The truth about maritime cyber security
Yes, you did read that correctly: there are no official records of cyber attacks in the maritime industry. None. Nada. Nee. Nein. So does that mean they don’t exist? I’m certainly not suggesting that the CEO of Templar Executives, a British cyber security firm, is wrong; sadly, he’s most likely bang on the money. But why is this the case?
The seafaring community has been bleating on about cyber risk for years, and yet not one of the many, many governing bodies or think tanks in our industry has thought, “Here’s an idea: let’s jot down how many attacks there have been, so we can see if there’s a trend and then maybe work out how to mitigate the risk using actual data.” We collect data for everything: ENC usage, bunkers, stores, route planning, the list is endless. And yet we aren’t actively recording targeted maritime cyber attacks?
Lloyd’s of London estimates that a serious cyber attack in our industry could cost the global economy $92bn, not exactly small change, is it? KNect365 undertook their regular Crew Connectivity survey last year, and the results pertaining to cyber activity were pretty damning: 49% of seafarers said that they are unaware of their employers’ cyber policies, and a significant share (41%) thought the responsibility lies with the Master of the ship. Furthermore, 47% of seafarers said they had sailed on a vessel that had become the target of a cyber attack, with a shocking 85% of the survey respondents stating that they hadn’t received any cyber training.
So let’s get this straight: nearly half of the crew that took this survey are saying that they’d fallen foul of cyber activity, and yet we’re still not recording it via official channels?
Potentially there are two reasons why no one is paying attention to these figures. The first is that if our regulatory bodies do start totting up the numbers, they’ll see that the problem is far bigger than they anticipated and that the high-level guidelines and numerous articles on cyber protection aren’t doing a damn thing. Take Marinemec’s recent article ‘Three Cornerstones for Effective Maritime Cyber Security’. It’s a great read, if you’re a CEO with an army of IT folk who can decipher all the blue-sky-thinking waffle and actually read between the lines to find the practical advice. If 85% of crews interviewed are saying they’ve never received any cyber training whatsoever, how is threat intelligence assessment going to help them when their ECDIS is riddled with malware and the comms systems have been hacked? Bet those paper charts and dividers are looking pretty attractive right about now, aren’t they?
Having been lucky enough to attend a cyber seminar last year, I came away convinced that the most effective way to reduce cyber attacks is something that is easy to do, free and, most importantly, doesn’t require a ridiculously expensive consultancy firm to do it – TALK TO YOUR CREW!! Give them the training they need to make them aware of the big no-nos: don’t put your personal USB stick into an ECDIS (yep, that has happened, more than once); make it mandatory to change passwords regularly; update your software when it tells you to, rather than just assuming the IT team will do it. These are the basics, but they work. Yes, by all means have the strategies and contingency plans in place, but that kind of work takes years to sort out. Go for the quick win and have regular conversations with your teams onboard and onshore.
As for the second reason, well, let’s call it a theory because I can’t prove it, but I strongly suspect that there is a fear culture at play. Let’s pretend Dave works onboard a tanker and wants to charge his smartphone. He’s on watch, so he uses a USB port on the ship’s computer. He doesn’t know this, but that email he opened two hours ago that looked like it was from his crewing agency was actually a trojan horse. He’s now infected the entire network with malware that could bring down the ship’s main computer. Dave, when he realises what he’s done, is going to go into a blind panic because he knows he may be sacked. So what does he do? Absolutely nothing. He removes his phone and hopes the problem will magically go away.
The aviation industry has adopted a Just Culture, meaning that if you make an honest mistake but report it, you will receive protection from punitive measures such as prosecution or dismissal. Instilling that ‘own up’ mentality means that people like Dave can go to their bosses as soon as the issue becomes apparent, and IT can work faster to fix it because they know exactly what they’re looking for. Dave might get a bollocking from his boss, but he’ll also get additional training, and the rest of the crew working for that company will be informed of how that situation came about, reducing the risk of it happening again. The crux of the matter is this: we need to tell people that it’s okay to make mistakes if we learn from them. We all make them, but pretending that it never happened and willing it to go away only makes the situation worse. Blame culture isn’t just a shipping issue, but it is particularly bad in our industry, and it is an attitude with consequences that extend beyond cyber security and into safety. If we want to really get a grip on cyber, we’ve got to start talking more and forget about the blame game.
Cyber security isn’t just a problem for the Master, or IT, or even the CEO. It’s everyone’s problem, and to solve it we need every man and woman to get onboard and start taking responsibility. It might not be new and exciting, but good old-fashioned training, continuous development and a fear-free culture are the real three cornerstones of a solid cyber strategy.