Last year felt like an important inflection point. There was a noticeable shift in the general discussion from why better security was needed to how best to achieve it; leadership teams were starting to ask for evidence of better risk management; and regulation turned up a notch with the IACS effort around UR E26 and E27 (see a webinar we ran with Digital Ship).
There is still a lot to do to secure shipboard systems. And as the excitement about the possibilities of low-earth orbit satellites like Starlink begins to gather momentum, the sector needs to move faster on security. Better connectivity will simply make exploitation more accessible to bad actors.
For our part at CyberOwl, building on our recent 2023 SMART4SEA Cyber Security Award, there are 4 areas we will be focusing on developing this year.
Visibility of controls – the useful ones
The vast majority of shipping operators are struggling to gain visibility of the cyber security controls for shipboard systems. This means it simply isn’t clear whether policies that are written, for example in Safety Management Systems, are implemented or not. If they are implemented, it isn’t clear if those controls are effective.
This keeps those in charge of cyber risk management up at night. It prevents them from understanding what controls are already effective and how much further work needs to be done to actually reduce risks. It worries them that an inspection will raise questions and observations, against which they will struggle to prove that diligence has been taken to secure those systems. That makes cyber risk management of shipping systems feel overwhelming, as it is not clear if progress has been made.
Visibility of controls and controls effectiveness is an approach we have long been championing at CyberOwl and delivering through Medulla [link], our cyber security monitoring solution. It helps the shipping operator prioritise.
To take one example, Medulla is deployed across the fleet of both Pacific Carriers Limited (PCL). Ron Fong, Head of Fleet IT of Pacific Carriers Limited points out that “shipboard systems are not like office systems. In order to secure the increasing number of connected onboard systems, including the connected IoT and OT systems, we needed assurance that our onboard cyber security controls are working and continuous monitoring of when they are not working as they should be. CyberOwl’s Medulla gives us that visibility and ability to pinpoint the exact control that isn’t working.”
Ron and his team have been challenging us to keep improving our proposition. Implementing CyberOwl’s Medulla enables them to have a single view of cyber risks across all their onboard infrastructure. This allows them to understand and easily respond to cyber risks across the entire infrastructure onboard the vessel.
But there is more to do.
Vessel IT and cyber security teams lack time. This makes prioritising controls that are actionable in reality for shipping systems is not easy. They don’t have the capacity (and many lack the expertise) to pull together the right analysis. If an incident has occurred, or a control has been violated, how bad is it? Where else across the fleet does it exist? How urgently should I take action?
So we will focus on pursuing better visibility and granularity of control effectiveness to help shipping operators take practical steps, based on actual risks rather than hypothetical, unlikely ones. The goal is to get the right type of contextual information into the hands of the shipping operator, faster, and in “plain English” so it is more easily understood. This enables clear action to be taken to shut down the drive continuous improvement in security.
Automated containment
It is surprising how much change occurs on a vessel network. Devices get plugged in where they shouldn’t be, systems are turned into wifi hotspots against best practice and networks are reconfigured insecurely to update some OT system, or do some troubleshooting of some software. In the research we produced last year in partnership with Thetius and HFW, called the Great Disconnect, which can be found here, we identified that over half the vessels we work with have 40-180 connected devices and on 16% of vessels we found at least one critical machine regularly used as a hotspot.
Getting on top of these changes requires an army of IT or cyber security professionals. This is not a capability that shipping operators have or are willing to invest in. Some automation is required to make the workload manageable.
In response, this year we will launch capabilities that enable automated response. The intention is to protect the crown jewels of the vessel – the critical computing systems – from rogue devices and connections that may introduce unwanted vulnerabilities. This leverages existing capabilities within Medulla to discover rogue devices and connections, and make a determination of the risk that device or connection poses to the vessel network. Where the asset or connection poses an unacceptable risk, a containment mechanism is triggered, allowing either the shore team or crew time to consider the risks before removing the device or allowing the connection.
