The shipping sector has recently been facing wave after wave of setbacks as various economic and world events have caused disruption to the industry. The current pandemic has created a significant number of challenges for shipping companies, and cruise ships in particular, as global travel restrictions have been put in place and social distancing rules disrupt our usual way of working. However, BIMCO representative Peter Sand has stressed that the industry's setbacks are not a result of COVID-19 itself, but rather a ripple effect of its spread, in which the introduction of the 2020 sulphur cap by the International Maritime Organisation and the failed attempt at the US-China phase one trade agreement have also had a profound impact.
In these challenging times for the Marine and Offshore sector, a cybersecurity breach could do much more harm than usual. So how do businesses within this sector manage the risk of a cybersecurity incident taking place? And what can be done to minimise the potential for further disruption as we navigate our way out of the current storm?
In this blog post, we look at four ways in which shipping companies can mitigate risk by making some quick improvements to their cybersecurity posture.
Setting strategic cybersecurity objectives
Setting a clear and decisive action plan for how your business is going to implement a cybersecurity strategy need not be a painful exercise. However, the success of your cybersecurity strategy is dependent on the ability of the organisation to implement it from the top. Without a senior leadership team who are on board with it, the strategy will lack vision and oversight from key decision makers within the business. This means it is very unlikely that anyone else within the business will follow your cybersecurity protocol, as there will be no common goal that teams are working towards, and small pockets of uncoordinated excellence will develop instead.
By establishing a team to focus on cybersecurity, you can ensure there is a dedicated division of your organisation that can focus on achieving the goals of your cybersecurity strategy. However, for organisations that may not have the resources to devote a team to cybersecurity, the Nettitude and LR Cybersecurity Framework (CSF) and the NCSC cybersecurity guidelines are an excellent place to start, as they provide a handrail for guiding your organisation on how to make realistic change. These frameworks should be holistic in nature and consider far more than just traditional class-based activities that are solely focused on the vessels. They should also cover shore-based operations, third parties and cloud services, as well as the vessels themselves.
For more information on setting and implementing strategic objectives, take a look at our blog post on ‘5 steps for creating an effective cybersecurity strategy’.
Hiring cybersecurity providers with the right skills and capabilities
Having dedicated fleet security staff who are experienced in modern administration and technologies, and who are empowered to make potentially disruptive change, can make a significant improvement to security posture. Nettitude frequently see organisations that have recruited cyber specialists but have not empowered them to effect change outside of their own department, instead forcing multi-month change processes for small amendments such as removing cleartext network management protocols. Where IT and OT systems add greater complexity, each system should be assigned a dedicated security-focused member of staff, who reports into the organisation-wide security committee and steering groups.
In addition, recruitment criteria can be amended to allow experienced systems administrators or security personnel to transfer into the M&O space. In this sense, we recommend removing restrictions such as the requirement for staff running IT systems aboard vessels to have 3-5 years of experience on a superyacht, as this narrows the recruitment pool and prevents otherwise competent IT staff from applying and implementing modern practices and technologies.
For small and medium enterprises (SMEs), which may not necessarily have the resources to designate staff to cybersecurity, Managed Security Services can often be a good option and a more effective way of making the most of your budget. Nettitude are able to work with businesses with varying budgets to create a tailored managed security solution. Visit our MSS webpage for more information.
Third parties and appropriate Evaluation Assurance Levels (EALs)
Third-party outsourcers and their products should also be validated and tested to ensure that they do not present an easier route into your organisation. In addition, you should ensure that the third party can prove that their software was developed in a secure software development lifecycle or is aligned to appropriate Evaluation Assurance Levels (EALs). Larger businesses with greater buying power may be able to insist on attending vendors' headquarters to verify that their administrative practices are up to standard (for example, that credentials for each vessel are unique, and that access to vessels is prevented except for maintenance workers).
What's more, assurance testing should be conducted at both organisational and component levels to provide the level of assurance required to ensure that cybersecurity threats can be mitigated effectively. For more information on assurance testing, speak to the Information Security Consultancy Team in your local area.
Simulating the cybersecurity response to potential impacts
Incident response, crisis scenarios and table-top exercises can all help an organisation to iron out friction in their playbooks, as well as highlighting gaps in their defensive posture. In Nettitude's experience, these activities and their findings often act as the catalyst for meaningful change in an organisation. For organisations with a dedicated cybersecurity team, these types of activities can easily be initiated in house. However, for SMEs, where there is less likely to be a dedicated cybersecurity resource, it can be helpful to use external resources to help you test your incident response. For more information on incident response tests, take a look at the further helpful information on our website.
Overall, clients in the M&O space are unfortunately an attractive target for attackers. However, by implementing modern enterprise IT practices around people, processes and technology, as well as implementing a cybersecurity strategy and carrying out regular cyber hygiene best practice, it is possible to drastically reduce the likelihood and severity of a compromise.
For more information on mitigating cybersecurity risk within the M&O sector, please download our full whitepaper here.