Cybersecurity is a collective responsibility
In the maritime world where time is money, cybersecurity is no laughing matter. Moving a single container, tanker or bulk shipment can involve a multitude of cargo owners, shipping lines, ports, land transportation companies and customs authorities. This complex supply chain relies heavily on essential cybertechnologies to manage numerous systems and processes, both ashore and at sea.
It only takes one breach to leave a company reeling financially from the resulting downtime or scurrying to do damage control to lessen any potential blow to its reputation. Protecting marine interests from cybersecurity threats must therefore be a collective responsibility.
“Cybersecurity threats will grow, there is no doubt about it. Cybersecurity is not an IT (information technology) issue. Rather, it is an organisational and structural issue to tackle,” stated President of the Caribbean Shipping Association (CSA), Juan Carlos Croston.
The delicate balance between operational technologies and connectivity leaves the shipping industry vulnerable to cyberattacks and risks. Interference with ships’ Global Positioning System signals, ransomware, cyber-enabled smuggling and theft, and cyber-enabled fraud are just some of the many breaches that can wreak havoc on the industry. The average downtime after a breach ranges from six days to well over two weeks.
With this framework in mind, and faced with the realities of adapting to a work-from-home culture as a result of the novel coronavirus, the CSA partnered with international marine business risk solution company HudsonAnalytix for a virtual deep dive into the effects of the pandemic on the security of shipping operations, while providing proactive solutions for shoring up processes for all stakeholders.
The virtual discussion, fittingly dubbed ‘Securing shipping during the pandemic’, was the first in a two-part series ‘COVID-19: Securing Operations in an era of uncertainty’ and featured presentations by Chronis Kapalidis, cybersecurity practice lead, Europe, Middle East and Africa at HudsonAnalytix, and Chris Bhatt, global sales director at Aon. Andrew Baskin, vice-president of global policy and trade, HudsonAnalytix, moderated the session.
As the discussions delved into how the pandemic has introduced risks in the digital domain, it was revealed that our inherent desire to connect with other people may be fuelling an increase in malicious cyberattacks. There has been a 400 per cent increase in cyberattacks since the start of the pandemic.
“Do I think we [humans] are the weakest link? No. We are the primary attack vector. That is because our mobile smartphones ‘know’ all about us ... all of our credentials, bank details, even our hobbies. Everything we do daily is there,” expressed Kapalidis.
He went further, “Nowadays, working mainly remotely, we check on work emails, and we even access work files through our phones. That gives easy access to hackers who want to penetrate corporate systems through our personal devices.”
Data gathered by HudsonAnalytix indicate that 65 per cent of employees had not received training on working from home, 25 per cent were using devices that were not updated, 23 per cent were using unauthorised devices, and a further 10 per cent were sharing devices with family members.
From a regulatory standpoint, currently there is no mandatory framework in place. However, the International Maritime Organization (IMO) is seeking to change the cybersecurity paradigm in the maritime space with its IMO Resolution MSC.428(98).
Under this regulatory framework, IMO member states are encouraged to ensure that cyber risks are addressed in safety management systems no later than the first annual verification after January 1, 2021, of a company’s document of compliance, which will then have to include a chapter on cybersecurity.
ALL IS NOT LOST
Cyber insurance plays a key role in mitigation measures applied by most companies to address cyber risk. While it is difficult to protect against all cyber incidents, it is important for companies to have the capabilities to respond and recover as early as possible. This can be achieved by investing in sustainable cyber capabilities and insurance. Marine interests must put measures in place to protect what they care about.
According to Bhatt, “Cyber insurance will not instantly solve all your cybersecurity issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect their interests.
“Perhaps it does make sense to transfer a portion to the cyber insurance market, but maybe an alternative risk-retention or self-insurance financing strategy is warranted,” he opined.
For organisations that have just started to test the waters in shoring up their cybersecurity processes, Kapalidis shared this advice, “I think that shipping companies should start with a mentality that cyber is just another business risk. To start, shipping companies should review their asset registry and see which of those assets have a software component and may be vulnerable to an attack. Review all processes as well as the company’s ship security plan or security assessment, and try to see where cyber integration is possible.”
He continued, “Train your staff to have an awareness of cyber threats and breaches so that they may be able to identify what a malicious email looks like. Training them to use new equipment and software-enabled systems is another important part of impeding cyber-security risk.”
E-platforms, advanced analytics, artificial intelligence, blockchain, cybersecurity, autonomous vessels and robotics emerged as some of the digital trends transforming shipping.