Something interesting happens when you lock a group of senior shipping executives in a room and put them through a cyber-attack drill. Given how unfamiliar cyber risk management is in shipping, the scenario quickly descends into guesswork based on false assumptions. It doesn’t take them long to realise just how unprepared they are to make the necessary decisions to contain and recover. And in some cases, they are not even sure who in their organisation has the right information and is expected to take responsibility. Not a great place to be in.
Earlier this month, CyberOwl alongside HFW, Navigate Response, and The Standard Club hosted a cyber security drill at the British High Commission in Singapore. This in-person event drew together senior business leaders across the maritime industry. The drill immersed participants in a cyber incident so they could feel the effects of the decisions they would have to make, and the preparedness of their company plans.
These are the 5 key takeaways from the business leaders in the room:
1. Most shipping companies are not set up to get the right information to the right individuals at the right time.
Broadly, you can split up a cyber incident timeline into 4 phases:
- ● Phase 1: before you know you’ve been attacked
- ● Phase 2: the point you find out
- ● Phase 3: your first few hours of response
- ● Phase 4: after the incident is contained.
Most people, not just the senior business leaders, obsess about Phase 3. It’s easy to see why – many imagine cyber incidents to be like physical incidents e.g. a fire. So attention and obsession immediately turns to how rapidly their teams and crew can put out that fire.
One interesting takeaway from the exercise is that most of the business leaders weren’t clear that their teams would even know the shipboard systems were under attack, until it was too late. There was little confidence that detection or monitoring systems were in place to flag up such alerts. So the obsession about putting in place a rapid response capability is somewhat misplaced, as there was no way of triggering that capability.
There was also debate about what information was really important in the first few hours of response. Many instinctively wanted to know the nature of the attack – is it malware? Is there a ransom note? Who is trying to attack us? What are the attackers demanding? While these are good questions, the focus in the first few hours should be on containment, minimising the spread, as well as checking whether the infected devices, assets or networks affected the operational running of the vessel, and if so, how quickly can they be brought back to seaworthiness.
In reality, cyber attacks are multi-staged and can take some time to deliver and manifest. In shipboard systems in particular, it is less likely to be a flash-to-bang scenario given the operating environment. So the sooner you are made aware of the initial intrusion, the earlier you can take action. Investing in the right cybersecurity capabilities can allow you to stretch the response window timeframe. If you were to continuously collect and analyse onboard data before a cyber breach occurs and put this information in the hands of the right people in your organisation, then instead of having hours to respond, you might have days or even weeks. This type of data can help identify key vulnerabilities and the vectors of attack onboard which might be exploited, alongside weak or failing security controls.
Very few of the business leaders considered Phase 4. Yet, how this phase is handled has a significant bearing on loss recovery and minimisation for the fleet owner. Once the incident is contained, assuming the losses are worth the effort, the difficult work of establishing the fact base begins. This typically involves undertaking forensic data analysis to try and understand how the breach occurred in the first place, both to support claims, disputes and regulatory investigations and also to ensure that you don’t leave other systems open to the same type of attack. Cyber criminals are notorious for circling back to “double tap” the same victim, particularly one that has established a pattern of paying ransoms.
Digital forensics can be an impossible task if the onboard systems have not been configured to collect and store the right data.
Having independent means to collect the onboard data would help solve this problem and puts you in an advantageous position to support deeper analysis of these incidents.
2. Cyber security is not just a technical or compliance problem.
Cyber risk management in shipping is primarily a commercial issue and ultimately about ensuring you are protecting against your key financial exposures. The key question business leaders should be asking themselves:
Do you already know the extent of your commercial exposures in case of a cyber security incident?
Whilst this might seem a straightforward question, the answer is far from it.
An obvious starting point is the cost of the attack itself. What is the cost of any ransom and restoring operations?
This is rapidly followed by determining any exposure to your charterers, due to delays and operational disruptions.
