The weakest link
Still of Be Cyber Aware cyber security film. Credit Fidra Films
Findings from the Fairplay/BIMCO maritime cyber security survey reveal that training must improve to strengthen the weakest link in the chain – people
This year has brought an awakening for the maritime industry following the now infamous Petya ransomware attack that hit shipping giant Maersk on 27 June. The attack, which spread to IT systems around the world, destroyed the outdated belief that some in the industry seemed to hold, that being at sea somehow protected vessels’ IT systems from the cyber threat that existed on land.
Not improving current cyber security measures opens up companies to costly delays – total lost revenue for Maersk as a result of the cyber attack is estimated at between USD200 million and USD300 million – and could shut down vital systems, such as ECDIS, leading to dangerous incidents.
This year’s Fairplay/BIMCO cyber security survey, taken by 284 people working in the maritime industry, explores what organisations are doing, or should be doing, to prepare their people and how they are amending their processes in an environment of escalating cyber threat. In the survey the responses were analysed by job level. What emerged from the crew’s answers was that, while some ground has been gained through campaigns such as Be Cyber Aware at Sea, which informs and educates crew members about how to prevent attacks, such as by not plugging in USBs or clicking on unknown email attachments, many still do not understand how their online activity can open up their organisations to attacks.
Tellingly, more than half of seafarers (55%) picked ‘our people’ as their organisation’s biggest cyber vulnerability. Nearly half of management level respondents (41%) said the same thing. This shows awareness of the human factor in cyber attacks, proven by the survey's finding that 66% of crew opened email attachments from strangers, which could leave ships’ IT systems vulnerable to ransomware or malware attacks, like the Petya virus.
It is unsurprising that the most common attacks crew reported experiencing personally while on board or within the organisation as a whole were phishing emails and malware.
Christopher Henny, senior project manager at Airbus Defence and Space, who has worked with security organisation CSO Alliance Maritime to launch an anonymous maritime cyber-crime reporting online portal, said he was not surprised at the results. “The insider is the weak link in about 80% of the cyber cases we have dealt with. Most of it [opening systems to attack] is inadvertent or careless.”
Crew blamed a lack of education as contributing to this risky behaviour, with more than three-quarters (76%) stating they had received no training on cyber security. Meanwhile, 36% of management level respondents said they provided internal training programmes and 11% provided external training. Clearly there is a disconnect or training is not always filtering down to crew.
Henny stressed training need not be complex and in most cases people will need a two-hour web training refresher and a question and answer session. Jordan Wylie, founder of Be Cyber Aware at Sea, told SAS that industry specific training was “absolutely key to a safer and more secure shipping industry as far as cyber is concerned”. He recommended that training should be benchmarked against an international standard and updated regularly to keep up with the fast-changing “cyber-threat landscape”.
JWC International, founded by marine risk and security specialist Jordan Wylie, runs a Maritime Cyber Security Awareness (MCSA) course, which is the only programme in this field approved by UK government intelligence and security organisation GCHQ and recognised by the UK Maritime & Coastguard Agency (MCA). It can be delivered on board a vessel, at an organisation’s headquarters or via e-learning through one of its partners. The course is designed to be easy to understand and digest with minimal jargon and focuses on the human factor, Wylie explained. Running security drills, like those done for fire or lifeboat drills, could also help prepare crew, yet only 11% of crew said they had taken part in such an exercise.
Communication from leadership is also key in preventing attacks. While 37% of seafarers said that they believed their organisation had experienced a cyber attack in the past year, a greater number (39%) said they didn’t know whether the organisation they work for had suffered an attack or not. Only 9% of management said they did not know.
Wylie said, “A lack of awareness means people will continue to make the same mistakes as they do not know any better”. He regularly reinforces the message that the ‘human firewall’ is the most important element in fighting cyber crime, as he believes people are both the best form of defence and any system's biggest vulnerability.
Even simple information, such as knowing who to report to if a crew member suspects they may have inadvertently downloaded a virus, is not known, according to 53% of survey respondents. This is in spite of the fact that 62% of management respondents said their organisation had a process in place for staff and crew to report cyber crime. While companies may have an information security policy and procedures if a cyber attack has occurred, it is of no use if crew are not aware of it.
Henny added that it was important to keep in mind that IT departments in all companies, not just shipping, are often reluctant to advertise their 'weaknesses' uncovered during attacks. This is one of the reasons CSO Alliance set up its anonymous cyber-crime reporting platform. He explained this was so that “people can learn and see that they are not alone and should not be embarrassed and can in fact do better at prevention and response after the breach is uncovered”. Collecting data on attacks to build a 'criminal footprint' helps CSO Alliance to predict next steps using artificial intelligence or notify the industry if it spots something unusual before it spreads.
While it is positive that 49% of crew said their organisation provided awareness on cyber security best practice for staff and crew, this still means that half of companies are not investing in cyber security awareness. As Wylie told SAS, “There is no excuse for a lack of awareness, especially after the recent incidents that affected Maersk.” Furthermore, awareness is just the beginning of the process. The high-profile and widespread attacks both at sea and on shore this year highlight a pressing need for companies to go beyond awareness and provide practical training on what to do in an emergency situation.