The Evolution of Cyber Security Threats Within the Modern Shipping Environment… And How to React
At CMA Shipping 2020, Ben Densham (CTO at Nettitude) shared his thoughts on tackling cyber security threats within the modern shipping environment.
In this article we cover Densham’s points on the evolution of the cyber threat landscape, the increased focus on port security, the shift in viewpoints from the supply chain, the main drivers and key stakeholder responses.
In closing, we will look at the pragmatic specifics of preparing for and dealing with cyber security threats, as detailed by Densham, including simple tactical cyber security measures an organisation can implement now.
The Evolution of the Cyber Security Threat Landscape
In observing the threat landscape over the last 12-month period, “we cannot avoid speaking about the impact of COVID-19,” notes Densham. “Due to the restrictions which have come in place and changes in working practices there are a variety of cyber threats which continue to be significant issues, and criminals have certainly capitalized on this.”
These include:
- Surge in Attacks – an increase in malware, ransomware and phishing emails exploiting the COVID-19 crisis
- Social Distancing & Travel Restrictions – Travel restrictions, social distancing measures and economic recession are reducing companies’ abilities to sufficiently protect themselves
- Remote Workers – Vendors and OEMs are not able to visit. Working remotely means insecure home networks are being connected to allow remote work
- Interconnected Systems – Historically isolated systems are no longer segregated and IT and OT systems are being connected out of necessity
- Business Performance Impacts – Budgets are being cut and responses being diverted to other activities
Densham suggests that these threats have opened up an organisation’s attack surface and have created growing concerns around how cybersecurity events can then impact these environments. A report by Naval Dome in July 2020 noted a 400% increase in cybercrime during the pandemic, highlighting the vulnerabilities caused by new ways of working amid COVID-19. An upswing in incidents was also revealed in the 2020 Maritime Cyber Security Survey carried out by Safety at Sea and BIMCO.
“In the report 31% of organisations noted they had experienced a cyber incident in the 12 months prior to taking the survey in 2020 – versus the 22% that took the survey in 2019. Towards the end of 2020 we saw the IMO being breached and it would be interesting to see the response to that and how that will have an impact upon their own regulations and the future of their cyber recommendations and guidance,” states Densham.
Increased Focus on Port Security
We've also seen some helpful guidance coming out around ports. The European Union Agency for Cybersecurity (ENISA) have released an updated Port Security Guidance report which was developed in collaboration with several EU ports.
“This aims to help build the right capabilities within organisations to deal with cyber security threats - supporting organizations so they can deal with the tactical day-to-day efforts but to help put in place the right strategy, making sure that it's being actively worked on and developed in order to protect ports on a national level,” says Densham.
Port authorities are also taking actions to ensure that they can detect and respond to cyber events.
“Both Los Angeles and Singapore have announced advanced cyber monitoring and response centres that have been created to monitor their ports in the respective locations and many other key national port security initiatives have been started.”
Densham continues, “This is demonstrating that there is a need to build cyber maturity and resiliency within the organs of these areas. These initiatives clearly should be welcomed, followed, and embraced, and we should be able to support these developments in whatever way we can.”
Maturing Viewpoints on Supply Chains
“There's an increasing number of vendors and manufacturers (hardware and software) that are picking up engagements and work around building products that can be supported in a cyber resilient network or environment,” observes Densham.
He believes the need for new vessels, especially those adopting autonomous aspects, to be cyber resilient is increasing, and there are very active conversations around that currently.
“However, it's very apparent that many, particularly in the manufacturing and software development side of things, have virtually zero understanding of how the product should be supported once commissioned and the types of services they need to provide so that clients can maintain them in a secure manner.”
“Many operators don't have contracts or agreements in place with vendors to support with regular patches and updates or security configuration changes with the products that they have in place. And it's still very hard to find vendors who actually have a robust security program that can manage zero-day findings and vulnerabilities that can be reported to them.”
“So again, a lot of conversations for us in the last 12 months have revolved around that, and although there is a challenge there, we are seeing many organizations who are developing products, increasing their understanding of these things and building these programs into play, which is great.”
What are Key Stakeholders doing about Cyber?
“With so many stakeholders in the industry that have something to say about cyber it can get very confusing,” says Densham.
The IMO have set regulations and provided guidance documents which have been the driving force behind some of the activity, particularly the MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management and Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems, adopted by the Maritime Safety Committee. The resolution encourages all entities to ensure that cyber risks are addressed in existing safety management systems (as defined in the ISM Code) by 1 January 2021.
“National governments and industry bodies have many requirements both for the ports and shipowners within their remits,” adds Densham. These include anything from flag state requirements to Coast Guard guidelines. Industry bodies like BIMCO (The Guidelines on Cyber Security OnBoard Ships v3) and the Oil Companies International Marine Forum’s (OCIMF) Tanker Management and Self-Assessment (TMSA) programme are standards to help specific areas of the industry.
