That’s enough theory – let’s get on with the practice
By Ian Millen, GNS Security & Intelligence Advisor
London International Shipping Week saw the publication of the latest cyber security guidance document for the maritime sector, when Lord Callanan of the UK Department for Transport (DfT) launched the ‘Cyber Security for Ships’ Code of Practice.
Commissioned by the DfT and authored by the UK’s Institution of Engineering and Technology (IET) in collaboration with the department and the UK’s Defence Science and Technology Laboratory (Dstl), the 72-page guide follows on from the 2016 publication of ‘Cyber Security for Ports and Port Systems’ and joins an ever-growing list of guidance, publications and best practice intended to help the shipping industry manage cyber-related threats.
The document is helpful enough, if ambitious in the scope of its anticipated readership, which ranges from those with direct responsibility for the protection of ships, cargo, passengers and stores to those who build, maintain, manage and insure vessels amongst others.
As a code of practice it is not a statutory document, but those it is intended to support will be expected to have knowledge of it in the event of something going badly wrong, because insurers will read every sentence to see whether a claimant has been negligent in applying the common-sense advice it contains.
Whilst the document is most applicable to those operating UK-flag ships in UK waters, primarily because of jurisdictional issues and the UK-specific supporting organisations it refers to, such as the National Cyber Security Centre (NCSC), the well-researched text and helpful checklists in the main body and appendices are no less useful to those who operate under other flags, outside UK jurisdiction and with non-British crews.
As you settle down to read the Code of Practice, you could be forgiven for thinking you have seen it somewhere before. You would be wrong: it is undoubtedly a piece of original and diligent work that covers the subject comprehensively.
However, it is unsurprisingly similar in its detailed content and risk-based approach to much that is already out there, such as the guidance published by BIMCO and other industry associations. That it exists at all is testament to the clear industry appetite for such guidance and codes of practice in the absence of regulation.
Cyber risk represents a clear and present danger to ships, cargoes, ports, passengers, livelihoods, reputations and profit margins – perhaps no differently to other business areas, but with potentially catastrophic consequences if one of the often-discussed high impact, low probability events comes to pass.
Whilst it was not evident in my reading of the 72-page document, at least one UK newspaper saw the launch of this guide as evidence of a real risk of a cruise ship being sunk by a successful cyber-attack, with the Times of London reporting ‘Cyber-attack could sink cruise ships, Government advice warns.’ The reality is that this is at the outer reaches of probability and imagination, even if theoretically possible. Far more likely is the kind of disruption we saw when Maersk suffered a cyber-attack in June this year, the cost of which could reportedly be as much as $300m.
It doesn’t have to be an attack that somehow disables navigation and other operational technology systems to disastrous effect; a simple denial of service attack to a cruise ship terminal attempting to board 3,000 hungry passengers and 6,000 pieces of luggage will cause mayhem, reputational damage and cost lots of money.
At the scary end of the risk spectrum we must, of course, reduce the probability of the high-impact events by ensuring that people, processes and technology are all addressed in the risk-based, holistic approach that this guide, and many others, recommend.
People are without doubt the greatest asset in any risk mitigation activity, but they are equally the greatest vulnerability. When unaware of the threats and untrained in the procedures that reduce cyber risk, they are more likely to inadvertently open a digital door for someone with malicious intent or, perhaps, damage a critical system via the now infamous ‘unauthorised USB in the ECDIS terminal’ scenario.
Make that same individual aware of the threats and competent in the counter-measures to neutralise them, and we have a very different situation. Whilst welcoming the latest Code of Practice, Jordan Wylie, founder of the award-winning ‘Be Cyber Aware at Sea’ campaign, believes that ‘there is a danger of information overload’ and strongly believes that the time is now right to ‘focus on implementation and practical application, firstly by training our people and crews in the various guidelines in circulation today.’
It is hard not to agree with this position. Whilst many of the documents published so far are comprehensive and informative, they cannot be all things to all people. Board members will not have time to read every page, and crew members will not get the straightforward guidance they need from a 72-page document. An eye-catching infographic wall poster in the messroom would arguably have just as much impact.
