ICS webinar – what are the cybersecurity risks?

Jul 23 2021


An ICS maritime cybersecurity webinar discussed the importance of managing cybersecurity the same as we manage other maritime risks, the problems of insurers excluding cyber risks, and what the biggest risks actually are.

A webinar on maritime cybersecurity organised by the International Chamber of Shipping (ICS) on Feb 10 discussed the importance of seeing cybersecurity as a risk management problem rather than a threat, the problem of insurance companies excluding cover, the role of people in preventing or causing attacks, and what the risk actually is.

 

Espen Poulsson, chair of ICS, said in his introduction that cybersecurity is relatively new to the industry, although many people know about the attacks on Maersk and CMA CGM, and have become worried about it.

 

Chronis Kapalidis

Cybersecurity expert Chronis Kapalidis said that many people struggle at the first step, understanding what cybersecurity actually is.

 

He suggested this working definition: “cybersecurity is the implementation of specific technologies, procedures and controls in order to protect information, data and infrastructure that is based on computer enabled devices or software enabled devices, from any external threats.”

 

This can include technology both in the office and onboard the ship, if it has a software component and is vulnerable to a cyber incident.

 

Mr Kapalidis is an Associate at the International Security Department with UK think tank Chatham House, and a former naval officer with the Hellenic Navy. He is also a senior advisor to cybersecurity company HudsonAnalytix.

 

When hacks happen, Mr Kapalidis prefers the term ‘cyber incident’ to ‘cyber attack’, because, he says, people can adopt an unhelpfully defensive approach when they hear about an attack.

 

It can be more useful to spend time putting processes in place which provide protection, rather than trying specifically to stop attacks, he said.

 

This means that instead of talking about cybersecurity, we should be talking about cyber risk and cyber risk assessment, he said.

 

The maritime industry is comfortable discussing risks, but it is not very comfortable discussing security, he said.

 

The IMO regulation introduced in January 2021 also says that shipping companies should address “cyber risks”, not “cybersecurity”, he said.

 

The risks should be addressed within safety management systems, so as part of the ISM Code.

 

“Cyber security is a risk that has existed [for a while] but it has escalated. It is another risk shipowners need to address.”

 

The IMO approach is based on the NIST (US National Institute of Standards and Technology) cybersecurity framework, built around five steps of detect, protect, identify, recover, respond. It can be applied to any sort of cyber incident, he said.

 

“It is not something new,” he said. “There’s frameworks out there that shipping companies can turn to, to understand what they should do in order to meet that regulation. We are seeing that the industry has taken significant steps on that.”

 

“Shipping companies just need to identify what they should do for their specific operational environment, and to protect the organisation.”

 

Mr Kapalidis recommends the BIMCO “Guidelines on Cyber Security Onboard Ships,” now in its 4th edition, and being updated with much input from the industry.

 

Past attacks

The cyberattack on Maersk “was collateral damage of an attack of a sovereign state against another,” he said. The malware involved, NotPetya, is thought to have been released by a Russian government body with the aim of damaging Ukraine.

 

In 2010, a Greek shipping company, which had suffered some of the worst piracy attacks off Somalia, discovered that the pirates had paid hackers to get access to the shipping company’s infrastructure. This enabled them to identify when the ship would be in the most vulnerable situation, and so the best time to launch an attack, he said.

 

The hacker gained access by using an “IoT search engine” to look up internet-enabled devices in the shipping company’s office, and then finding that the company had not changed the default user name and password on some of them.

 

Risk assessment

The most important issue for shipping companies is to understand where their cyber vulnerabilities are, and how they should be protected.

 

Many risk assessment methods, such as penetration testing, only tell you where you are at a specific point in time. So it is important to look at cybersecurity not just as a one-off task, but as an ongoing risk management exercise, he said.

 

A “maturity model” approach can be useful, showing you how your organisation is evolving over time. “That assesses the entire exposure of the organisation, including technological elements, as you progress and improve things. It is a process, it is not a checklist.”

 

“We know the attacker will be one step ahead of the defence, we need to minimise that gap as much as possible.”

 

Regulation

Mr Kapalidis said there is an open question about whether maritime cybersecurity needs more drive from regulators.

 

In surveys done by HudsonAnalytix, European participants, who are mainly Greek, say that IMO should do more regulation. But Mr Kapalidis said he does not believe IMO will choose to go further than it has done so far, making initial guidelines.

 

Asian participants in the workshops typically say that the drive to improve cybersecurity standards should come from more classification societies and P+I clubs.

 

Insurance challenges

Many marine insurance companies are limiting their cover of cybersecurity risks, due to concerns that the costs of a cyber attack could be extremely large, said Julian Clark, global senior partner maritime at law firm Ince & Co.

 

“A number of leading underwriters have said they don't think the amount of coverage available is sufficient to meet the risk,” he said.

 

As a result, many P+I clubs have adopted a clause “LMA 5403”, which limits the extent of insurance cover they provide for cyber risks.

 

“We've seen a number of clubs put up warnings on websites saying that in the event of any claim resulting from a cyber breach, where it is determined the member did not have a cyber resilience program in place, cover can be compromised. That's a really important message for the industry.”

 

But this leaves a gap in cover, which worries other organisations with a stake in maritime risks, such as the US Coastguard and oil company charterers, he says.

 

Perhaps as a result, the US Coastguard has said it will take a very strict interpretation of the [IMO cyber risk management] rules. This could extend to detaining vessels if they think there has been a breach (a successful hack), or if they are not happy with the cyber risk management. “We see the same from oil majors and Inspectorates.”

 

“We need to come together to create a standard of cyber protection where underwriters and members can be assured, in the case of a cyber incident, they have adequate insurance coverage.”

 

An insurance underwriter might also argue that a ship which has been successfully hacked is “unseaworthy”, leading to a discussion about whether the ship owner took due diligence, he said.

 

But if the hack pathway was something in the ship when it was built, for example a flaw in the ship’s electronics, then there is a question of whether that falls “within the owner’s scope of due diligence.”

 

Another scenario is if a cyber incident leads to a grounding or collision, but the insurer claims limited liability for cyber related issues. “I think there's some huge issues here for the industry to cope with,” he said.

 

The fact that cyber incidents seem to be rising is increasing insurers’ concern. There have been reports of increases in phishing attacks on employees during the pandemic, and an increase in operational technology (OT) related attacks (although not specifically in ship operations), he said.

 

Mr Clark believes that shipping companies have got quite good at protecting IT infrastructure, but that may mean that hackers look harder to attack ships via devices, or “operational technology”.

 

That could be compared to someone who puts strong security systems on their house front door, but makes it easy to get into the house through the garage, he said.

 

Mr Clark agreed with comments from Mr Kapalidis, that we should adopt a risk management approach. “We need to get away from a tick box approach to [cyber] compliance,” he said. “You need a resilience policy that ensures you're constantly on top of and reviewing the exposure to the organisation.”

 

How people fit in

People are sometimes blamed too quickly for cyber security incidents, said Phillip Morgan, professor in human factors and cognitive science at the School of Psychology at Cardiff University.

 

But evidence increasingly shows it is more likely that people are the strongest link in the cybersecurity chain, spotting incidents quickly which bypass the digital cyber defences, he said.

 

Mr Morgan serves as technical lead for the Cyber Psychology and Human Factors Pillar for the Airbus Centre of Excellence in Cyber Security Analytics at Cardiff University.

 

“Some suggest [people] are irrational, gullible, sometimes we hear the word stupid.”

 

But “we are a species known to being adaptive problem solvers, who adapt strategies and create tools to succeed in the face of huge challenges.”

 

While all cyber attacks have people involved, that does not mean that the people intended them to happen. They may be caused by “people who chose to download files, click on links, connect a device to fulfil an urgent task. People working long hours, responding to apparently urgent e-mails.”

 

“We can't be super vigilant all the time. Under time pressure, we all do things where we think, ‘I wouldn’t have done that under normal circumstances.’”

 

“It is sadly the case that cyber criminals are attacking employees at all levels.”

 

“Behind each cyber attempt is a human being, vigilant and adaptive, preying on our cognitive biases. They’ve learned techniques that can impact biases, cause maladaptive behaviours. They've found optimal times to strike.”

 

But, “the playing field is more level than we think. We can better understand that, teach our employees about them - so they can become better defenders.”

 

People can be given advice about better ways to be protected when using mobile / IOT devices, and when working with sensitive and confidential data, he said.

 

It is good advice never to feel too comfortable you know where your vulnerabilities are – because attackers are always trying to find new ones, he said.

 

The human characteristics which lead to vulnerability are not necessarily those you expect.

 

You may expect your most risky employees to be those who take more risks in other areas, or who are more prone to impulsive behaviour. But research shows that vulnerability levels may be more connected to how thoroughly a company appraises its threats, to whether staff members feel comfortable managing their own security (their ‘self-efficacy’), and to the level of connection people have with the devices they use.

 

Mr Morgan cautioned against relying too much on surveys to find out what is going on. If you really want to know what people are thinking, there are methods to see more directly, such as monitoring people’s eye movements when looking at a screen, or measuring brain activity and pupil dilation. “Surveys have a place but we need to triangulate objective data with subjective data,” he said.

 

What are the risks?

The panel was asked about what cyber incidents they had actually seen in 2020, as a means of assessing the overall risks.

 

Mr Kapalidis replied that many shipping companies saw denial of service attacks bringing down their websites, sometimes denying staff access to data for internal use. Some companies had compromises in their data centres.

 

“In our internal analysis [with consultancy HudsonAnalytix] we recognised there was a specific way these attacks were launched. The [whole] industry is using more or less the same solutions with data management and data handling.”

 

Some shipping companies had been themselves conducting cyber attacks on competitors, trying to prevent staff from getting access to their company information, he said.

 

Julian Clark said he had seen an increase in Europe of companies trying to obtain personal data from company databases via phishing attacks, and then threatening to make it public unless a ransom was paid. The company would then have to choose between paying the ransom, or paying a fine for a data breach under GDPR regulations.

 

Mr Morgan said that companies sending phishing e-mails were getting more sophisticated, such as appearing to be a person in authority, and giving reasons why an urgent response was required.
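The two cues Mr Morgan describes, a claimed position of authority and a manufactured reason for urgency, are exactly the kind of thing a mail-triage rule can surface for a human to review. The following is an added example written for this page, not code from the webinar or from any of the organisations mentioned; the company domain, executive name and sample messages are all constructed. It scores a message on a handful of cues (an executive's name in the display name while the sender domain is external, authority titles, urgency wording, a request for payment or credentials, and discouraging verification) and maps the score to a triage verdict.

```python
import re
from dataclasses import dataclass

# Hypothetical company domain and executive name, invented for this example.
INTERNAL_DOMAIN = "acmeship.example"
KNOWN_EXECUTIVES = ["Espen Holm"]


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str


# Cue lists are matched against lower-cased text. Each group scores once,
# except urgency, which counts distinct cues up to a cap of two.
URGENCY = [r"\burgent\b", r"\bimmediately\b", r"\bright away\b",
           r"\bbefore (?:close of business|cob|end of day)\b"]
AUTHORITY = [r"\bceo\b", r"\bcfo\b", r"\bmanaging director\b", r"\bmaster\b", r"\bdpa\b"]
ACTION = [r"\bwire\b", r"\btransfer\b", r"\bclick\b", r"\bupdate your password\b",
          r"\bopen the attached\b", r"\bbank details\b"]
SECRECY = [r"\bdo not (?:call|discuss|tell)\b", r"\bkeep this (?:confidential|between us)\b"]


def _hits(patterns, text):
    """Number of patterns in the list that occur in the text."""
    return sum(1 for p in patterns if re.search(p, text))


def score_email(mail: Email, internal_domain=INTERNAL_DOMAIN, executives=KNOWN_EXECUTIVES):
    """Return (score, reasons) for one message; a higher score means more phishing cues."""
    score, reasons = 0, []
    sender_domain = mail.from_addr.rsplit("@", 1)[-1].lower()
    name = mail.display_name.lower()
    text = " ".join([name, mail.subject, mail.body]).lower()

    # Authority impersonation: a known executive's name in the display name,
    # while the message actually comes from outside the company's own domain.
    if sender_domain != internal_domain and any(e.lower() in name for e in executives):
        score += 3
        reasons.append("executive display name on external sender domain")
    if _hits(AUTHORITY, text):
        score += 1
        reasons.append("claims a position of authority")
    urgency = min(_hits(URGENCY, text), 2)
    if urgency:
        score += urgency
        reasons.append(f"{urgency} urgency cue(s)")
    if _hits(ACTION, text):
        score += 2
        reasons.append("requests a payment, credential or click action")
    if _hits(SECRECY, text):
        score += 1
        reasons.append("asks for secrecy or discourages verification")
    return score, reasons


def classify(mail: Email, **kw):
    """Map the score to a triage verdict for the mail team."""
    score, _ = score_email(mail, **kw)
    if score >= 5:
        return "suspicious"
    if score >= 2:
        return "review"
    return "ok"


# Constructed sample messages: a CEO-fraud attempt, a routine internal notice
# and a generic credential lure. None of these are real messages.
SAMPLES = {
    "ceo_fraud": Email(
        "Espen Holm (CEO)", "ceo.acmeship@outlook-mail.example",
        "URGENT: payment before COB",
        "I am in a meeting with the charterers and need you to wire the attached "
        "invoice immediately. Do not call, just confirm when done."),
    "crew_schedule": Email(
        "Crewing Department", "crewing@acmeship.example",
        "Crew change schedule for June",
        "Please find the updated crew change schedule. Let us know if any dates "
        "clash with port calls."),
    "password_lure": Email(
        "Port Agent", "ops@portagent-lookalike.example",
        "Please update your password",
        "Your account expires today, click here immediately."),
}

if __name__ == "__main__":
    for label, mail in SAMPLES.items():
        score, reasons = score_email(mail)
        print(f"{label}: {classify(mail)} (score {score}) {reasons}")
```

The point of the reasons list is that a flagged message goes back to a person with an explanation of which cue fired, rather than being silently dropped; the weights and thresholds are illustrative and would be tuned against an organisation's own mail.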

                    


