Do you have a cyber pirate onboard?
You might be up to speed on digitisation but are you ready for digitisation? Digitisation is booming and is driving innovation and efficiency improvements. However, cybercrime is a growing problem and also poses a significant threat to the marine industry.
It’s not a matter of if but when
Cybersecurity is a hot topic, and many shipowners fear online pirates. A research* study from Danish Shipping shows that 50% of all Danish shipowners fear a cyber attack, and they are right to do so. 69% of the CEO panel confirm that their company’s IT systems have been subject to an attempted attack. This tendency is confirmed by Cyber Security Architect Per Christensen from Prevas*, who is also a member of IEC ACSEC*. According to Per Christensen, it is not a question of IF but WHEN you will be hacked. In recent years, the industry has suffered from cyber attacks that caused severe economic damage to the companies involved. One of the most well-known was the NotPetya attack in June 2017, when Maersk, the world’s biggest carrier of seaborne freight, fell victim. Many container ships stood still as a result, causing massive financial losses.
Don’t have a cyber strategy? – Get it done
Given that many shipowners fear cybercrime, it is surprising that not many have taken the precaution of making a cybersecurity strategy. Per Christensen states that many ships have cyber pirates on board long before the attack is detected, and he urges shipowners to have a strategy that makes the vessel less vulnerable to attacks and prescribes what to do during an attack.
We asked Per Christensen how to improve cybersecurity. Check out his advice below.
How to improve cybersecurity
Educate your crew
Personnel pose the most significant risk to your cyber safety, and educating the staff about potential risks and how to behave is of utmost importance to improve your cybersecurity.
Are you aware that everyday actions often open up access to IT and OT systems? One common way for hackers to enter a ship’s system is through the crew’s smartphones when they are charged via a PC onboard the vessel. Make sure to have power sockets that are running on networks separated from the IT and OT systems. Needless to say, password security is of high importance. Nevertheless, it is often neglected, and seeing password notes is unfortunately not a rare sight. It is crucial never to write down passwords and to create strong passwords that are impossible to crack. Alternatively, get rid of passwords by using new technologies, such as ID cards, two-factor authentication (2FA), single sign-on (SSO), etc.
Build a resilient system
Designing a cybercrime-proof system is not an easy task, but a lot of things can be done. Cyber Security Architect Per Christensen works with global customers, and his experience is that separate IT and OT networks, gated with firewalls, complicate hackers' access to the complete system. He also stresses the importance of keeping software updated.
Integrate only proven products
According to Per Christensen, you can strengthen security by being discerning and strictly using products that have been thoroughly tested with cybersecurity in mind.
Many national and international initiatives are already underway. For example, ENISA, the EU Agency for cybersecurity, is introducing an EU-wide cybersecurity certification framework for ICT products, services and processes to increase security and trust. One way to test your control system is to perform a network storm test, which evaluates the system’s performance when subjected to high network loads. At DEIF, we perform network storm tests on our controllers, pushing them to the limit before putting them on the market.
Identify your leaks and have your IT and OT security evaluated
Building a resilient infrastructure and identifying potential leaks is complex, and it is advisable to find a partner that can assist you. The market is booming with potential partners, but Per Christensen's advice is to go with a partner with industry knowledge. He also highlights the classification companies as trustworthy partners. DNV GL is one of the world’s leading classification companies, and also one of the frontrunners within cybersecurity. DNV GL offers a range of cybersecurity services and certification that will ensure your system will be extremely complicated to hack.
If you are not already working on securing your systems against cybercrime, we strongly advise you to give it priority for the sake of your business and your staff.
* Prevas is a technical IT company that offers solutions, services and products to customers who are developing products with high IT content or who need to streamline or automate their operations. Prevas was founded in 1985 and has a business focus on product development, embedded systems, industrial IT, and automation.
* ACSEC deals with information security and data privacy matters which are not specific to one single technical committee of the IEC. It coordinates activities related to information security and data privacy and provides advice to the SMB on those subjects. ACSEC guides TC/SCs for implementation of information security and data privacy in a general perspective and for specific sectors.