Around 100 delegates gathered for a cyber security seminar on 12 September 2017, organised by IMCA in conjunction with OCIMF (the Oil Companies International Marine Forum) as part of London International Shipping Week.
- Allen Leatt, IMCA CEO, gave a short scene-setting address, noting that industry faced information cyber-warfare, against a variety of enemies, some of whom were able to stay one step ahead of the game by deploying more time and resources. He touched on aspects of the threat faced, and noted that industry would defend itself against the cyber security threat in a variety of ways, which would be discussed by experts at this event.
- Mike Hawthorne of the Aristos Parnership, gave an update on the threat posed by unauthorised access to vessel systems. Noting that it was vital that we understand our information technology systems, he drew attention to the risks posed by poor cyber hygiene – something as simple as weak passwords or open administrator rights. He showed how easy it could be to break into vessel control systems as a consequence of this. The cyber security of our supply chain should have the same priority as our own. He concluded by encouraging more sharing of information and better reporting, noting that a collective response was a more secure response.
- Jostein Jensen of Kongsberg spoke on cyber security in the maritime industrial revolution. He noted that increased digitisation across the 80,000 vessels in the world has increased communication paths and hence risk. It was important to ensure the security of the rapidly expanding ship to shore transfer of data. Operational technology and information technology were increasingly connected – industry was becoming a digital eco-system. As a result, hacking of vital vessel systems is possible and could have potentially catastrophic consequences. He concluded by noting that in this interconnected world, cyber security should be planned in – for people , processes and technology.
- Jonathan Roberts of Rolls Royce gave an interesting presentation on the cyber security issues of highly connected vessels and autonomous infrastructures. His key message was that insecure vessel systems or services were inherently unsafe. Working to ensure that such systems were safe and secure was the basis of cyber security and was everyone’s responsibility. He outlined some of the main sources of cyber risk, which included technical issues such as increased internet connectivity, and cultural issues, including lack of perception of the marine cyber threat landscape. He brought some thought-provoking case studies as illustration of the way in which cyber risks might affect the marine environment.
- Ian Hindmarsh of TechnipFMC brought the contractor’s perspective on remote access and cyber security. Remote access was important and there was a good business case for its increasing use, yet it posed significant risk to members’ operations in the context of cyber security. He noted that personnel could be at once the greatest asset and the most significant risk. In that context training and awareness, and a full understanding of how to manage change, were vital in addressing cyber risks. He concluded by noting that ship-owners needed to become more intelligent customers; security needed to be built into the supply chain, and a cultural change was required across the industry.
- Alex Ferrant of Context Information Security gave a brief and very interesting video demonstration of hacking into and taking control of certain common electronic devices including internet-connected cameras and smart phones. He noted that very often, the same design flaws and the same incorrect assumptions were repeated again and again, weakening cyber security and allowing access to attackers. These video demonstrations can be viewed on YouTube: GPS spoofing • SMS-based attack • IP camera hack
- Mate Csorba of DNV GL spoke on safe and secure remotely connected vessels. He noted that cyber security threats were evolving and becoming a part of our daily business. The actual safety of vessels and personnel at sea was increasingly dependent on cyber systems. He gave some interesting examples of recent cyber audit findings and recommendations, often matters of poor cyber hygiene, weak password practice or poorly understood security. He noted that costs were often perceived as a barrier to cyber security – “why should be pay for this?” – but noted that recent events may act as a wake-up call to the industry to take the threat more seriously.
Mike Hawthorne of Aristos Partnership summed up the seminar presentations and the panel discussion, noting that cyber security was starting to be seen as a serious threat by some CEOs. In the digitised world, there were many threats, perhaps most particularly to the very vulnerable supply chain. It was important to understand that cyber-attacks would happen – not if, but when. Information technology (IT) and operations technology (OT) both had a part to play – cyber security was not just an IT issue. He concluded by noting that industry needed to work together to address the threat, and effectively communicate that threat at board level.
Andrew Cassels, Director of OCIMF, provided some closing remarks. He noted that whilst it was important to do everything possible for cyber protection, attacks would get through. It was important to have good contingency planning and ensure that attacks had as little impact as possible. He concluded by reiterating the importance of educating and informing personnel. Managing and addressing cyber security should be the same as managing any other risk.