Cyber security: combating the human element

In the first part of this blog, I took a broad view of the cyber security threat facing the shipping industry, and explained Inmarsat’s role in helping to protect on-board systems through the development of Fleet Secure, the first independent Unified Threat Management (UTM) service designed to detect vulnerabilities, provide alerts, and respond to threats.

However, software is only part of the answer: vigilance for ‘the human element’ and a well thought-out recovery strategy to mitigate against multiple, automated assaults are also critical approaches in tackling cyber crime. Failures in processes and mistakes by people can present the security loophole that, if unchecked by the UTM, compromise the entire network.

Weaknesses at the first line of defence (to phishing, plugging in an infected USB, downloading from an untrusted source etc.) are common but, in the case of satellite-connected ships, it is also common to see updates turned off and no anti-virus software in operation. Today, cyber security training is not compulsory for the world’s 1.6 million seafarers, while expertise in antivirus software is inevitably more likely to be based ashore.

As far as awareness is concerned, it is fair to say that there is likely to be more temptation to risk plugging in a memory stick once a vessel is under way. Creating awareness for seafarers and staff is a continuous task because good cyber security practice is shipping’s first line of defence against attack.

Reinforced training

Inmarsat recently participated in discussions with academics at the World Maritime University in Malmö over what future classroom-based and e-learning cyber security course content might include for Maritime Safety and Security Diploma students.

Inmarsat is not and does not aspire to be a training company, but we are an interested party. As such, we are fully aware that training is not just a tick box exercise and must be backed up with monitoring and reinforcement. We also know that using tools to identify breaches of policies, such as USB usage, help reinforce the message: constant reminders and real-life examples are often the quickest ways to stop bad practice.

But to address the cyber security risks of the future effectively, we need the involvement of ship designers, builders, regulators, verifiers, equipment manufacturers, service providers and, of course, owners and operators. We were one of the founding partners in a Joint Working Group run by the International Association of Classification Societies (IACS), whose members survey and certificate more than 90% of the world’s commercial vessels, ensuring that ships are fit for purpose and comply with safety and quality regulations. The Working Group, which includes representatives from across the maritime sector, has developed a cyber security framework that is likely to form a basis for risk management that will contribute to future seafarer training requirements and the International Maritime Organization’s (IMO) International Safety Management (ISM) Code, a standard for the safe operation of ships. A further outcome is likely to be a recommendation relating to how a cyber security module can best be integrated into standard seafarer training courses, probably as part of the Standards of Training, Certification and Watchkeeping (STCW) Code.

Increasing security and awareness

For our own part, Inmarsat does issue guidelines covering best practice, but we are also evolving capabilities that support greater cyber maturity in the seafaring community, most recently through Fleet Secure Endpoint and Fleet Secure Cyber Awareness. The first of these has been developed together with digital security specialist ESET and is powered by Port-IT to protect desktop computers and other devices connected to shipboard networks.

Fleet Secure Cyber Awareness, meanwhile, has been developed in collaboration with Stapleton International and the Marine Learning Alliance to help seafarers educate themselves on the possible tactics that cyber criminals can use to infiltrate a company’s IT infrastructure.

There is no doubt that digitalisation and new smart technologies are transforming ship operation at an exponential pace but Inmarsat’s view is that, to accelerate this transformation, all stakeholders interested in optimising the efficiency of ships and crew welfare must exert themselves if the industry is to be carried over the line.

This means we must not only be training our seafarers more effectively, better managing our processes and protecting our systems, but nurturing awareness of best cyber security practice even on vessels that have little or no cyber security protection at all. There is a long way to go, but we have started on the journey to seeing improvements implemented.