Paul R. Walters, Director, Cyber Service Delivery, Cybersecurity & Software Integrity, ABS, says that cyber hygiene is critical and calls for actions towards cyber awareness. It is not a matter if you will ever be hacked but when, Mr. Walters notes, therefore cybersecurity must be a priority and company officers should recognize a series of risk factors and conditions for control. In his view, ECDIS is the most vulnerable system onboard along with any system running running Windows XP. An increase on cyber-attacks has been noticed not only in phone companies and large firms but also in smaller firms, so companies must be alerted and safeguard IT systems.
SAFETY4SEA: What are the major developments and highlights for your company over the course of the last months?
Paul Walters: The major development from our perspective has been the development of the ABS CyberSafety series of notations and guide which are a first for our industry in deploying the capability to assess cyber-related safety in shipboard and at-sea assets.
S4S: What are the best practices to ensure cyber security within a shipping company?
P.W.: Cyber hygiene is critical as most infections are transferred by people – via USB memory sticks or clicking on a link in an email. Once activated the hacker can initiate ransomware, steal data on that system and servers that the user has permissions to access. Identity and Access Control are also important. The company needs to know who is accessing the systems and if they have the correct permissions which comes from Access Control, not everyone is an Administrator.
S4S: What are the key things to have in mind with regard to cyber security on board?
P.W.: Cybersecurity is one aspect of system integrity; other components are software integrity, data integrity and the ability to measure. A good cybersecurity program must be implementable, sustainable and measurable. A Cybersecurity Incident Response Plan is mandatory, as we have to protect against all infections and a hacker only has to be right one time to gain access. But equally as vital is the responsibility assignment for control systems through a control systems office in the company.
S4S: Is shipping safe & secure with regards to cyber risks?
P.W.: Vulnerabilities exist on every ship but protection offered by some satellite communication providers offering some protection through communications path. The CSO Alliance is a group of Chief Security Officers which anonymously informs the shipping community of physical and cyber incidents.
S4S: Are the existing cyber security practices considered sufficient to prevent cyber threats and attacks?
P.W.: In general, the answer is that challenges remain across all areas. Considering the number of ships and their age range, the possibility exists that someone, somewhere is being hacked. Some companies are better than others in security and isolating Operational Technology – that is the equipment that is used to maneuver the ship and provide utilities, with architectural protections.
S4S: How can we enhance cyber awareness to seafarers and ship owners/ operators and manage risk?
P.W.: The risk is shared with crew, vessel, company, port, and port community and the risk consequences may be more severe the further the hack travels. Hackers are motivated by accolades from fellow hackers and by money. State actors are, of course, paid. We do not accept that the chances of discovering and recovering from malware infections cannot be changed – owners and operators can change the odds by consciously training their people to be aware and cyber-safe in their habits.
S4S: Which vessel systems do you believe are most vulnerable to cyber-attacks and what it is needed for their protection from your perspective?
P.W.: In my view, the most vulnerable is the Electronic Chart Display and Information System (ECDIS) as charts are updated frequently and in many cases over the internet. Any systems running Windows XP are at risk, and many Human Machine Interface (HMI) systems run on Windows XP.
S4S: What is your key message to the industry regarding cyber security?
P.W.: It’s not a matter of if you will be hacked, but when. People that monitor hackers see new attacks on phone companies, then large firms, then smaller and smaller firms. Large well-managed firms have adaptive cybersecurity and firms like Crowdstrike have Artificial Intelligence algorithms programmed to mitigate the possibility of an infection or hack to occur. So the risk is moving down the chain.
S4S: What do you think should be industry’s priority to move forward?
P.W.: Cyber awareness and cyber training is needed. Start by security the organization with policies, processes and procedures. Cybersecurity must be a priority the CEO and company officers should recognize as a series of risk factors and conditions that figure into their company risk registers, to then be driven down the chain of command to be handled and mitigated. Cybersecurity sounds complicated but it is like ISO 9001 when it first with introduced. After implementation and training it is just normal everyday business. Members of the company need to have identity control and access control. They need to have to rights access appropriate for their jobs. This help limit the spread of an attack.