A special webinar on cyber-security was staged for Nautilus members in September 2018 in partnership with Appsecco and its specialist maritime division, ShipSecure. Gwilym Lewis, the company's CEO, offered some thoughts ahead of the event…
The recent successful cyber-attack at COSCO has once again shone the spotlight on cyber-security in the shipping industry and raised the question 'What happens when this happens to shipboard systems?'
The bad news is that with ever-increasing methods of mounting cyber-attacks, and the ease with which even technically unsophisticated individuals can use them, the reality is that everyone should expect that they will be 'hacked' at some point and thus this will happen to vessels.
One of the most common misconceptions about cyber-attacks is that they are all consciously targeted events; that there's a hooded hacker sitting in a shadowy room specifically attacking an individual or organisation. Whilst this is true in some instances - and there's a significant amount of money to made from doing so - most cyber-attacks are more random in nature.
Many attacks are started by automated programs looking for vulnerable systems online, rather than target X specifically, and then either flagging back to the hacker that they've found something interesting or completely autonomously completing their attack. It was the latter that caused havoc for Maersk in 2017 where its entire global IT infrastructure was destroyed as collateral damage in a cyber-attack tied to users of a Ukrainian accounting software package.
The good news is that it's a relatively straightforward process to quickly improve the baseline level of security on vessels to guard against many forms of cyber-attack without the need to bar crew from accessing things like the internet whilst onboard or purchasing expensive technology solutions.
This has long been the case for other industries - and the lessons, processes and experience from them can readily be applied to the maritime sector too. The key when looking to improve cyber-security, particularly when there is a low initial base, is to focus on the fundamentals; get the basics right first, rather than see it as a binary problem that needs to be resolved in one go.
Acting to address the basics today makes strong commercial and operational sense and doesn't need to be wildly expensive. Even a modest increase in investment in training crew and implementing simple steps to test and secure systems will help ensure that the risks are reduced and the damage from a successful cyber-attack, if it happens, better mitigated allowing normal operations to continue.
It's a relatively straightforward process to quickly improve the baseline level of security on vessels to guard against many forms of cyber-attack without the need to bar crew from accessing things like the internet Gwilym Lewis, Appsecco CEO