industry was fairly unaware of the topic and dangers. Now, gradually, the industry is starting to come to grips with this new threat but from what I have seen and the questions that arose in my research, there are too many reasons why the industry is not focusing so much on cybersecurity. First, there are no apparent attacks on ships, the industry's most valuable assets, so they believe that the threats are not for them. Second, this is not something that is mandatory, at least not until 2021, when cybersecurity policies and training will have to be implemented, as the IMO has indicated. Hence, since the profit margins of the industry are so small, the industry focuses on what is mandatory. With ballast water regulations and the 2020 global sulphur cap coming up in 2019 and 2020, respectively, these are the priorities of shipping companies right now, while cyber comes third."
"People, infrastructure, and procedures"
Still, preparedness is key in an increasingly connected industry which is currently integrating several digital tools. With that in mind, cybersecurity should be considered during these essential changes.
"The most common features of a defence strategy would aim at developing and maintaining the organisation's cyber hygiene. This involves layered defences that are based on three pillars: people, infrastructure, and procedures", Kapalidis told us. "A company should not only adopt state-of-the-art cyber solutions and infrastructures. Shipping should use the knowledge and the strategies developed and adopted by other industries and also adopt the concept of cyber security by design. Shipping should also invest - and this is something that we really promote at Chatham House and HudsonAnalytix - in staff training to raise awareness and educate the staff on the cyber technologies and tools that have been implemented previously."
Data sharing between stakeholders in the shipping industry, whether via physical or digital channels, is an everyday occurrence, and, just like viruses, cyber threats can easily "migrate from ship to shore or vice versa".
"A holistic approach must be applied, and the procedures followed should be structured in such a way that will minimise risks of exposing the company's assets in the cyber realm. But in order for all of these measures to be effective and consistent, leadership involvement is key. It must be managed by the managing director, C-suite levels, not only by the IT department."
"Cyber threats are actual threats"
"IT departments in every single shipping company, whether it is giants like Maersk or CMA CGM or small ones, understand the problem of cyber security. The difficulty is getting the message across to the managing director and getting the necessary support. It is difficult to convince the directors that cyber threats are actual threats. This is the first obstacle IT departments face, and even if they do that, the next issue is getting investment. Big companies have the capacity to invest in something like this, but smaller ones don't. Maersk had actually been very well prepared before the incident last year. Based on their analysis, the risk was low for an attack on the element that was actually affected, so the important lesson to be learnt from Maersk is that you should be prepared and you should have a contingency plan for when the attack occurs, not if! That way, you will be in a position where you can minimise the consequences and impact of the attack on your daily operations. Maersk did that. A few weeks ago, COSCO in the US did the same."
Targeted or untargeted? Cyber security lessons learnt
Stakeholders in shipping have seen both targeted and untargeted attacks in recent years that demonstrate the need for better cyber security measures. "The best-known example of an untargeted attack is the one that occurred against Maersk. Contrary to what most people believe, the attack on the shipping giant was not a targeted one. Maersk suffered collateral damage from an attack against a sovereign state, Ukraine."
In order to understand targeted attacks, however, we should shed light on the types of actors that shipping should defend against.
"So far, examples have shown that the actors targeting the industry are primarily organised criminals. Organised crime networks have tried to gain access to financial and customer data in order to profit from misguided payments, for example, and other forms of data and cargo manipulation. The Port of Antwerp case in 2011 showed that organised criminals used data to facilitate smuggling. This fact leads us to a sad conclusion that the cyber environment can be used as a facilitator for threat actors to obtain financial gain."
Cyber hygiene and preparing for cyber threats
"Having identified threats, I believe that companies should develop and maintain a cyber hygiene, which is an effective and persistent cyber security policy. In order to achieve this, there are specific steps that need to be followed. Initially, companies should assess the risks the entire organisation is exposed to. Currently - and this is a sub-finding of our research - there are only a handful of tools in the market specifically designed for the maritime industry which assess an organisation's cyber security capability maturity, while other solutions in the industry focus on protecting the industry's most valuable assets: the ships.
"This first important step should be followed by several other actions such as more targeted vulnerability assessment, and more technical solutions like network scans, penetration tests, as well as drills and exercises. This ongoing process should be repeated periodically, for example at least every 6 months, to ensure that the company is constantly prepared to confront any new threats within the cyber realm. This is the way forward to be able to assess the company's readiness against cyber threats."