IMO has given shipowners and managers until 2021 to incorporate cyber risk management into ship safety, giving the industry another issue to deal with.
Owners risk having ships detained if they have not included cyber security in the ISM Code safety management on ships by 1 January 2021.
Delegates discussed the ramifications of this at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which is being held in association with Norton Rose Fulbright in London.
A morning panel, which included MOL LNG Transport IT manager Pete Adsett and representatives from Lloyd’s Register and Moore Stephens, highlighted how this would be difficult to implement.
There were discussions from the summit floor as to what this means to shipowners and how this will impact shipmanagers. One conclusion is that port state control officers will need to be advised what to look for.
Ships have multiple cyber vulnerabilities and security issues that put them at risk from hackers and malware. Delegates at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, held in association with Norton Rose Fulbright in London, participated in an interactive presentation by DNV GL.
In that session, DNV GL maritime cyber security manager Patrick Rossi listed many of the problems found on board container ships and tankers that make these vessels more vulnerable to cyber attack. These include:
- Bridge systems connected to unsecure connections
- Missing software patches
- USBs passed between multiple ship computers and bridge equipment
- Unconnected firewalls
- Lack of network segregation
- Unencrypted emails
- No malware scanning on ECDIS
In an online poll, 44 per cent of delegates said the most important function of cyber security was to identify threats and 31 per cent said protection was more important.
Delegates heard about the mitigation methods for preventing and dealing with a cyber attack from John Boles a former assistant director of US Federal Bureau of Intelligence’s international operations. He is now director of global legal technology solutions at Navigant.
Mr Boles said controlled networks should be separated from unsecure ones, software should be patched and crew trained to prevent unintentional malware infections. He said shipping companies should have layered defences to isolate protected data from the internet, implement multi-factor authentication and retain outside security experts to help plan for a cyber attack.
In another interactive session, NYA International chief operating officer Aleck Burrell and Norton Rose Fulbright associate Steven Hadwin asked delegates what they would do during a ransomware attack. They said shipping companies should have a virtual crisis management team in place for such an eventuality.
Also in the afternoon session, Waterfall Security Solutions chief executive and co-founder Lior Frenkel explained how unidirectional security gateways could be used for secure links between ships and corporate networks. Darktrace account manager Sam Martin described an immune system approach for cyber security
This followed a lively morning session where the realities that the shipping industry is already under cyber attack were exposed.
Inmarsat Maritime senior vice president of safety and security Peter Broadhurst confirmed that his organisation had been notified that shipping companies had been hacked. North of England Club director of marketing and communications Colin Gillespie said shipping was under attack every day and many companies are unaware of this. He said the priority of implementing cyber security should go as high as the board room.
Patrick Rossi (DNV GL) listed many of the vulnerabilities found on board ships
The panel discussion also included Abatis chief executive Kerry Davies, who said shipping companies need to use technology that blocks malware from hard drives and servers from executing the harm.
Norton Rose Fulbright partner Philip Roche kicked off the summit with an opening address, outlining the risk shipping faces. Moore Stephens partner Steve Williams outlined the cyber security landscape, the drivers for implementing better security and recognising what can go wrong.
Lloyd’s Register global strategic marketing manager Luis Benito explained what systems on ships were vulnerable to cyber attacks. MOL LNG Transport IT manager Pete Adsett provided the shipowner perspective, explaining how his organisation prevents cyber issues and protects ships from malware. He said his ships had malware on board in the past, but these were cleaned off.