Class Societies have audits (ISM Code/ SMS and DOC/ SMC) and procedures (e.g. LR ShipRight), while the International Association of Classification Societies (IACS) consolidated its previous 12 Recommendations related to cyber resilience (Nos. 153 to 164) to publish its Recommendation on Cyber Resilience (No. 166) - a single, standalone recommendation which, “applies to the use of computer-based systems which provide control, alarm, monitoring, safety or internal communication functions which are subject to the requirements of a Classification society.”
“Finally, many owners and operators are also implementing their own cybersecurity risk management plans and procedures in line with a Ship Security Plan (SSP) as defined by the International Ship and Port Facility Security Code (ISPS).”
Industry Drivers for Marine and Offshore owners
Densham believes there are a number of different industry drivers for owners within this space and, “The impact we're seeing from COVID-19 in particular is increasing cyber-attacks and organizations are beginning to realize that they need to do more, faster and quicker.”
At the same time many organizations are going through digital transformation where they're adopting more cloud-based services, more collaboration, more connected online systems, and requiring those supply chains to be able to manage things in a much more continuous online status. Densham believes this is leading to an attack surface that is only increasing risk exposure for many.
“From a port security perspective there are increased national expectations and capabilities are being implemented,” says Densham. “Cyber regulations are maturing as insurance underwriters are improving their approaches to managing that risk and how they deal with it.”
“Operators are increasingly looking to procure cyber resilient services - particularly in the charter area – as it is beginning to become a competitive driver in situations where organizations are looking for vessels, platforms and systems that can be operated in a secure manner.”
Finally, manufacturers are building cyber security into their development lifecycles but there's still a need to focus on that operational maintenance and how to support clients who use these products on a day-to-day basis.
Densham notes that it may be tempting to go through these regulations and view them as tick boxes to obtain compliance. “But compliance does not equal security.”
“We need to make sure that we're thinking about these things from the real risk perspective and making sure they're being addressed, not just in the short term, but the long term too.”
How should you respond? Building the right approach.
In summary, Densham offers eight strategic takeaways which can help in building the right approach in tackling cyber threats.
- Be strategic and think longer term - As he mentioned earlier, “Don't just think practically and about the compliance side of it to tick the boxes or meet the minimum. We really encourage you to think about (cyber security) long term and treat it as a journey.”
- Be pragmatic in your approach - Densham admits that there are many rabbit holes and discussions that can lead you into many different areas, but stresses that it is important to always focus on the key risks and to be practical about what needs to be achieved and how risks will be managed.
- Work and look for opportunities to be collaborative and open - Many industries have seen great benefit over the last few years from sharing what they're seeing from a cyber perspective and learning from each other as they build, develop and mature.
- Focus on the supply chain - Keep your customers and business partners in mind.
- Manufacturers should be encouraged to build cyber security into their whole product life cycle - Manufacturers and vendors play a critical role in that they can be key in driving improvements within cyber security.
- Charterers should encourage pragmatic levels of cyber resiliency - They will be an important driver through the process.
- Operational technologies (OT) should not be perceived to be more complicated or different to information technologies (IT) - It’s worthwhile putting in the effort to understand OT. On a basic level, look at the practices that you deal with on a typical IT network and use some of those high-level practices on your OT too, where appropriate.
- COVID-19 is acting as an accelerator in the inevitable increase in remote connectivity, collaboration and digital transformation of the industry – “Embrace this time as an opportunity for improvements, rather than a challenge or roadblock.”
Basic tactical cyber security today
Densham suggests on a very simple level, “onboard your vessels, think about protecting those USB ports. This is often a location where malware is introduced, and by taking some very basic steps to control what's plugged in and verify that those things are free from viruses can go a long way to preventing a significant issue.”
He adds, “Perceptual email and Internet facing systems are another key area where malware and malicious programs get into your environment. So, focus protections around these areas to ensure that anything that comes in from the Internet or email is not going to have an impact upon those critical systems on board your vessel.”
Segmenting security-critical IT and OT systems is another step an organisation can take, states Densham: separating them out from crew networks or from other networks that are not essential to the safety and the operation of the vessel.
He also endorses documenting and understanding your remote access connections and critical data flows.
“You need to understand what the important things are for you, where the most important data resides, and what systems that data is living in? Once you have recognised these areas, you're focusing your efforts on where you should put your controls.”
“If you don’t do that, you tend to apply these things to the whole network and it becomes very challenging, very quickly.”
Finally, Densham notes that education and training of staff on basic cyber hygiene is key.
“Again, the frontline of many of our networks and systems is our people. Ensuring they understand the basics around how to spot malicious emails, how to deal with some of those events that can happen and are able to report incidences that do happen is key. Making sure your team is educated will go a long way to protecting your networks.”