Lecture on Maritime Cyber Security - A Reality Check
The Company of Master Mariners of India organized their bi-monthly Webinar on 11th September 2021 on the above topic with a single panelist, Ms Anu Khurmi, Managing Director - Global Services at Templar Executives, London, UK.
Welcoming the gathering, Master of CMMI Capt B K Jha enumerated the importance of the topic, while Capt Bhasin, Secretary General of CMMI, welcomed the Speaker and handed over to Capt Tescelin Almeida, Treasurer of CMMI, to convene the session. He then invited Dr (Capt) S Bhardwaj, Warden CMMI, to moderate the panel discussion.
Dr Bhardwaj set the theme by pointing out that we are now 9 months down the line since Cyber Security has been mandated for the shipping companies. But, as circumstances would have it, it comes at a time when the industry is grappling with issues of the global pandemic causing unprecedented disruption and hardships. Amid critical issues like crew changeovers and repatriation of seafarers, there has also, willy-nilly, been increased use of social media and an acceleration in digital adoption!
It is indeed time to take a Reality check on the very real threat of Cyber Security this industry faces.
We couldn't have anybody better than Ms Anu Khurmi, Managing Director - Global Services at Templar Executives, which is an expert contributor to industry including the very popular BIMCO Guidelines on Cyber Security Onboard Ships.
Anu leads on the Maritime Cyber Response Team (MCERT), a collaborative platform for global information threat sharing, cyber incident reporting and emergency response; also on consultancy including Maritime Cyber Risk Assessments (MCRA) aligned to IMO 2021; and the Templar Cyber Academy for Maritime (T-CAM), which provides certified training courses to further Cyber resilience capability and awareness across the Maritime ecosystem.
Prior to joining Templar Executives, Anu was a senior executive in IBM for over 20 years.
Interestingly, she is also Founder and Chair of Cyber Champions, a not for profit launched in 2011, promoting best practices in cyber skills and digital literacy for schools and communities across the UK and in March 2017 was awarded the 'Power of Women' Awards for Cyber Security.
An impeccable professional record and truly celebrated personality - we are indeed proud to have you Anu on this webinar all the way from London. Thank you very much.
Dr Bhardwaj: So, first things first - Can you give us some more insights into your company's involvements in the Maritime sector?
Anu: Templar Executives provides a portal for anonymous or direct reporting of Cyber incidents;
- Provides emergency response support and triage;
- Collects/analyses intelligence feeds to provide a rich intelligence picture including threat alerts and daily reports;
- Offers an industry forum for information exchange and collaboration;
- Offers a collaborative global Supplier Framework;
- Offers training and education courses from the Templar Cyber Academy for Maritime (T-CAM).
The World Economic Forum pointed out that in 2020, Cyber Attacks on critical infrastructure of Shipping was the 5th top risk in the world. Cybercrime is 600% up due to Covid-19. There are 230,000 new malware samples produced every day. Reasons have been varied, from Ransomware to State sponsored, Data breach, innocent and insiders, Malware and Virus, Terrorism, Espionage.
IMO defines Maritime Cyber Security Risk as a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in a shipping related operational safety or security failure as a consequence of information or systems being corrupted, lost or compromised.
It further affirms that safety management system should take into account cyber risk management in accordance with the ISM Code.
So Risk assessment of key threats and vulnerabilities is the main requirement. It (a) establishes the baseline capability and what you care about the most; (b) helps inform aspirational capability and the cost of achieving this capability; (c) inputs to the risk appetite discussion; (d) can be a critical input to strategy and plan to optimise return on investment; and (e) provides a means of monitoring and reporting of progress.
Dr Bhardwaj: This industry is only driven by regulations. No amount of guidance or best practices makes a difference. Either it has to be regulations or customer pressure. The methodology prescribed is integrating it with ISM. Very noble in perspective - idea being like Safety - do your evolving Risk and Vulnerability assessment and be prepared. Involve everybody - not just the IT guy's baby. Also, it can't be a Technical standard because of the rapidly changing technologies... and threats! Remember the hackers are 2 steps ahead always!
BUT ISM is largely perceived as a paper exercise and Cyber security is seen going down the same way, do some documentation and carry on business as usual. What are your views on this?
Anu: IMO 2021 is expecting the Flag States to impose the Best Practices. Yes, the journey starts with integrating with ISM but that would be a catalyst for companies to evolve and make IT a significant enabler of our commercial activities. It is an investment in business and one has to see the return on investment and the coverage of risk. It has to be looked at from a different mind-set, not as an issue or a challenge but as an enabler for business functions.
