Digital Defence to Counter Cyber Crimes at Sea

1999

  • DNV GL is seeking to reduce the cyber risk at sea by offering digital defence IT solutions.
  • The cyber security system is important as operational technology cyber attacks had increased doubled from 2013 in 2016.
  • As the human behaviour is responsible for most cyber crimes, DNV GL will be training people in their maritime academy.
  • Courses will include management and technical angles, even lessons in hacking to operate vessels during a cyber attack.
  • DNV GL will help vessel operators combine traditional IT security best-practices with an in-depth understanding of maritime operations.

In a recent development, DNV GL has announced that they have expanded their services to cover control systems, software, procedures and human factors, as owners act to fortify their ships and shore-side operations against cyber risk in the face of evolving threats and imminent regulation, says a report published on their website.

The Dangers of Cyber Attack

Although the notion of a ship in the middle of the ocean being disabled by a software malfunction or by hackers was initially greeted with considerable scepticism and denial, a spate of incidents, including most notably an attack that disrupted operations at Cosco, has transformed attitudes. Today the maritime industry acknowledges the potential dangers and is taking steps to address cyber risk at various levels.

How cyber crimes affect?

Cyber security is a moving target. Threats continue to grow in reach and complexity, with new vulnerabilities discovered on a seemingly daily basis. In the space of a few years, hacks and security breaches have jumped from being an exceptional event confined to a special breed of technology companies to becoming a fact of life-impacting everyone. No industry is immune.

While in earlier decades office IT systems were the predominant target, these days more incidents are affecting operational technology (OT) – the programmable control systems responsible for operating machinery. The trend reflects the growing complexity of such systems and a general increase in connectivity, which in turn increases the attack surface of a vessel.

This increase is borne out in the statistics: The number of attacks on OT in 2016 was double that of the preceding year and quadruple the 2013 level. So whereas before it was mostly a company’s finances and reputation that were at risk, now the threat has escalated to confront the safety of life, property and the environment. The stakes are much higher. For this reason cyber security must now be considered an integral part of overall safety management in shipping and offshore operations.

Regulatory response

Fortunately industry policymakers have not been asleep at the wheel. Last year saw two particularly significant milestones in the regulatory environment. A section dedicated to maritime security – including cyber risk – was introduced in the third edition of the Tanker Management Self Assessment (TMSA), which came into effect in January 2018, as well as in the seventh edition of the Vessel inspection questionnaire (VIQ7) from the Ship Inspection Report Programme (SIRE), effective from September this year. Because TMSA and SIRE are imperative to gaining charters, tanker operators now have a commercial incentive to demonstrate they have given systematic consideration to potential vulnerabilities and implemented appropriate mitigations and safeguards to address them.

Shortly after, IMO’s Maritime Safety Committee inserted Maritime Cyber Risk Management into the list of ISM Code requirements. Strongly encouraged to start on 1 January 2021, the amendment leaves non-tanker vessel owners with little more than two years to achieve a similar level of preparedness as their tanker-owning colleagues.

The human element

Of course, cyber security is not just a matter of firewalls and antivirus software. Up to 90 per cent of incidents are attributed to human behaviour. Phishing and social engineering, unintentional downloads of malware etc. remain common issues. At the same time, most crews and onshore staff are not taught how to respond to cyberattacks or major technology failure and consequently fail to contain the damage.

How to counter this?

DNV GL has therefore expanded its options for training through its Maritime Academy. Courses cover cyber security from both management and technical angles and even include lessons in hacking to give participants an insight into how cyberattackers operate. Additional new tools incorporate friendly phishing campaigns and simulations of other social engineering techniques as well as features for assessing staff alertness so customers can fine-tune the level and frequency of cyber awareness training.

DNV GL can help vessel operators combine traditional IT security best-practices with an in-depth understanding of maritime operations and industrial automated control systems. DNV GL understands the importance of tackling and integrating the human factor when devising and implementing a cyber risk management strategy because ultimately, it is people who drive our industry.

Did you subscribe for our daily newsletter?

It’s Free! Click here to Subscribe!

SourceDNV GL