Linkedin: linkedin.com/in/richard-wagner-621bb811
R: Good day Mate, I would like to focus our attention today on Cybersecurity.
RW: Hi Ryan, thank you for considering me. Let me answer any questions that you may have.
General Cybersecurity Threats:
R: In your experience, what are the most common types of cyberattacks targeting vessels today? (Malware, ransomware, phishing, etc.)
RW: The most common types of cyberattacks onboard today are non-targeted malware that is introduced into business systems through email (phishing), removables (USBs), and via unauthorised software downloads.
Certain news articles have highlighted potential targeted attacks on shipping recently. At CyberOwl, we have been tracking specific threat actors over the last few years, in particular “Plug X” malware which spreads via USB devices and is therefore relatively common onboard ships where USB devices are frequently used. However, in our experience the most common driver of cyber attacks – nearly 90% – tracks back to poor implementation of cyber security controls or human error.
R: How has the increasing automation and digitalization of ships made them more vulnerable to cyberattacks?
RW: We can broadly split these into 3 areas: System, Supply Chain and the Human-Element.
The first relates to an increased attack surface where automation and digitalization have led to more interconnected systems and devices on board ships. This network of interconnected systems provides even more entry points for attackers to exploit and pathways to spread.
Until relatively recently, operational systems onboard were more reliant upon the “air gap” to prevent spread of malware to other networks. Increased connectivity means that this “barrier”, which often forms a crucial (and sometimes the only) protective control, is no longer effective. Whilst disruption to IT or business systems generally causes less operational impact, more networked systems means it might be easier for threats to spread into the operational technology (OT) network of the vessel, causing disruption or unavailability of critical control systems, such as navigation, cargo control, and power management.
This is problematic because these OT and 3rd party systems often contain legacy software which cannot easily be patched nor can they install enterprise endpoint protection. This creates a greater susceptibility to compromise and potential disruption.
Second, the maritime industry relies on a large and complex supply chain, including third-party vendors for software, hardware, and services. Compromising any part of this supply chain can provide attackers with a pathway to access ship systems. For example, onboard the vessel we see more reliance on remote access for monitoring operational efficiency, but this also provides opportunities for attackers to gain remote access and control if cyber security monitoring of these policies and processes is not in place.
Third relates to the human-element. The operational flexibility needed on board to run and maintain operations ultimately means “operations trumps security”. Despite best efforts to provide crew and onboard staff with training in cybersecurity practices, this is still problematic. Over 95% of the cyber incidents on vessels CyberOwl monitored during 2021-2022 could be linked back to the unintentional insider.
Unintentional human errors such as falling victim to phishing attacks or failing to follow security protocols make vessels more vulnerable to cyberattacks. The vast majority of this relates to actions that explicitly contravene the cyber security policies of the organisation, which is often directly referenced within the Safety Management System.
Richard Wagner (Left of screen), Cybersecure at Sea 2024, 23 May 2024 (Photo: CyberOwl)
R: What are the potential consequences of a successful cyberattack on a vessel? (Safety hazards, environmental damage, financial losses)
RW: CyberOwl launched a second report in 2023 co-produced by Thetius alongside HFW: Shifting Tides, Rising Ransoms and Critical Decisions (which can be downloaded: here) on the state of maritime cyber risk. In it we highlighted that cyber-attacks have cost organisations on average more than US $545,000 over the last three years. This is a 200% increase since our 2022 research and the average price paid for ransom is now US $3.2 million.
Whilst the direct financial implications can be considerable for most shipping companies, the indirect and non-financial implications can be problematic. Interruption to onboard fleet operations (ERP, email and business applications), time and costs for system replacements, and loss of vessel performance information are not uncommon. However, aside from loss of charter and the ability for the vessel to maintain operational capability, the reputational risk of a cyber-attack carries the most concern for shipping operators.
Cybersecurity Protocols:
R: What best practices can shipping companies implement to improve their cybersecurity posture onboard vessels? (Crew training, network segmentation, software updates)
RW: Often when I hear cybersecurity being discussed, it is commonly talked about in terms of “People, Processes and Technology”. Whilst best practice inevitably lies in a combination of all three and getting the balance right, I would say that best practice should start with measurement.
This means getting the visibility from your systems by collecting data, analysing, and identifying cybersecurity Key Performance Indicators (KPIs) so that you can identify areas of weaknesses and whether they are human or technical, in order to know where to improve and which security controls, training and policies might help you do that.
