
The issue of cyber security is one of the hottest topics in shipping today – but it is also one of the most challenging to deal with. Constant demands have emerged for seafarers to do more to keep cyber threats at bay, but can all these new challenges be managed with so much else to be done?

JUGGLING JOBS
At a recent conference on cyber security, and there are so many doing the rounds at the moment it is hard to keep up, the issue of how to incentivise seafarers to engage with cyber security was discussed.
How, it was asked, can crews be encouraged, trained and cajoled into doing more? There is a terrible fear in the cyber security community of the “insider threat” – in which crews will actively seek to cause problems.
There have been fingers pointed at seafarers for inappropriate use of social media, for introducing viruses onboard, and for generally being fairly inept at tackling cyber problems. But are the criticisms fair or even correct?
With so many different tasks and demands of the job, can it be right to expect crews to suddenly be experts in Information Technology (IT) and cyber matters? Unfortunately it seems this has never really been a priority – and it seems the industry is now suffering as a result.

MISTAKES ARE HAPPENING
Mistakes do happen – and there are without doubt many dubious practices employed onboard. On ships where crew do not have access to computers, they are using ECDIS for displaying personal digital images – and even charging their phones.
There is anecdotal evidence that one seafarer managed to delete an entire chart folio when his iPhone began to update itself while it was connected via USB. You can imagine the shock and colour draining from the faces of those onboard as the charts began to vanish.
According to cyber security experts, such behaviours lead to virus infections and ECDIS operational problems, at the very least. Indeed there are strong calls for seafarers to be banned from using ECDIS for non-navigation operations so as to prevent the threat of virus infection.
Speaking on the issue, one ECDIS servicing company recently claimed that the single most serious issue they face is the existence of viruses. One expert even said it was hard to believe the sheer number of viruses service engineers are finding. This is related to crew loading their own files, family photos, media and the like onto ECDIS, as it is all too often the only computer on the ship.

THE USB CURSE
So time and again service engineers are finding files loaded on to ECDIS via a USB port or on disk. This highlights the risk of viruses accidentally being uploaded through the biggest perennial technology problem, the widespread use of USB thumb-drives onboard.
As the capacity of removable drives has grown, so too has the potential for anyone onboard to unwittingly infect shipboard systems. Add to that the change to shipboard architecture, with ever more connected systems, and any virus entering a vessel has a chance to spread and cause problems.
There is a need to stop this – but how? Suggested solutions include providing crew with computers specifically so they do not use more critical systems for viewing images, or locking USB ports to block out crew equipment.
Sadly, that can mean seafarers working on less well-equipped vessels, or for less accommodating owners, are hit by a double whammy. As the world around them becomes ever more socially linked, they are locked out.

UNDERSTANDING THE RISK
It can be too easy to react to such a situation – and caution is needed before labelling seafarers too negatively, but sadly it has to be recognised that the so-called “insider” risks posed by people onboard must be considered.
While these may not be prompted by malicious intent, it is vital that any ignorance or lack of understanding is guarded against. As such there are calls for shipping to introduce the systems, protocols and cultural changes which mean seafarers move from problem to solution.
Speaking at the “Maritime Cyber Risks” event in London, KVH Media Group stressed that progress will not happen instantly nor without a plan to change. The industry needs to drive change, but it wishes to do so through guidelines, not standards.
The conference heard how cyber issues do not exist in a vacuum – they are just one of so many other problems that seafarers have to manage and understand. That needs to be appreciated before action can deliver.

KEEPING CREW CLEAN
With seafarers tackling safety, security, their day-to-day operations, as well as the threat of fatigue, just what can be done to incentivise crews to take cyber issues more seriously?
Experts believe that seafarers need to understand where the risks lie, and their role in protecting the vessel and systems. Education and training are key – and it is vital that some resilience is developed.
There are also calls for cyber-security risks to be incorporated within the International Safety Management (ISM) Code, and so be laid down within Safety Management Systems (SMS). The Code does already contain provision for threats and hazards to “key equipment”, so perhaps this could be a really easy step. It would mean just making sure safety and security embrace this different kind of problem, by changing the interpretation and emphasis rather than the wording.
These are early days as the industry wrestles with cyber security, and as such there is no current complete picture, but there are incredibly compelling warning signs. As such the industry has to do more to manage the risk of attack or weakness and to limit its effects if the worst does happen. Seafarers need to be embraced as part of the solution, and not vilified as a constant threat.