CyberOwl CEO Daniel Ng questions whether commercial shipping is asleep at the cyber security helm, headed for hazards already overcome by more cyber-mature sectors
At CyberOwl, we have engaged with more than 50 shipowners, operators and OEMs in the last six months to gain a deeper understanding of their cyber security challenges and what measures they are taking to address them.
Overall, from our discussions, common challenges are surfacing, and it is becoming clear the maritime sector is in danger of tripping over the same stumbling blocks that other sectors, such as oil and gas, have previously encountered.
I have highlighted a few below.
1)There is still false confidence that perimeter security is good enough
Most fleets have implemented basic perimeter IT security on their vessels – commonly firewalls or antivirus software. The main assumption here is that a clear perimeter can be defined for the vessel network and therefore controlling the ingress and egress points is enough security.
However, the first step in an effective cyber security plan is to assume that the vessel systems are already compromised, and an active threat is already inside. Trust nothing.
Ultimately, a layered approach is the only realistic defence, and situational awareness or visibility must sit at its heart.
2) Vessel IT systems and operational technology (OT) systems are being treated as separate technical silos
Delineation between IT and OT is increasingly dangerous in a world accelerating into greater levels of digitalisation, integration and automation.
Sensors and telemetry are being integrated across vessels to feed in real-time intelligence about the engine and assets they are monitoring. Systems to analyse sensor data are often run on an onboard workstation and hosted on a server sitting on the vessel’s business or administration IT network. The workstations are typically Windows machines, sometimes running old versions of operating systems with known and wide-ranging vulnerabilities.
This all-too-common setup presents a whole range of attack entry points and opportunities for cyber criminals and illustrates the permeable borders between IT and OT systems.
3) Cyber security is still being dealt with as an “IT problem”, but IT directors are typically afforded limited decision-making powers and small budgets
This attitude is at odds with the direction of travel of regulation and guidance from IMO, classification societies and other bodies, which are all seeking to closely link cyber security with safety.
Outside the sector, mature critical national infrastructure organisations that must manage IT, OT and industrial IoT (IIoT) systems have already started structuring their security organisations differently, with a chief security officer given clear remit over the security of both IT and OT systems. Shipping organisations would do well to follow the example.
4) There is a naïve assumption that cyber incidents are easy to detect
The fact is that existing cyber resilience technologies and procedures on vessels are generally not good enough to provide the situational awareness and actionable intelligence that would allow a cyber security team to identify and understand a cyber attack on a vessel’s system.
FireEye research tells us the average dwell time of a cyber attack globally, across all sectors and technologies is over 170 days. This means it is taking organisations over five months to detect an attack. We would expect the shipping sector to perform below the average, given the unmitigated vulnerabilities and lack of cyber maturity within the sector.
5) Risks arising from the loss of availability of critical vessel systems are not well understood
Many of our industry partners have told us they believe that manual processes can be put in place to override any systems that have been disabled through a cyber attack and have shown a poor understanding of risks associated with loss of integrity.
One common misconception is that a disabled navigation system, like ECDIS, is of limited risk because traditional navigation tools and procedures can cover during the loss.
However, the “look out the window” strategy is clearly not full proof, as demonstrated by recent collisions.
In fact, loss of integrity of positioning data is a top concern of naval defence organisations, but commercial shipping is not yet alive to the risks.
*This is an edited version of a fuller paper uploaded to our Knowledge Bank. Download the white paper here.