Think about this as a balance scorecard or compliance cybersecurity scorecard. If you can measure, then you can identify areas for improvement, hold yourself accountable to improving it and support the business case for the resources for continuous improvement.
Asia Pacific Maritime, 13-15 March 2024 (Photo: APM)
R: What role can technology itself play in preventing cyberattacks? (Cybersecurity software, intrusion detection systems)
RW: As mentioned above, human error constitutes around 90% of cyber incidents observed onboard. The starting point is to identify the root cause of weaknesses in current policies, processes, and security controls currently in place. Typically this will require a company to invest in its capability to effectively monitor and measure the level of cyber hygiene in place. Technology can then play a key role in helping improve these points of weakness to prevent a cyber attack.
But be aware that implementing traditional cybersecurity controls doesn’t necessarily work as well on the vessel.
- Crew frequently change, which renders user-based identity management much less workable.
- Actively managing vulnerabilities to 3rd party critical systems can’t be managed easily (if at all).
- Blocking access, e.g. to the internet and for removables, creates too much inflexibility for an operational environment.
This is why a preventative approach needs more than just technology to be effective.
Before a company invests funds into new cybersecurity technology, they need to ensure that they also have the right resources to manage this tooling effectively. Otherwise, you risk deploying a range of different technologies that require more time, attention and management than most IT shore teams have at their disposal.
International Regulations:
R: What are the current international regulations regarding cybersecurity in the maritime industry? (e.g., IMO Guidelines on Maritime Cyber Risk Management)
RW: The International Maritime Organization (IMO) has issued Resolution MSC.428(98) which came into force 1 January 2021. This regulation has since been complemented by other guidelines; the best known in the industry are those developed by the Baltic and International Maritime Council (BIMCO) for cyber risk management. These lay out high level recommendations for ship operators to incorporate cyber risk management into their Safety Management System.
Other guidance sits in the form of optional (non-mandatory) vessel cyber notations from the classification societies, as well as a number of specific cyber advisories from port states e.g. US Coast Guard and other industry association requirements from the likes of OCIMF and RightShip.
Richard Wagner (2nd from Right), MaritimeSG Shipping CyberSafe Scorecard, 17 April 2024 (Photo: SSA)
R: Are these regulations sufficient to address the evolving cyber threat landscape?
RW: The current set of guidance is not overly prescriptive, which creates some confusion and lack of clarity for many shipping operators. To help address this, IACS have published UR E26 “Cyber Resilience of Ships” and UR E27 “Cyber Resilience of On-Board Systems and Equipment” which come into force on 1 July 2024. Whilst this promises to bring much more clarity and harmonisation across the guidance, this initially only applies to new build vessels constructed after 1 July 2024.
These are certainly aiming to address some of the key challenges, notably:
- Clarity. Address the current ambiguity by defining the minimum security control requirements that will help to defend against cyber-threats and improve the overall cyber-resilience of shipboard systems.
- Improved supply chain resilience. By defining minimum security standards required from OEMs and system integrators that sit across hardware, software, and integrated systems across the vessel, this should ensure a more consistent and higher level of cyber resilience onboard.
But there still remains a challenge since these regulations will take at least a year to come into force and even then, it will only apply to a small percentage of a ship operator's vessels – not the whole fleet.
This fragmented approach is partly why the industry decided to step up and take matters into its own hands. Here in Singapore, the Singapore Shipping Association (SSA), with support from the MPA, launched the MaritimeSG Shipping CyberSafe Scorecard (Scorecard).
The objectives are 3-fold:
● Identify areas of weakness: Since this was designed specifically for vessel systems and fleet operations (and not shore based systems), it only focusses on security controls that are relevant onboard the vessel.
● Benchmark against peers: The Scorecard allows for onboarded companies to benchmark their cyber maturity against peers.
● Supports continuous improvement: The Scorecard sets out maturity levels for each area of security control and details specific outcomes required to improve the current posture.
For those shipping companies not yet registered they can participate in the Scorecard and stay up to date with progress here: https://share.hsforms.com/1CYknBgkxTSiL62ucX1gpiw20ekh
Future of Maritime Cybersecurity:
Richard Wagner (Right), receiving The CyberCall 2021 award, officially given at the Cybersecurity Innovation Day 2022, 31 August (Photo: CyberOwl)
R: What emerging technologies do you see playing a role in improving maritime cybersecurity in the future?