What is less clear is the extent that any of these losses can be recovered, if at all. How clear are you on the extent of your insurance cover, your excesses and limitations, as well as residual risks that are not covered?. Many hull and machinery covers already explicitly exclude cyber risks. One factor of standard P&I cover hinges on whether the cyber-attack is considered to be an attack of terrorism – and that depends upon the motivation behind it. Establishing the motivation for an attack may not necessarily be easy to do, unless there are clear signals like a ransom note. In any case, the policy holder needs to demonstrate that they did not act in an “imprudent, unsafe, unduly hazardous or improper” way.
What about the responsibilities and liabilities of your suppliers? For example, the shipboard system vendors and integrators or visiting service engineers. Who has liability for losses arising from a cyber attack that originated on their systems and to what extent has that been clarified contractually?
These supplier and insurance agreements are vital to being able to recover and limit your exposures. So, if you don’t already have access to a single aggregated view, start now.
3. Communication flow during a crisis is vital.
When a cyber security incident hits, it’s likely to be only the IT team that has the knowledge to understand the seriousness of the incident. How can you balance the need for continuous flow of information with the need for laser focus on incident containment in order to support vital management decisions?
Whilst assignment of roles and responsibilities is natural as part of incident response, it can be too easy to overlook the importance of delivering clear and consistent messaging throughout an incident. It isn’t simple to express complex, technical issues in layman terms, a skill which is vital in communicating effectively to all stakeholders during a crisis. Investing in training and cyber drill practices can help improve the efficiency of internal communication.
Organisations should not overlook the importance of crisis communication when formulating business continuity plans or when staffing emergency response teams.
4. No two crises are the same. Drills help your team think on their feet.
How will I know whether we are ready? Awareness is changing, certainly based on the evidence within the room, and across senior business leaders, otherwise this type of question wouldn’t have been posed to the expert panel.
The starting point is to have a set of structures and protocols in the business to help you mobilise your internal team and create your readiness- to- respond framework. All too often cyber drills, or table-top exercises follow the same process or pattern. However, when faced with a real incident, you are unlikely to follow your response plan exactly. Throw in the tensions that are usually not accounted for in a drill across the different parties: charterers, owners, technical managers, insurers etc, and the difference between practice drills and reality is amplified even further.
To survive a cyber incident, what you need to do is help your team think on their feet. This is where regular drills are helpful.
In order to prepare effectively, consider changing your internal cyber drill scenarios and prepare your team to respond to new situational challenges. One of the most effective ways to test this is to engage external organisations that have expertise in the type of cyber security scenarios you are likely to face across the entire organisation.
5. Avoid compromising your legal privilege.
When an incident or investigation first arises, companies can respond in different ways. Some will look towards their in-house legal and/or compliance teams or through an internal investigation team. Others will appoint external advisers to assist with the investigation typically by instructing lawyers to carry out forensic reviews or to conduct the investigation.
It is crucial to carefully consider the sequence of instructing your lawyers. Instruct them early and you can orchestrate it such that all the investigation gets protected under legal privilege. Instruct them late and the evidence surfaced from investigative work may not be privileged. This could come back to really haunt you in a dispute situation.
A final thought.
As mentioned at the start, one of the critical elements of cyber risk management is ensuring the appropriate level of executive commitment and engagement within the organization. Inevitably, senior commitment to cyber risk management will heavily influence the way risk practices and cyber strategy becomes embedded within the business.
The goal for this event was to build increased awareness and understanding of cyber risks across the leadership team. In that respect, the drill helped this group of senior executives think about their possible areas of exposure and effective mitigations.
Ultimately, business leaders want to make intelligent and risk-based choices on a day-to-day basis, underpinned by data and clear insights. The challenge when it comes to cyber security is that this is a topic that requires deep knowledge and expertise in an industry that is only just starting its regulatory and security journey. Managing the risks and improving cyber resilience begins with knowing which questions to ask internally. Now is the time to start asking those difficult questions, not when a cyber-attack happens.