We believe this addition will fundamentally reduce the impact of ransomware or more nefarious cyber attacks like wiper malware, on vessel systems where it is not always possible to ensure the anti-virus (or anti-malware or endpoint detection system) can be consistently updated for the latest signatures. More details to follow shortly or do get in touch if you’d like to find out more.
Empowering the crew
Ultimately, to fundamentally change the cyber risk profile of vessel systems, shipping operators need the crew to take more interest in and responsibility for cyber risk management. This is a delicate balance to get right. It is unrealistic to assume the crew will ever become cyber security experts. But even small behavioural changes can lead to huge gains in risk reduction. Further, if the crew can be aided to take some basic steps early on in a cyber incident, this can go a long way towards minimising losses and maximising resilience.
The way some shipping operators are attempting to achieve this today is through desktop training. But this is difficult to roll out to crew across the world and often delivered out of context when the crew is on down time or shore leave. As a result, crew cybersecurity training, if it is even done at all, is treated as a checkbox exercise. It frequently fails to change behaviour. And the majority of crew continue to be clueless on the steps they should take to minimise the impact of a cyber incident when (not if) it happens.
A more direct approach is required that engages the crew in context, and at the point of use. The system should be user friendly, easy to understand and engaging. It should empower and incentivise the crew to follow best practices and comply with cyber policies to minimise the exposure of vessel systems to cyber risk. In the event of an attack, the system should serve as an aid to enable crew to take simple steps to minimise the impact of the incident.
This approach fundamentally aligns with safety management systems. The philosophy is that the crew should take ultimate responsibility for managing vessel risks. Yet today, most cyber security solutions are not designed to decentralise the responsibility for cyber risk management and engage the crew as the first line of defence. We will be looking to launch capabilities to change this, developing this with Eastern Pacific Shipping following an award from the Cyber Security Agency of Singapore. Please get in touch if you want to be involved in trials or help shape this new approach.
Building a cybersecurity community and benchmarking to best practice
What does good security look like? Which practices have worked for peer shipping companies and which haven’t? How do we progress initiatives that require whole-sector effort, like supply chain security?
Strangely, shipping operators aren’t particularly good at collaborating, even on matters that should not be competitive, like cyber security. There are few mechanisms set up for exchanging information, comparing notes or sharing threat information. This means shipping companies rely heavily on small, informal networks they have developed, often limited to a specific region.
This limits the quality and reliability of the exchanges. Discussions lack data-driven evidence on key risks being exploited across the sector and the controls that have been effective to manage these risks. They tend to be geography-specific knowledge, rather than global best practices.
This makes decision-making difficult. It prevents shipping CIO’s from being able to confidently recognise whether they have invested enough in security, or are falling behind their peers.
To address this, we will work on two related initiatives. The first is to continue to build a global sharing community for cyber risk management for ship operators. We have begun doing this by developing a series of workshops and events we have themed “Mind the Gap” where we bring the community together. If you are a shipping operator or have an active interest in cyber security of shipping systems, do join and help us build the community. If you register interest at this link, we will follow up with you.
Secondly, we will be working on initiatives to anonymously benchmark the cyber maturity and share information on the effectiveness of controls implemented by shipping operators around the world. The goal is to make this available for shipping operators to benefit from this intelligence and get a sense of the level of readiness compared with their peers. This builds on a service we already provide to ship operators we work with. For example, Fotis Dalmyras, Andriaki Shipping’s CEO identifies that “working with CyberOwl, also means we can lean on their strong understanding of global industry best practice. This helps us benchmark the cyber hygiene of our fleet against the rest of the world and ensure we don’t fall behind and keep challenging ourselves to improve.“
Origami owls made by the CyberOwl team. Plenty of room for improvement!
As you can see, we’re going to be busy. And we won’t get it all right the first time. If you are bought in to the same mission, we would invite you to engage.
Help us shape these initiatives and capabilities.
Help us make it easier for you to manage your vessel cyber risks.
