The need to recognise the potential risk and to prioritise cyber security at board level was highlighted by the Deputy Director of Loss Prevention at North P&I Club when addressing the maritime world.
For many of us, especially the "landlubbers", these are familiar words and a known requirement when implementing risk governance and risk management strategies within the workplace. Arguably, too, this advice has been given to the maritime fraternity before, including details of the potential consequences should a cyber risk actually come to fruition.
The days of pirates with eye patches and elaborate hats are long gone, replaced by those with guns (albeit over a decade ago). Whilst measures have been put in place to try to mitigate that risk, the "new" pirate has been readying itself, in the form of noughts (0) and ones (1), to make its attack; not only through external hackers looking to exploit poor (or absent) system hardening and known vulnerabilities, but also through a lack of employee cyber security knowledge, for example:
- Crew using infected USB sticks, resulting in the infection of ships' computers and navigation systems.
- Default account credentials being left in place (e.g. on VSAT communications equipment), allowing potential access to the vessel's IT systems.
Cyber security mitigation should really be part of the bread and butter of corporate life, with leadership, direction and governance provided from the top, and with risk management practices implemented throughout the whole company (not just left to the IT department to resolve). Direction has been provided to the maritime world on a number of occasions, and there is evidence that some have taken heed, but not all. As such, the International Maritime Organization (IMO) is looking to bring cyber risk management within the International Safety Management (ISM) Code from 2021, with penalty clauses that may result in the detention of vessels.
So, the NotPetya attack that left the Danish shipping giant Maersk with financial losses assessed at around $300 million may be just what the maritime industry needs to fully wake it up and to meet this new pirate head on.
Risks can be mitigated in line with tolerance levels and risk appetite, IT systems can be securely configured and managed, and staff can be properly trained on both cyber risks and the appropriate policies, BUT none of this will happen if the board maintains a "do as I say, not as I do" attitude and does not accept that the old pirates (albeit still relevant) are not the only pirates on the block, and that there is a high probability of some collaboration between the old and the new.
Yes (in my opinion) the IMO should be applauded for trying to address this situation, but should it have come down to this?
- Risks posed by cyber threats have been around for a long time now, and they will continue to come (in numerous guises),
- So too have various risk methodologies aimed at helping to implement appropriate measures (Plan, Do, Check, Act etc.), and
- So too has this not so "new" pirate been in the making, and there is no doubt that the "new new" pirate will be knocking at the door soon.
In preparation for the next attack, boards need to "buy in" and "pitch in", and be seen to be doing so, whilst instilling proper and relevant leadership, direction and governance into the company!
Reference: DNV GL, September 2016 – Cyber security resilience management for ships and mobile offshore units in operation (DNVGL-RP-0496) – http://www.gard.no/Content/21865536/DNVGL-RP-0496.pdf