Clearly, Cyber Security is becoming increasingly important in Shipping. Both owners and business managers have now largely recognized the role of IT in Maritime and have devoted considerable effort and budget to it. A Cyber Security strategy is not optional any more. Maritime organizations need to adopt one and practice it far beyond cosmetic measures.
In the context of the IMO 2021 cyber regulation, AMMITEC conducted empirical research on the cyber maturity and preparedness of shipping companies. A questionnaire was addressed to AMMITEC’s full members* (* IT Managers, CIOs and IT leaders of shipping companies) and was answered anonymously by 50 shipping companies in May 2021.
The research questions and the results, as presented below, provide very relevant feedback from the ICT leaders of the shipping industry and lay the foundation for a constructive discussion on current ICT conditions in the aftermath of the Covid-19 pandemic.
The Cyber Security Role
- Does your organization employ a dedicated person responsible for cyber security (CISO – Chief Information Security Officer, Ethical Hacker, Cyber Security expert but as a dedicated role)?
The chart illustrates that only 26% of the companies already have a distinct Information Security Officer (ISO) or similar Information Security executive.
In justifying the necessity for such a role, various criteria should be taken into consideration, such as a) the size of the shipping company, b) its cyber culture and maturity, and c) management commitment. The current threat environment demands in-depth engagement with cyber security, and it is becoming increasingly hard to balance heavy and often urgent IT workloads against ever-increasing Cyber Security requirements.
Provided that an organization is cyber mature, and management supports and invests in its cyber security strategy, the following arrangements are feasible:
- For small-to-medium shipping companies, this workload can be absorbed by the company’s internal structure, by clearly defining the responsibilities of each department involved (e.g. ICT, Legal, HSQE, Commercial etc.), provided that appropriate training is delivered.
- For larger shipping companies, a dedicated person (or even department) should be employed to undertake this role. This does not mean, however, that the responsibilities of the other company departments are waived: ensuring cyber security within the organization remains everyone’s duty. This person or department acts as the conductor and liaison for cyber security within the company, and its reporting line is of paramount importance in that context.
- If so, who does this role report to?
Although it is widely recognized that the Cyber Security role (CISO) should report to the CEO, so as to mitigate the conflicts of interest and security risks that can arise when reporting to the CIO or IT Manager, we see that in Shipping this is not the case.
The CISO role has evolved rapidly and is primarily expected to ensure security compliance; CISOs must therefore be able to function independently, in order to provide fair and objective risk assessments and guidance. If a CISO reports directly to IT Management, pressure is likely to be placed on the CISO to relax security so as to accommodate existing technology processes or solutions.
Sources of Information
- How do you stay up to date / informed of new / arising threats in information security?
Let’s blow our own trumpet here and stress the importance of AMMITEC’s role in providing its members with adequate knowledge and information sources, by organizing seminars and conferences with vendors, and by encouraging the exchange of information between IT professionals through the website forum and networking channel.
- What do you think is the major obstacle(s) in improving your organization’s maturity / preparedness in Cyber Security?
Shipping companies are still at a rather early stage of their cyber maturity journey. This may be largely attributable to a lack of management commitment. As with every major change that needs to be adopted successfully within an organization, management should decisively support every step of a cyber initiative. In practice this means investing in all facets of cyber security, including technical protection measures, cyber training and awareness, and, where applicable, expanding human resources.
The responses to this question confirm our hypothesis: poorly budgeted or under-staffed ICT departments are in most cases the result of a lack of management commitment. This is a factor that should be taken seriously into consideration when trying to evaluate the degree of a company’s cyber maturity.
- What security measures has your company implemented to ensure proper protection against cyber-attacks?
The responses regarding technical measures for cyber security are very encouraging. The vast majority of maritime companies appear to be progressing steadily on the technical side of their cyber maturity journey. Most of them have adopted the must-have solutions such as next-generation firewalls, advanced endpoint protection and IPS, and are also looking at more sophisticated solutions such as SIEM, SOCs, MDM and two-factor authentication.
We realize, however, that one of the biggest challenges IT managers face today is selecting the optimum mix of cyber security tools. How can we find the best possible solutions that minimize cyber risk while remaining within budget? Many vendors are aggressively promoting portfolios of promising maritime cyber security tools and solutions, some of them portrayed as panaceas for all our cyber security problems! Maritime IT leaders know better than that: there is neither a single cure for all illnesses, nor a single size that fits all.
AMMITEC, recognizing this important issue has decided to proceed with an initiative to create a set of ‘Guidelines for the Evaluation and Selection of Maritime Cyber Security Solutions’. This effort will be led by a joint Working Group with members from AMMITEC and all interested Vendors.
Training & Awareness
- Does your organization provide cyber security awareness training to the employees and crew-members?
- If so, is the training provided by 3rd party companies / By in-house expert(s)?
For the above two questions, we see that many are yet to be convinced of the benefits of security awareness training. It is widely reported that human error is a factor in most cyber security breaches. The main purpose of awareness training is therefore to create a culture of security within the organization.
One should always remember that no technical measure is bullet-proof. Even the strongest setup may be compromised by careless browsing, careless handling of email, typing passwords in a public place such as an airport, or a token left unattended in the office. One user’s loose behavior is enough for a breach. A cyber culture needs to be built, and the IT department needs to push for it. It takes a modern management to enforce otherwise “inconvenient” policies and “boring” procedures. In fact, management determination and users’ cooperation are equally required.
Cyber Risk Environment
- Do you assess the cyber security status of any 3rd party companies which are considered to be critical for your business (for example, ERP or email software vendors, airtime / telecom providers / charterers / major suppliers)? If so, how?
Third-party external cyber assessment is a relatively new offering in the market. These offerings typically combine publicly available data, such as block lists, source IPs of Trojans and other indicators of compromise, with the partner’s known IP ranges to produce insights into the partner’s externally visible cyber exposure. They produce a Cyber Risk Score for selected external partners, or for the company itself, much like the well-known financial credit scores used primarily by banks. Note that such scores only reflect what is observable from the outside (exposed services, listed addresses, leaked credentials); they say nothing about internal controls, and a shared or re-assigned IP range can attribute someone else’s findings to a partner.
This is certainly a very useful tool, especially for maritime companies which by nature cooperate with a great variety of global partners such as charterers, agents, commercial partners etc. The balance of usefulness against cost should, however, be assessed case by case, depending primarily on the degree of exposure to external third parties and their share of the shipping company’s overall cyber risk profile.
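To make the mechanics of such a score concrete, the following is an added example (not part of the original survey report, nor the product of any scoring vendor). It cross-references a partner’s declared IP ranges against an indicator feed and turns the hits into a credit-score-style number from 0 to 100. The partner names, IP ranges (RFC 5737 documentation addresses), indicator feed, categories and weights are all constructed for illustration; a real service would add recency decay, normalize for the size of the address space and de-duplicate shared infrastructure.

```python
"""Toy external cyber-risk scoring: match a partner's public IP ranges
against public block lists / IoC feeds and derive a 0..100 score.
All data below is constructed for illustration (RFC 5737 test ranges)."""
import ipaddress

# Hypothetical indicator feed: (ip, category). Categories and their
# penalty weights are assumptions, not any vendor's real scheme.
INDICATORS = [
    ("203.0.113.17", "trojan_c2"),
    ("203.0.113.42", "spam_blocklist"),
    ("198.51.100.5", "open_resolver"),
    ("198.51.100.77", "trojan_c2"),
    ("192.0.2.200", "spam_blocklist"),
    ("not-an-ip", "trojan_c2"),   # malformed feed entry, must be skipped
]

CATEGORY_WEIGHT = {"trojan_c2": 40, "spam_blocklist": 10, "open_resolver": 15}

# Constructed partner inventories: the public ranges each partner declares.
PARTNERS = {
    "charterer_a": ["203.0.113.0/24"],
    "agent_b": ["198.51.100.0/25"],
    "supplier_c": ["192.0.2.0/26"],
}


def parse_networks(cidrs):
    """Turn CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def match_indicators(networks, indicators):
    """Return the (ip, category) indicators that fall inside any of the networks."""
    hits = []
    for ip_str, category in indicators:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # a garbage line in a public feed must not abort the whole run
        if any(ip in net for net in networks):
            hits.append((ip_str, category))
    return hits


def exposure_score(hits, max_penalty=100):
    """Credit-score style: start at 100, subtract a capped penalty per finding."""
    penalty = sum(CATEGORY_WEIGHT.get(cat, 5) for _, cat in hits)
    return max(0, 100 - min(penalty, max_penalty))


def score_partners(partners, indicators):
    """Score every partner; keep the raw hits so the number can be explained."""
    results = {}
    for name, cidrs in partners.items():
        hits = match_indicators(parse_networks(cidrs), indicators)
        results[name] = {"score": exposure_score(hits), "hits": hits}
    return results


if __name__ == "__main__":
    for name, r in score_partners(PARTNERS, INDICATORS).items():
        print(f"{name}: score={r['score']} findings={r['hits']}")
```

Keeping the raw hits next to the score matters in practice: a partner challenged on a low score will ask which address and which list produced it, and the answer is often a stale or mis-attributed entry rather than a live compromise.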
- Do you carry out Penetration testing?
We see that more than a quarter of the respondents do not carry out penetration tests. In trying to explain this, we can safely exclude the possibility that an IT professional would underestimate the usefulness of pen-tests. The results more likely indicate that some IT departments either do not feel confident enough to engage in a third-party penetration evaluation, or do not have the budget to support it.
An adequate budget is a basic prerequisite for Cyber Security preparedness. In many cases, a tight budget may be the root cause for not carrying out penetration testing. Where even some of the necessary technical measures are rejected due to cost, a pen-test proposal may look like a merely ephemeral and costly benchmarking exercise.
- If so, at the office or also on vessels?
A penetration test is one of the most effective ways to validate security controls and to inform a cyber response plan. In a traditional office environment the process is quite straightforward and easily translated into technical steps. Traditional penetration tests, however, composed of phishing, impersonation, social engineering and (local) attempts to subvert access control, are not suitable for vessels: shipboard OT such as navigation, propulsion and cargo control systems cannot tolerate intrusive scanning or exploitation attempts while in service, and the crew is not an office workforce. There is an obvious need for simple, practical, non-intrusive and affordable ship-specific penetration tests, especially for large fleets where one-by-one testing is almost impossible.
Furthermore, the IT community needs to find ways to change the perception that “our ships are not at risk because we can always switch to manual systems if something goes bad” and convince the parties involved that an organization’s cyber security is only as strong as its weakest link!
- How frequently do you carry out penetration tests?
The responses to this question indicate that less than 50% of the companies have penetration testing as a standard practice in their security policies, while others simply “hope” that they will not fall victim to an attack. A surprising 23% replied that they have never carried out a penetration test.
- Do you disclose the results of the penetration testing to the Management?
The majority of the respondents confirm that the Management becomes aware of possible vulnerabilities in the organization’s systems, which, as previously explained, is a prerequisite for any successful cyber security policy.
Cyber Security Drills
- Do you carry out Vessel Cyber Security drills (as part of your SMS)?
The IMO 2021 regulation (Resolution MSC.428(98)) has taken effect from January this year: cyber risks must be addressed in the Safety Management System no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021. Depending on the anniversary date of the DOC, each company may therefore have some months before it is required to demonstrate compliance.
Cyber Security drills are part of the recommended contents of the Cyber Security Plan. Their purpose is to test the ship’s and the shipboard personnel’s response to cyber security incidents.
IT staff should be involved in drills and exercises to act as subject matter experts whenever a cyber security scenario is injected. Equally, the operations and technical personnel and crew who normally operate IT/OT equipment can and should help IT and security staff identify shortfalls in network security during a drill or exercise and provide their own subject matter expertise.
The “NO” answers to this question therefore indicate either that the relevant companies have not YET carried out any Cyber Security drills, or that drills are already taking place regularly but without the IT department being involved, which would explain the negative answer (they are simply not aware of the process).
Information Sharing & Reporting
- In cases of cyber – attacks against your organization, do you communicate the incident(s)?
This is a very critical point. While it is obviously important that actual or suspected security incidents are reported as early as possible, so that organizations can limit the damage and the cost of recovery, the responses indicate that most companies choose to stay quiet! Senior management might be unwittingly hindering the reporting of cyber security incidents.
- If you answered “No” to the previous question, please specify the reason why you do not communicate any cyber incidents:
There are many reasons why most companies avoid reporting, but the most obvious is that they do not want their investors and competitors to learn the full scale of the incident, fearing it will be read as a sign that the organization is in existential jeopardy. But do managers know what to do when confronted with security incidents?
In cases of serious breaches that require public disclosure, it is often the CEO who becomes the face of the breach; however, most CEOs are not familiar enough with cyber security to be responsible for such reporting. The lack of a proper reporting policy, or an inexperienced executive or manager making crucial decisions, may end up hurting the organization’s security posture.
- Would you be willing to ANONYMOUSLY report a security threat or incident to an AMMITEC-controlled database? Access to the database would be restricted strictly to Full Members. The purpose is to increase awareness and to increase pressure on management to take Cyber Security more seriously.
This is a positive vote by the maritime IT leaders, giving AMMITEC the stamp of approval to take an initiative and consider possible ways to implement such a solution.
- Would you be willing to ANONYMOUSLY report the key findings / remarks / recommendations from external Cyber Security audits / inspections of your company’s vessels (the point being to share information with other AMMITEC members)?
Clearly, such a targeted knowledge base would be a great source for enhancing and improving our security policies, technical measures, procedures and checklists, especially onboard vessels. To further improve the usefulness of such data, it could also be correlated with time and port. Standard shipping auditing bodies, such as PSC and Rightship, usually employ old-school inspectors, who will probably be replaced gradually by cyber-security-skilled ones in the years to come. A database of inspection cyber security findings would therefore be invaluable for keeping up with the particular demands of local inspectors.
Again, AMMITEC must play a key role in finding ways to implement such a database, with emphasis on anonymity and Shipping-oriented profile.
- Does your company have Cyber-Insurance?
It is encouraging to see that a third of all respondents already have cyber insurance coverage. We expect this number to grow rapidly. There is increasing demand for maritime insurance products and services against cyber-related risks, and maritime insurers are offering a wide portfolio of policies such as:
- LMA5403 Marine Cyber Endorsement Buy-Back (former CL380)
- Cyber H&M (Hull & Machinery) Cover
- Cyber LoH (Loss of Hire) Cover
We should note, however, that a cyber insurance policy is not an alternative to adequately planning and implementing Cyber Security in our companies. Risk assessment and risk mitigation policies are preconditions imposed by insurers before they offer coverage. Through their enrolment questionnaires, they seek evidence of extensive technical and non-technical measures demonstrating the company’s approach to cyber risk management.
In this regard, cyber insurance must be considered a complementary measure, in addition to the organization’s existing Cyber Security strategy.
Short to medium term Priorities
- In the next two years, which areas of cyber security do you think will be the highest priority for your organization? Please choose the top 3.
The Covid-19 restrictions and the ongoing “work from home” policies seem to have influenced the answers to this question, making “Remote workforce security” a clear winner. The remaining answers are spread fairly evenly, meaning that most of the above-mentioned cyber security areas will compete for our attention in the years to come.
The above results give a clear indication of the increased cyber maturity and awareness of Maritime ICT leaders. They also point to the inherently dynamic nature of the cyber security sector, which demands the continuous engagement of all the ICT fields involved!