Humans still weakest link in shipping cyber security
This year has brought an awakening for the maritime industry following the now infamous Petya ransomware attack that hit shipping giant Maersk on 27 June. The attack, which spread to IT systems around the world, destroyed the outdated belief that some in the industry seemed to hold: that being at sea somehow protected vessels’ IT systems from the cyber threat that existed on land. Recent revelations about an attack on BW Group in July show just how vulnerable shipping’s IT systems are.
Not improving current cyber-security measures opens up companies to costly delays – total lost revenue for Maersk as a result of the cyber attack is estimated at between USD200 million and USD300 million – and could shut down vital systems, such as Electronic Chart Display and Information System (ECDIS), leading to dangerous incidents.
This year’s Fairplay/BIMCO cyber security survey, taken by 284 people working in the maritime industry, explores what organisations are doing, or should be doing, to prepare their people and how they are amending their processes in an environment of escalating cyber threat. The results of the survey will be discussed in detail during a forthcoming webinar on 19 October. In the survey the responses were analysed by job level. What emerged from the crews’ answers was that, while some ground has been gained through campaigns such as Be Cyber Aware at Sea, which informs and educates crew members about how to prevent attacks, for example by not plugging in unknown USB devices or clicking on unknown email attachments, many still do not understand how their online activity can open up their organisations to attacks.
Tellingly, more than half of seafarers (55%) picked ‘our people’ as their organisation’s biggest cyber vulnerability. Nearly half of management-level respondents (41%) said the same thing. This awareness of the human factor in cyber attacks is borne out by the survey’s finding that 66% of crew had opened email attachments from strangers, behaviour that could leave ships’ IT systems vulnerable to ransomware or malware attacks, such as the Petya virus.
It is unsurprising that the most common attacks crew reported experiencing personally while on board, or within the organisation as a whole, were phishing emails and malware. Christopher Henny, senior project manager at Airbus Defence and Space, who has worked with security organisation CSO Alliance Maritime to launch an anonymous maritime cyber-crime reporting online portal, said he was not surprised at the results. “The insider is the weak link in about 80% of the cyber cases we have dealt with. Most of it [opening systems to attack] is inadvertent or careless.”
Crew blamed a lack of education as contributing to this risky behaviour, with more than 76% stating they had received no training on cyber security. Meanwhile, 36% of management-level respondents said they provided internal training programmes and 11% provided external training. Clearly there is a disconnect, or training is not always filtering down to crew.
Henny stressed training need not be complex and in most cases people would need just a two-hour web training refresher and a question-and-answer session. Jordan Wylie, founder of Be Cyber Aware at Sea, told Safety at Sea (SAS) that industry-specific training was “absolutely key to a safer and more secure shipping industry as far as cyber is concerned”. He recommended that training should be benchmarked against an international standard and updated regularly to keep up with the fast-changing “cyber-threat landscape”.
JWC International, founded by marine risk and security specialist Jordan Wylie, runs a Maritime Cyber Security Awareness (MCSA) course, which is the only programme in this field approved by UK government intelligence and security organisation GCHQ and recognised by the UK Maritime & Coastguard Agency (MCA). It can be delivered on board a vessel, at an organisation’s headquarters, or via e-learning through one of its partners. The course was designed to be easy to understand and digest, with minimal jargon, and to focus on the human factor, Wylie explained. Running security drills, much like fire or lifeboat drills, could also help prepare crew, yet only 11% of crew said they had taken part in such an exercise.
Communication from leadership is also key in preventing attacks. While 37% of seafarers said that they believed their organisation had experienced a cyber attack in the past year, a greater number (39%) said they did not know whether the organisation they work for had suffered an attack or not. Only 9% of management said they did not know.
Wylie said, “A lack of awareness means people will continue to make the same mistakes as they do not know any better.” He regularly reinforces the message that the ‘human firewall’ is the most important element in fighting cyber crime, as he believes people are both the best form of defence and any system’s biggest vulnerability.
Even simple information, such as who to report to if a crew member suspects they may have inadvertently downloaded a virus, was unknown to 53% of survey respondents. This is in spite of the fact that 62% of management respondents said their organisation had a process in place for staff and crew to report cyber crime. While companies may have an information security policy and procedures to follow if a cyber attack occurs, they are of no use if crew are not aware of them.
Henny added that it was important to keep in mind that IT departments in all companies, not just shipping, are often reluctant to advertise their “weaknesses uncovered during attacks”. This is one of the reasons CSO Alliance set up its anonymous cyber-crime reporting platform. He explained this was so that “people can learn and see that they are not alone and should not be embarrassed, and can in fact do better at prevention and response after the breach is uncovered”. Collecting data on attacks to build a ‘criminal footprint’ helps CSO Alliance to predict next steps using artificial intelligence, or to notify the industry if it spots something unusual before it spreads.
While it is positive that 49% of crew said their organisation provided awareness on cyber-security best practice for staff and crew, this still means that half of companies are not investing in cyber-security awareness. As Wylie told SAS, “There is no excuse for a lack of awareness, especially after the recent incidents that affected Maersk.” Furthermore, awareness is just the beginning of the process. The high-profile and widespread attacks both at sea and on shore this year highlight a pressing need for companies to go beyond awareness and provide practical training on what to do in an emergency situation.
Help on the web
Christopher Henny, senior project manager at Airbus Defence and Space, told SAS that CSO Alliance would soon be supplying links to a library of best practice on a new website.
“In association with professional groups like BIMCO, ICS, class and insurers, and the Be Cyber Aware at Sea campaign, it can surely make information more accessible,” said Henny. He added that Airbus intended to try out a malware analysis tool on the CSO Alliance website, so that CSO members could “drop a suspect attachment into it” and get a report on whether or not it contains known malware.