Cyber Security in Shipping – Just a trend or necessity?
There is no need to go through the whole article to answer this question; the answer is obvious – we need Cyber Security. After all, it has to do with security, and everyone in the industry knows how important this is.
But let’s go back to the fundamentals of the term for a bit.
Using the term Cybersecurity to describe the defensive practices against IT-related threats is wrong, as Cybersecurity is only a subset of IT security, which also includes Computer Security and Information Security.
These terms are so closely linked that they are often used interchangeably.
To determine the similarities and differences among these terms, we need to analyze what asset in what context is being secured and what purpose it serves.
- Computer security is the collection of measures and controls that ensures the confidentiality, integrity, and availability (CIA) of the assets in computer systems. These include all hardware devices, such as servers, PCs, laptops, smartphones, storage devices and routers, as well as embedded software/firmware.
- Information Security is about a significant asset, information, that can be stored and communicated in different ways. InfoSec, in short, is another way of saying data security. Most current business data resides electronically on hardware or in the Cloud.
- In Cyber Security, the distinction of the assets is not as clear as it is for InfoSec and Computer Security. In fact, Cyber Security is younger than these two, as it emerged along with the Internet around 1990. Many define cybersecurity as a subset of InfoSec since it concerns the information in cyberspace.
What is cyberspace, then? What are the assets?
According to Ottis and Lorents' definition, “Cyberspace is a time-dependent set of interconnected information systems and the humans that interact with these systems.” Therefore, we know that cyberspace is a dynamic, connected, multilevel ecosystem of physical infrastructure, software, regulations, processes, and interactions influenced by an expanding population of contributors who represent the range of human intentions.
The maritime industry is known to be a late adopter of technology, especially concerning the IT and the vessel environment.
A study that aimed to identify crucial machinery on a vessel, its vulnerability to cyber threats and the potential consequences resulted in a relatively low number of components.
But the attack is not always direct; actually, most of the time it comes from “trusted” sources. For example, between 2010 – 2011, a shipping company suffered 11 pirate attacks in Somalia, out of which eight were successful. After some research within the organization, it was found that hackers helped the pirates gain access to the company’s systems to identify the most valuable targets. And how did these hackers gain access to the company’s systems? Through the WiFi light bulbs installed at the Headquarters, because the default username and password had never been changed. So, through that vulnerability, they gained access to all the information they needed. And even if most of the ships are not always connected to the internet, the danger is still there. How many USB sticks are being used daily by the crew or passengers on board for technical support, audits, etc.? And because the ships are frequently off the grid, it becomes more difficult to identify the threat and promptly act on it from the shore.
The Risk Management
These examples show that Cybersecurity Risk Management is not always straightforward, and that one must not overlook the less critical assets. Infrastructure security is like a chain: it is only as strong as its weakest link.
The industry’s cyber dependency is rapidly growing. From IoT to Cloud-based applications and even unmanned ships, it attracts the attention of cybercriminals. Let’s not forget that, after all, it is a multibillion industry.
The IMO published general guidance for Maritime Cyber Risk Management and included Cyber Security in the ISM Code, with which shipping companies should comply from 1st of January 2021.
This is a step forward to raise awareness on this subject and ensure that, at least, some basic procedures will be in place to minimize the potential damage from cyber threats, but is it enough?
What would be the benefit if companies implement their procedures just to check off compliance boxes and then don’t actively monitor their infrastructure afterwards?
Investing in securing their cyber assets, reviewing their procedures frequently and, importantly, training the people involved is essential.
“If you know the enemy, and know yourself, you need not fear the result of 100 battles. If you know yourself, but not the enemy, for every victory gained, you’ll also suffer defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu, “The Art of War”, 500 BC)
Interestingly enough, over 2,500 years later, each of those three points directly applies to the world of cyber security.
Are you afraid your ships could fall into a Cyber-Trap?
Contact us immediately and see how we could help your organization be safer and more resilient.
Associate Consultant, Cyprus
I am passionate about new technologies and I’m always seeking opportunities to safely apply them to the Maritime Industry. My objective is to push the boundaries and unlock new possibilities.
Ottis, R. & Lorents, P. (2010). Cyberspace: Definition and Implications.
Cyber Security challenges for the maritime industry:
IMO Cyber Security:
ISM Cyber Security guidance:
RITx CYBER501x – Cybersecurity Fundamentals
RITx CYBER503x – Cybersecurity Risk Management