Cyber warfare has affected well known companies such as Deloitte and Maersk, and the message from the International Marine Contractors Association is that offshore companies could be next
Not surprisingly, many of the speakers at the International Marine Contractors Association (IMCA)/Oil Companies International Marine Forum (OCIMF) cyber security seminar during London International Shipping Week warned of the importance of understanding that cyber attacks will happen.
It’s not a case of ‘if’ but ‘when’, and countermeasures have to be in place to isolate the damage. Opening the seminar, IMCA CEO Allen Leatt said hacking is big business, and hackers are often able to stay one step ahead by continuously investing in R&D. Touching on various threat aspects, he noted that industry would defend itself in a variety of ways.
Industry experts discussed some of those ways. Aristos Partnership’s director, cyber security Mike Hawthorne gave a presentation entitled ‘The threat posed by unauthorised access to vessel systems’. Kongsberg’s VP cyber security and data management spoke on ‘Cyber security in the maritime industrial revolution’. Rolls-Royce’s product cyber security specialist Jonathan Roberts gave a talk on ‘Cyber security issues of highly connected vessels and autonomous infrastructures’, and TechnipFMC’s portfolio manager for strategic IT systems development, Ian Hindmarsh, talked about ‘The contractor’s perspective on remote access and cyber security’. Alex Ferrant, a senior consultant at Context Information Security, gave a brief and very interesting video demonstration of hacking into and taking control of certain common electronic devices including internet-connected cameras and smartphones. DNV GL’s principal specialist Mate Csorba spoke about ‘Safe and secure remotely connected vessels’, and OCIMF director Andrew Cassels gave a round-up of the presentations. He noted that, whilst it was important to do everything possible for cyber protection, attacks would get through.
Common themes ran through the presentations, such as the importance of securing technology systems. “Insecure vessel systems or services are inherently unsafe,” said Mr Roberts. Attention to cyber hygiene is vital, explained Mr Hawthorne. This encompasses weak passwords or open administrator rights. Mr Csorba said the safety of vessels and personnel at sea is increasingly dependent on networked systems. He stressed that threats are evolving and becoming a part of our daily business. Mr Hawthorne showed just how easy it is to break into vessel control systems if not properly protected.
The supply chain came in for particular comment. Mr Hawthorne stressed that supply chain cyber security should have the same priority as ship owner/operator cyber security, with Ian Hindmarsh explaining that owners need to become more intelligent buyers of operational systems, with security built into the equipment. Data transfer was highlighted. Mr Jensen remarked that increased digitisation across the world’s 80,000 vessels had increased communication paths – and hence risk. The security of rapidly expanding ship-to-shore data transfer was important. Operational technology and information technology are converging and increasingly connected, so cyber security should be planned in for people, processes and technology.
Mr Hindmarsh observed that remote access was important and there was a good business case for its increasing use, yet the significant risks it posed to members’ operations need to be addressed. Personnel can be the greatest asset and the most significant risk. He advocated training, awareness and full understanding of how to manage change. Mr Roberts stressed that cyber security was everyone’s responsibility. Mr Csorba commented that costs were often perceived as a cyber security barrier but considered that recent events might act as a wake-up call.
Summing up, Mr Hawthorne explained that cyber security was starting to be seen as a serious threat by some CEOs. He expressed the view that industry needs to work together to address the threat and effectively communicate it at board level. Mr Cassels said he sees good contingency planning as imperative, along with educating and informing personnel. Managing and addressing cyber security should, he believes, be treated in the same way with the same level of attention as any other risk.