Automation, digitisation, system integration, the internet of things... the list goes on. Technology, and our use of it, is advancing at a staggering rate. The speed of this advance, and our reliance on the technology to get business done, has meant that vulnerabilities in these systems have either been ignored altogether, because of a lack of perceived risk and an "it'll never happen to me" attitude, or have simply never been considered.
I could be talking about any industry or part of the economy you can think of today.
Many industries and sectors of the economy are currently putting measures in place to improve the protection of their information and the security of their IT systems against the cyber threat. No doubt this is due in part to new legislation such as the EU GDPR and the NIS Directive.
There is one industry, however, that has been slow to respond and slow to recognise its own vulnerability to the cyber threat, and that industry is the maritime and shipping industry.
There are a number of disturbing scenarios being discussed amongst maritime organisations and in the media in general. These range from the cyber-enabled hijacking of a ship and its crew by pirates, and the "spoofing" of the Automatic Identification System (AIS) to change the reported positions of ships at sea, through to cyber-attacks similar to the one that affected Maersk shipping and cost it a reported $300 million. Superyachts are not immune either, as demonstrated by students from the University of Texas, who successfully sent a yacht off course in the Mediterranean without the crew's knowledge.
Of course, all of these things are possible given the technical expertise, planning and resources required for a determined, targeted attack. But when we read of such incidents it is easy to forget the more mundane, everyday risks that affect the maritime sector and shipping in general: the same risks that affect every other sector, in any industry and in any country, that uses technology as part of its business.
Due to a number of factors, however, the risk of cyber-attack to the shipping industry is magnified. The international shipping industry is responsible for the carriage of around 90% of world trade.
Shipping enables the global economy. Without shipping, intercontinental trade, the bulk transport of raw materials, and the import/export of food and manufactured goods on its current scale would simply not be possible.
Ships are technically sophisticated, high-value assets (larger hi-tech vessels can cost over US $200 million to build), and the operation of merchant ships generates an estimated annual income of over half a trillion US dollars in freight rates (figures courtesy of ICS).
The factors magnifying the risk include: a huge drive towards digitisation; a reduction in crewing numbers, made possible by increasing automation and a desire for completely autonomous vessels; the sheer complexity of a ship's systems; and lastly, the size and value of the ships themselves and of their cargo.
Ships have a huge number of digital systems and networked devices: navigation equipment, bridge and engine control, crane equipment, load and stability computers, bow thruster control systems, alarm monitoring, ship safety systems, power management, mooring and winch control, Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS) and more. All of these systems form part of a ship's network or networks. All of them require maintenance and patching, and all should be subject to "controls".
A survey last year by IHS Fairplay into cyber security in the maritime industry found that 34% of companies had knowingly experienced a cyber-attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents: exactly the same sorts of incidents affecting companies everywhere else.
The survey also revealed that employees had not received cyber awareness training of any kind.
34% of those questioned said that their company had no IT security policy at all, suggesting that IT security in a third of all maritime and shipping companies is either being ignored or is being handled through an unsatisfactory, ad hoc, incident-by-incident approach.
For an industry as important to global trade and prosperity as shipping, and with the immense investment required in infrastructure and operations, this disregard for cyber security is negligence on an unprecedented scale. It also leaves company executives and boards in indefensible, exposed and vulnerable positions, open to sanction and personal liability in the event of a breach for failing to implement appropriate "systems" to prevent and defend against such eventualities. That is before considering the catastrophic damage a serious cyber incident could do to the company itself or its reputation.
In line with other industries, the employee risk is a big concern. The survey showed that 47% of respondents believed that their organisation's biggest vulnerability was its staff, the "insider threat". It should also be remembered that the insider threat includes third-party suppliers, contractors and others in the supply chain who are outside the direct control of the shipping company.
Regulation / Compliance
The EU General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS) both come into force in May.
GDPR's territorial scope is global. If your company holds or processes the personal data of EU citizens, people working for EU entities or people trading with the EU, then you need to comply. Failing to do so could result in punitive fines following a breach. Under GDPR the definition of "personal data" is also much broader than you might expect, and encompasses any information that can identify a living individual.
GDPR also requires companies to report data breaches within 72 hours. Compulsory breach notification will highlight those companies not applying appropriate measures to protect the data they hold. In turn, it will also spotlight potential vulnerabilities in systems and processes, allowing the industry as a whole to take coordinated and complementary action to mitigate the vulnerabilities identified. Staff training must also feature heavily in these measures.
GDPR also obliges organisations to ensure that all those within the supply chain with data-processing responsibilities apply appropriate security measures in the collection, handling, access and destruction of data. If the processor suffers a breach, the controller could still be liable, so it is incumbent on the controller to make sure that suitable security measures, agreements and contracts are in force.
The NIS Directive, covering network and information systems across the EU, hasn't received the publicity and attention that GDPR has, and you might be forgiven for not noticing it. NIS applies to organisations working with Critical National Infrastructure and Services, including water, energy, digital infrastructure, banking, healthcare and transport.
The fines are in line with GDPR for those organisations that "fail to demonstrate" that they have sufficient "systems" in place to protect their systems and networks against cyber-attack. Think of the Maersk shipping incident costing $300 million, and then add on GDPR-sized fines.
The directive requires organisations to have an "appropriate" level of security in place to manage the cyber risk. The level of security is not mandated, but it should cover: Systems and Facilities, Incident Response, Business Continuity, Monitoring, Auditing and Testing, and Compliance.
The way to protect your company and yourselves (if you are directors), and to become compliant with the GDPR and the NIS Directive, is to implement a cyber security and resilience programme within your organisation, incorporating cyber/information security and business continuity, to provide robust, risk-based defences, appropriate preventative measures, and the tools and systems to deal with incidents when they occur.
Implementing an Information Security Management System (ISMS) within your business, aligned with international standards such as ISO 27001 for Information Security and ISO 22301 for Business Continuity, will ensure that all cyber and business resilience risks are identified and controlled appropriately, protecting you, your organisation and global trade.
Need help? Call us: ESID Consulting, tel 0844 358 2362, or email firstname.lastname@example.org
Gary is CEO and Founder of ESID Consulting, an insider threat and information security consultancy.