RW: There is an instinctive response these days to answer this type of question with AI or machine learning! However, in practice and working closely with the sector, there are some more basic improvements required before moving to adopt emerging technologies. This is exactly the reason the industry decided to work together to develop the Scorecard, so that we could better understand systemic risks across the industry.
There are some technologies that are helping to improve the position, especially in the short to medium term. For instance, we know that better connectivity enables improved visibility to support onboard security and compliance management. Technologies that assist the crew to follow more secure behaviour onboard and better ship-shore data exchange will also improve the ability to identify systemic risks.
Ultimately the key outcome should be focused on how we manage to embed security and resilience into the technological infrastructure and supply chain. This is always going to be cheaper and more efficient than attempting to add it on afterwards.
Across maritime cybersecurity, I believe the key focus should sit around addressing the human behavioural element, which is so often the root cause of the majority of cyber incidents. So, technology that enables us to positively measure, manage, and mitigate (or reduce) the human behavioural risk factor should play a pivotal role in improving the overall cyber posture in the future.
R: How can collaboration between governments, shipping companies, and cybersecurity experts be improved to address cyber threats?
RW: Collaboration – not competition – is what helps create a stronger supply chain resilience. Exploitation, compromise, and disruption will occur where the supply chain is weakest.
Unfortunately, there is no silver bullet. I was involved in setting up the Maritime Cybersecurity Roundtable in 2022 through an MOU between SSA, MPA and seven industry partners (BW Maritime Pte Ltd, Eastport Maritime Pte Ltd, Ocean Network Express Pte Ltd, Orient Maritime Agencies Pte Ltd, Pacific Carriers Limited, Pacific International Lines Pte Ltd and Thome Ship Management Pte Ltd) to strengthen cybersecurity capabilities of the maritime industry in Singapore.
The objective is to establish initiatives to improve maritime cybersecurity collaboration through information sharing, growing a leading talent pool for maritime cyber skills in Singapore, and facilitating greater awareness and access to maritime cyber solutions.
Fortunately we have a strong focus across the working group and support from its leadership to help deliver on some of these initiatives. Alongside the Scorecard launch we expect to announce a maritime cybersecurity training programme in more detail later this year. So stay tuned for more information.
R: What is your overall outlook on the future of cybersecurity in the maritime industry?
RW: I wish I had a crystal ball! I think a different way to reframe the question is, are we putting in place the right foundations now so that we can be confident in the outlook for the future? I think we are definitely heading in the right direction after a very slow start at the turn of the decade.
We are seeing improvements at each part of the ecosystem that simply weren’t there even 1 or 2 years ago.
At the operator level, there is generally better alignment and co-operation between internal teams on cybersecurity (we certainly aren’t there yet, but it's definitely a marked improvement).
At the governmental and association level, there are a number of initiatives across key shipping markets in the US, Norway, and Singapore for example, which are setting the benchmark for what is possible. The challenge is how these initiatives work together for the greater good and encourage wider adoption outside their core markets.
At the regulator level, there is more harmonisation and clarity across minimum security standards. We are human and sometimes we do need very prescriptive information on what is required. Shades of grey create more complexity and uncertainty. Regulation is starting to take shape and provide the “stick” that many in the industry have been asking for, for several years.
Richard Wagner (2nd from Right), Singapore Shipping Association 37th Anniversary Gala Dinner 2023 (Photo: Richard Wagner)
Bonus Questions!
R: Can you share a specific example of a cyberattack on a vessel and the lessons learned?
RW: For good reason we can’t publicise many of the cyber incidents that we see and monitor within the CyberOwl managed security service, but we have published a cyber incident case study in one of our recent maritime cyber risk reports called “The Great Disconnect”. This can be accessed directly from our website: www.cyberowl.io
What I can say with absolute confidence is that when a cyber attack happens, this is not the time to be writing your incident response plan and your playbooks!
R: What resources would you recommend for someone who wants to learn more about maritime cybersecurity?
RW: There are plenty of resources available, but a good starting point would be to read one (or both) of the maritime cyber risk management reports that Thetius produced on behalf of CyberOwl and HFW in 2022 and 2023. These can be downloaded from the website: www.cyberowl.io