Dr Bhardwaj: As has been mentioned in your presentation, there are many sources of cyber attacks including state sponsored, organised crime groups and insider threats. As far as shipping is concerned where do you see the greatest threats emanating from and is there any collective action the industry might consider to reduce the threat?
Anu: Ransomware is the biggest area and that is growing, 50% of attacks account for this. This emanates from humans and we are also the best defence for it, provided we understand that. 80% can be avoided if human factors are addressed. Social media is the easiest way and we need to lock away ordinary information systems and be very careful about it.
Dr Bhardwaj: Whatever one may say, people see cyber-attack as a black swan event...may happen to others not to us. Do you have some cases to share, and can you establish the real threat landscape so that it can be looked at more seriously?
Anu: To give you a non-shipping example, which could happen to anyone really, last week we got a call from a CEO of a company in Ireland who was being blackmailed. That was a result of some stuff he put on social media. So a big company like Maersk may have the wherewithal to mitigate a cyber attack, but a small company may not, and every penny counts for them as well. Also, solutions need not be expensive, there are cost-effective solutions also available like training up your people. One has to look at smart solutions and they are there.
Dr Bhardwaj: From a legal perspective too, there is a 'seaworthiness' issue if a cyber-attack takes place. Yes, there could be legal consequences - owners' responsibility towards 'degree of fitness' goes beyond hull and machinery... ability & preparedness to deal with expected cyber emergencies. So what kind of Risk mitigation measures are there? The Response & Recovery, as is said.
Anu: Well, beyond the HR, there is also the supply-chain integrity that must be looked at; deal with only those companies that assure a degree of cyber security. The last thing is business continuity. You need to be able to respond to an attack, make sure everybody understands that and you practice that.
CMMI then administered a poll among the audience on questions designed by Ms Anu.
Q: To what extent are you concerned about cyber attacks in our sector?
Poll result: 78% - very much; Rest of them - moderately.
Q: Do you believe Cyber security is high priority for your organization?
Poll result: 90% - YES
Q: Does your organization have enough contingency plans in the event of cyber incident?
Poll result: 63% - already have; 37% - say No.
Q: Do you believe you know enough about cyber security and how it affects you, through the trainings provided by your organization?
Poll result: 43% - YES; 49% - Not adequate; 8% - no training provided.
Secretary General CMMI, Capt Bhasin then took up the Questions from the audience.
Audience: There is a new malware every 39 seconds, I don't think we have the Anti-virus to deal with such latest evolving viruses?
Anu: Well, cyber security is much more complex and anti-virus is just a small baseline part of it and a basic hygiene that has to be there. Ethically I do not wish to talk in public fora about how criminals and hackers work, but we certainly are equipped to deal with all those and have a powerful intelligence system on detecting imminent cyber-attacks, as technology emerges on how to deal with evolving threats, like deception technologies and thinking from the mind of the attacker. They sit in your systems and on an imminent threat they warn you so that you can take mitigation measures.
Capt Almeida: What are the motives for cyber-attacks on innocent ships at sea?
Anu: Financial of course! They obviously cannot steal the ship away. Also note that only so many are publicized but many go under the radar. There is terrorism, piracy resulting from cyber information compromise, kidnapping for ransomware... so there is a big concern. What happens if there is an impact on the scale of the Suez Canal blockage that happened recently? Not far-fetched at all!
Audience: While we exercise discretion on ships' data, there are many popular websites that exhibit ships' data worldwide?
Anu: Firstly, data is only a minuscule issue, there are a lot more impacts, but I do agree while we need to have the data on ships like AIS in order to protect them, but in light of what is happening, it does need to be looked at. Industry needs to get together on this review. So it is a much bigger question than what I can answer myself.
Audience: We don't even have a non-networked PC on board for use by outsiders like Agents and Draft Surveyors.
Anu: Yes, shipping is a very traditional industry and things can't change overnight. But like I said, it is time to look at it as a Supply-chain and get these people to fall in line.
Capt Daniel Joseph: With autonomous ships making way rapidly, do you see STCW mandating Cyber competencies in the next revision?
Anu: Yes, I do think this has to be a core part of the competency now and it can't be a separate agenda. But also there are organizations like IACS and BIMCO that are mandating Security at design stage in Autonomous ships where the segregation between OT & IT systems is rather blurred.
The session then came to an end with the customary Vote of Thanks by the CEO of CMMI, Capt Sasikumar.