It is somewhat ironic that the biggest threat to the cybersecurity of organisations might also be the best defence against it.
According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve a human element, such as a user clicking a link in a phishing email. That is pretty damning for the humans involved, but it ignores the fact that, of the many millions of cyberattacks made daily, the majority are unsuccessful because of human alertness.
On board ships there are many ways in which human fallibility can allow a cyber threat to succeed. Crews can be trained to guard against them, but no human is infallible, and even the most alert can be fooled or can simply click on a link by accident.
Because ships rely on their communications systems and on many other electronic devices such as ECDIS and engine management systems for safe sailing and navigation, cyber security should be an integral part of the ship’s safety management system under the ISM Code. That would imply procedures should be in place to identify and protect against threats.
However, that introduces the first aspect of the human element. Unlike shore staff, ships’ crews are often transient employees provided by a crewing agent and therefore unlikely to be familiar with the cyber security procedures put in place by the ship operators. Every crew member should undergo a familiarisation process when joining a vessel but often this is ignored or poorly carried out.
Getting to know the systems
Familiarisation should ensure that a new crew member is fully acquainted with the ship, the equipment they will be required to use as part of their duties, and the ISM procedures that affect them. While the first two may be addressed, albeit sometimes to a limited extent, familiarisation with procedures is often little more than a box-ticking exercise, as the crew member has almost no chance to absorb the whole of the ISM system procedures in the short time allowed.
Another factor is that familiarity with equipment comes quite naturally to crew, who will likely have encountered the same or very similar kit on numerous vessels. Familiarity with procedures is less easy to gain, as the processes can be very different from ship to ship. Ships would be far better protected against cyberattacks if operators worked together to adopt a common, industry-wide standard for procedures.
Such procedures should cover the use of data transfer devices (USB sticks, CDs, DVDs, SD cards and similar media), the use of passwords, and the permitted use of personal equipment such as smartphones, tablets and laptops. Wherever possible, the use of data transfer devices should be limited to checked and approved equipment permitted only for company purposes. Using networked computers for viewing family photos or other personal uses should be prohibited, or permitted only on isolated standalone computers.
In the early days of shipping companies allowing crew calling communications, it was normal for there to be a single dedicated telephone or maybe a computer terminal allowing emails. Although a massive advancement in crew welfare, this arrangement was not ideal and often caused conflict and resentment when crew could not access the equipment in their spare time in periods of high demand for its use. The modern alternative of allowing crew to use their own devices over a network may have solved the conflict issue but has also multiplied the potential avenues for attack.
Operators that allow use of personal devices should set up a rule regarding their use. If personal or mobile devices are allowed, then they must be equipped with the necessary security measures, including password protection and data encryption, and they should be monitored by the IT department. Some crew may see this as intruding on privacy, but the integrity of the ship’s systems should be the priority.
Ships may not be a prime target for cyberattacks aimed at stealing customer and client personal and credit card data, but they are equally at risk from phishing and ransomware attacks. It has been estimated that the number of cybercrimes is increasing at a rapid rate, and the costs related to it are expected to reach $10.5 trillion by 2025.
The presence of the human element means that relying on technical tools and solutions is not enough. Crews and shore personnel need training in practising good digital hygiene and guidance on what to be alert for. This training can combine discussion meetings or workshops on board at regular intervals with some form of testing, whereby harmless spoof messages are sent from shore that encourage recipients to click through on a link in the same way a phishing email does. Crew who are repeatedly caught out by these messages can be identified and given further training and guidance.
A good example of this is the anti-phishing feature on GT Maritime’s GTMailPlus. This provides a means of ensuring that staff are educated on how to spot and deal with a potential phishing attack. To help customers assess how vigilant their staff are at spotting potential phishing attacks, GTMaritime are offering customers the chance to take up a free anti-phishing penetration test.
The test will send an email to staff requesting information, and upon completion a report will be provided detailing if any staff complied.
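The tracking step described above, turning the results of spoof-message tests into a per-campaign report and a list of crew who are repeatedly caught out, is shown here as an added example in Python. It is not GTMaritime's code and not part of the original article; the log format, the campaign names and the crew ids are constructed for illustration.

```python
"""Tracking phishing-simulation results across campaigns.

Added example, not GTMaritime's code. The log format and crew ids below are
constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Actions recorded per recipient. "clicked" and "submitted" count as failures;
# "reported" means the recipient flagged the message to the security contact.
FAIL_ACTIONS = {"clicked", "submitted"}

# Constructed sample log (campaign, crew member, action). Ids are invented.
SAMPLE_LOG = """\
campaign,crew_id,action
2024-Q1,C001,delivered
2024-Q1,C001,clicked
2024-Q1,C002,delivered
2024-Q1,C002,reported
2024-Q1,C003,delivered
2024-Q1,C003,clicked
2024-Q1,C003,submitted
2024-Q2,C001,delivered
2024-Q2,C001,clicked
2024-Q2,C002,delivered
2024-Q2,C003,delivered
2024-Q2,C003,reported
2024-Q3,C001,delivered
2024-Q3,C002,delivered
2024-Q3,C002,clicked
2024-Q3,C003,delivered
"""


def parse_log(text):
    """Group actions by crew member and campaign: {crew: {campaign: {actions}}}."""
    per_crew = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        per_crew[row["crew_id"]][row["campaign"]].add(row["action"])
    return per_crew


def crew_summary(per_crew):
    """Per crew member: campaigns received, campaigns failed, credentials submitted, reports made."""
    summary = {}
    for crew, campaigns in per_crew.items():
        failed = sum(1 for acts in campaigns.values() if acts & FAIL_ACTIONS)
        submitted = sum(1 for acts in campaigns.values() if "submitted" in acts)
        reported = sum(1 for acts in campaigns.values() if "reported" in acts)
        summary[crew] = {"campaigns": len(campaigns), "failed": failed,
                         "submitted": submitted, "reported": reported}
    return summary


def repeat_offenders(summary, threshold=2):
    """Crew caught out in at least `threshold` campaigns: candidates for further guidance."""
    return sorted(c for c, s in summary.items() if s["failed"] >= threshold)


def campaign_report(per_crew):
    """Per campaign: recipients, failure rate and report rate (the shore-side report)."""
    per_campaign = defaultdict(list)
    for campaigns in per_crew.values():
        for campaign, acts in campaigns.items():
            per_campaign[campaign].append(acts)
    report = {}
    for campaign, all_acts in sorted(per_campaign.items()):
        n = len(all_acts)
        failed = sum(1 for acts in all_acts if acts & FAIL_ACTIONS)
        reported = sum(1 for acts in all_acts if "reported" in acts)
        report[campaign] = {"recipients": n, "failure_rate": failed / n,
                            "report_rate": reported / n}
    return report


if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    for campaign, stats in campaign_report(data).items():
        print(f"{campaign}: {stats['recipients']} recipients, "
              f"{stats['failure_rate']:.0%} failed, {stats['report_rate']:.0%} reported")
    print("needs further training:", repeat_offenders(crew_summary(data)))
```

The report rate is tracked alongside the failure rate because a rising number of crew who report the spoof message, not merely a falling click rate, is the clearest sign that the training is working.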
To be effective, training needs to be interesting and entertaining and, above all, must avoid letting a blame culture develop. There are specialist service providers that can assist in this regard. Given the multinational makeup of ship crews, it is also recommended that the training be understandable to a wide range of people. Using jargon to describe how to deal with threats may be counterproductive if it is not understood.
Part of the training should be to make clear to crew the consequences of a cyberattack succeeding. Some may believe that cyberattacks are all about stealing credit card details or some other financial crime and may not be aware that a malicious virus could actually stop vital equipment on board functioning. If they are made aware of the problem, they will likely be more vigilant.
One final thing to consider is ensuring that at least one person on the ship has the necessary knowledge to manage the cyber threat. He or she should be able to make checks on equipment to ensure that password protection is in place and that the passwords chosen are strong enough and to help crew improve the security of personal devices.
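A check of the kind this designated person could run over the ship's equipment, as an added example in Python that is not from the article: it verifies that each device in a small constructed inventory has password protection enabled and that the password in use meets a policy. The policy thresholds, the short weak-password list and the device names are assumptions. In practice the strength check is applied at the moment a password is set or changed; the inventory here carries plaintext passwords only so the example can run offline, and no such list should be kept on a real ship.

```python
"""Equipment password audit for a ship's designated cyber contact.

Added example, not from the article. Policy thresholds, the weak-password
list and the device inventory are assumptions constructed for illustration.
"""
import re

MIN_LENGTH = 12  # assumed policy minimum

# Constructed list of passwords commonly found as vendor defaults or trivial choices.
WEAK_PASSWORDS = {"password", "12345678", "admin", "qwerty123", "welcome1"}

# Constructed inventory: device name, whether a login password is set, and
# (only so this example runs offline) the password in use. Never store these.
SAMPLE_INVENTORY = [
    {"device": "ECDIS-1", "password_set": True, "password": "Bridge!2024Nav"},
    {"device": "ECDIS-2", "password_set": True, "password": "password"},
    {"device": "Engine-HMI", "password_set": False, "password": ""},
    {"device": "Crew-WiFi-AP", "password_set": True, "password": "Shipwifi1"},
]


def check_password(password, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        failures.append("fewer than three character classes")
    if password.lower() in WEAK_PASSWORDS:
        failures.append("in weak/default password list")
    if re.search(r"(.)\1{2,}", password):
        failures.append("three or more repeated characters in a row")
    return failures


def audit_equipment(inventory):
    """Map each non-compliant device to its findings; compliant devices are omitted."""
    findings = {}
    for item in inventory:
        if not item["password_set"]:
            findings[item["device"]] = ["no password protection"]
            continue
        failures = check_password(item["password"])
        if failures:
            findings[item["device"]] = failures
    return findings


if __name__ == "__main__":
    for device, problems in audit_equipment(SAMPLE_INVENTORY).items():
        print(f"{device}: {'; '.join(problems)}")
```

Devices with no password at all are reported before any strength check, since a missing login is the more urgent finding; the same `check_password` function can be offered to crew for their personal devices.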