To be clear, there is absolutely a place for this latest document and for others that provide the same level of detail, but its content needs to be distilled into manageable chunks that are easy to consume and digest. That is where Be Cyber Aware At Sea has succeeded, with posters and videos aimed at transforming vulnerable, unaware and untrained crew members into vigilant anti-cyber warriors.
At the other end of the spectrum, in shipping board rooms and operational headquarters, we also need to educate those who strategise, direct and manage our ships in the fact that cyber security is not the latest fad, nor a problem for the IT department alone, but a necessary part of everyday business. Ask Maersk or, beyond the shipping industry, Equifax, which saw the value of its shares plummet on the news that hackers had accessed the personal details of its customers, including some 400,000 UK citizens.
Cyber security is a subject that should be understood and implemented ‘From the Boardroom to the Bridge’ and taken seriously if hard-pressed owners are to avoid problems ranging from disruption of operations to reputational damage, pollution, financial liability and, in extremis, loss of life.
From the short and strategic IMO guidelines on Maritime Cyber Risk Management to the detailed and dense guides that classification societies, shipping associations, the IET and others are publishing, the message is clear: cyber security needs to be incorporated into existing risk management processes and tackled in the same way as other safety and security threats.
Mike Hawthorne, CEO of Cobweb Cyber Ltd and former Commander of the UK Ministry of Defence’s Joint Forces Cyber Group, sees the problem through the stereoscopic vision of a cyber expert and former vessel captain.
He relates the new cyber issue to the maritime sector’s instinctive understanding of keeping a ship afloat, saying that ‘Watertight integrity can be breached through any untoward activity or event that allows the ingress of water into unwanted areas or compartments of a vessel. It is the individual responsibility of all employees, visitors, contractors and clients to be aware of how watertight integrity might be breached, often communicated in a ship safety brief. In the same way, the maritime sector should demand an instinctive understanding of maritime cyber security.’
To return to where I began, the publication of the IET Code of Practice is a welcome addition to the already significant volume of available guidance. It is a recognition of the need for cyber security in an industry that, in my opinion, has been slow to get to grips with the issue.
It provides good practical advice, especially on the elements of a Cyber Security Assessment and a Cyber Security Plan, although a quick flick forward to the checklists in Appendix I will save the busy reader time whilst telling them most of what they need to know. Its conceptual description of a Security Operations Centre (SOC) in Section 7 is probably many nautical miles from where the majority of the shipping industry is today.
Active monitoring of threats is available from commercial providers, and alerts are published by others such as the UK’s National Cyber Security Centre (NCSC). If you are not big enough to have your own internal cyber threat monitoring, or fortunate enough to be able to pay someone to do it for you, then taking advantage of free alerts from the NCSC, Microsoft and others is a good idea; just bear in mind that an alert feed is of little use if the attack you need warning about has already taken your internet connection down.
As I look back on London International Shipping Week and the launch of this latest document, I also reflect on the growing awareness and, sometimes, concern I’ve seen in 2017 on the issue of cyber security.
From presentations at Nor-Shipping in Oslo to the UK Chamber of Shipping in London and beyond, it appears that the maritime sector is thinking hard about a threat that has crept up on the industry and that has shown its teeth most visibly this year, both inside and outside shipping.
In light of the IMO’s recent decision (Resolution MSC.428(98)) that shipowners must address cyber risk in their safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021, the clock is ticking. Early adopters will not wait for the deadline, but will get on with Mike Hawthorne’s recommendation of making cyber security as instinctive as watertight integrity. They will also be training their crews in the basics, as advocated by Jordan Wylie and his awareness campaign.
Those that wait for the 2021 alarm call will not only face the negative impacts of non-compliance but will lay themselves open to greater risks in the meantime.
Those who continue to believe that cyber security is an IT department issue, or just another way for opportunistic suppliers to make money from fear, risk a rather rude awakening, and at a time not of their choosing.