February 15, 2017
When Howard Brown, MD of consultancy Templar Global Services, suggested to the IHSMarkit Risk Forum that cyber security is not an IT department’s problem but a board problem, he also meant it’s everybody’s problem.
Trouble is, too often what that means is it’s nobody’s problem, and one that the shipping industry has so far collectively failed to address. Malicious attacks are growing but are not always being reported, so their scale is hard to judge, though the scope for software errors is huge.
It’s not for want of trying of course. At present the industry can rely principally on BIMCO’s IMO-endorsed guidelines which serve as a practical text for managing corporate risks.
Perhaps it’s the complexity that is a problem, combining the apparently universal decline in mariner competence levels with a ‘smart shipping’ mindset that is increasing IT and Operational Technology risks. Systems of systems, original equipment with its own data streams, lack of training and in some cases lack of basic controls; the industry is hardly making it easy for itself.
As BIMCO’s Philip Tinsley told the forum, many owners still believe this won’t happen to them. “The work we have done has been to point out that if you don’t take mitigating measures and training you are making the chance of problems more likely. There has been a lot of lip service paid to this issue; a lot of people read the Guidelines but didn’t act on them, our drive this year is about action as well as awareness.”
In fact, as Brown pointed out, boards have a duty and responsibility to protect themselves and every organisation has something of value. “If you openly demonstrate weaknesses by failing to do the basics you will experience some form of attack,” he said.
But he added that the change needed is cultural as well as procedural, for crew at least. “Nationalities differ in the ways they perceive and understand this risk. They need to be incentivised to see cyber as an enabling environment. So perhaps if they want free internet access, then they need to show behaviours that don’t jeopardise that access.”
Equally important is that the board doesn’t see cyber purely as a cost to be swallowed. Rather, he argued, it is a business solution, protecting value and making sure the company has the exclusive use of its own data. “Because if someone else gets it, you may not have a business.”
Tinsley agrees that the strategy must come from the top down. If the owner and the master aren’t bothered, he reasoned, why should the crew be? Procedures and actions which cover operational and information technology from a basic level, and which can be understood in simple chunks, are the best place to start.
But despite the real and growing risk – and perhaps reflecting the recent dissatisfaction with the law-making process – neither Tinsley nor Brown thought regulation is necessarily the answer.
Regulations rarely move at the same speed as the business cycle, and if owners adhere to the BIMCO guidelines the need is lessened if not removed. Brown suggested that regulations could risk a race to the bottom rather than encouraging best practice. “What would be better is a mature ecosystem. Standards are appropriate but what is needed is leadership of the agenda, not a compliance focus. Crew need to respect the guidance, and understand the risks.”
The merit of regulation might be the need for reporting of issues and the forensic capability to track problems back to their source. Tinsley added that BIMCO’s Guidelines have been updated with feedback from industry, including new chapters from the insurance industry and addressing the ship-shore interface, since most cyber events occur as the ship enters port.
The obstacles that remain are both behavioural and financial. For the former, there is no point in controlling access to the engine room with a keypad lock if the code is written on the bulkhead.
Brown pointed out that even companies that have implemented cyber security measures need to keep them up to date. How companies are trained must be tailored according to their role, but the problems will vary by nationality and geography, since some cultures prefer a master and servant approach to a collegiate one.
In terms of finance, the poor state of the bulker, container and offshore markets means many owners have ‘$10 to spend on a $100 problem’ despite the issue moving ever more quickly. And like Y2K and piracy before it, there are multiple operators trying to commercialise the cyber problem.
The insurance market is acting too, with some general clauses appearing in policies, and it is possible that the mutual structure of P&I Clubs might help drive behaviour, since they have a vested interest in protecting themselves and their members from losses.
Ultimately though, the idea that someone else will pick up the tab is a false economy that extends from basic software management to critical safety systems. There is no profit in letting commercial incentive run before a business risk with potentially unlimited liability.
What matters instead is understanding the threat and taking appropriate measures, encouraging behaviour, culture and governance so that when an incident occurs the impact is understood and you have a back-up plan, Brown suggested.
To Tinsley, the issue touches on recruitment too. Ship-shore connectivity will only increase, but the industry won’t get the employees it needs if they can’t connect. “We must not hinder progress but we need security at the same time. The industry is in a good position if we face the issue and move it forward by putting procedures in place. These are risks that can be reduced and we urge industry to grasp the opportunity.”