A Case for Maritime Cyber Security Capability
By Max Bobys
As I waited for my daughter's decision regarding the peanuts she was contemplating, an Economist magazine headline grabbed my attention: "Why Computers Will Never Be Safe." We were in one of those unexceptional airport newsstands waiting for our flight, returning to reality from vacation, and the subject of the headline was cyber security. It was April, and the subject had consumed me since the previous summer as our company developed a potentially disruptive cyber security management platform for the maritime industry. One's last vacation day is always a bit grim as the mind shifts from concerns of leisure to work, and my work was cyber security.
Of course, along with my daughter's peanuts, I purchased the magazine. I hadn't thought much about the subject over the past week and figured it would ease my mind back into the digital world. Though the iconic magazine rarely disappoints, it offered little that I didn't already know, but a few interesting tidbits about software error estimates got me thinking about ships.
Commercial software is often released to the market riddled, like Swiss cheese, with flaws. Programmers average between 10 and 50 errors per 1,000 lines of code, and even the larger companies that reduce this to 0.5 per 1,000 still ship thousands of defects in any sizeable product; it takes only a fraction of those to be exploitable. To put the numbers in perspective, the Microsoft Windows operating system is estimated at more than 50 million lines of code, and Google's code base is reported at about 2 billion. At the better rate, a 50-million-line system would still carry on the order of 25,000 defects. As ship systems become more integrated, and as data is increasingly shared with shore-based systems, every one of those defects becomes reachable from further away, and a successful cyber attack becomes a near certainty.
Since early 2015, I have spoken regularly with shipowners and executives, along with individuals spanning the maritime spectrum: insurers (including P&I clubs), lawyers and vendors, and representatives of classification societies, nongovernmental bodies, associations, flag states, port state control authorities and the International Maritime Organization (IMO). I've participated in cyber security assessments, presented at conferences and seminars and sat in on cyber security roundtables on every continent except Australia and Antarctica. Without exception, and irrespective of language, culture, business or dress, everyone I've spoken with agrees that cyber risks are real and must be addressed. While mitigation efforts such as awareness training, incident response planning and assessments are becoming more widely acknowledged and implemented, the most common question was: "Where do we start?"
I had faced this question before, in the wake of the 9/11 attacks and the subsequent promulgation of the IMO's International Ship and Port Facility Security (ISPS) Code. Even while the broader objectives were still being defined and a framework established, regulated vessels and facilities had to begin implementing preventive measures and complying with standards designed to support the detection and assessment of security threats.
Although the ISPS Code's language addresses the protection of electronic data, the threats originally contemplated were overwhelmingly physical. They concerned controlling physical access; designing and establishing the processes and procedures for sustaining maritime security activities; and ensuring that security plans covered all of the above. Of course, there is more to the ISPS Code, but the challenge shipowners faced after its entry into force in July 2004 was to implement security solutions in a manner both effective and compliant.
In that post-9/11 world, confusion reigned as the universe of security system manufacturers, "solution" providers and "consultants" burgeoned. Countless companies over-spent on technical solutions that were too complex or over-engineered for the business, proved too expensive to sustain, or simply didn't work as promised. Globally, billions of dollars were wasted. Investments in ISPS Code compliance in the maritime industry fared similarly, and for many shipowners the experience wasn't much different.
The current confusion over cyber security carries with it similar risks of over-investment, in particular because the context of cyber risk is so unfamiliar. Unlike physical defensive measures such as access control and electronic surveillance systems, which one can touch and see, cyber risk mitigation goes mostly unseen. This is because cyber risk, as many have heard me remark, challenges one's sense of space, time, context and attribution. Typically not "digital natives," maritime transportation owners and executives commonly struggle with how to even think about such questions as: Who is attacking my company? Why are they doing it? When did they attack? From where did they attack? In their minds cyber risk is intangible, and that intangibility underpins the confusion about where to start.
Even though the challenge of cyber security is universally acknowledged, its perceived intangibility risks prolonging a sense of defenselessness among the many non-digital-native decision-makers facing today's crop of cyber security "solution providers." Not surprisingly, market confusion is worse today with cyber risk than it was in the decade following 9/11.
So where does a shipowner start?
If a shipping company has not already done so, my recommendation is to first perform a cyber security capability maturity assessment of the entire organization. Companies that engage experts to assess one office or a single vessel are, in my opinion, wasting money. That approach is like performing a baseline health checkup on one's arm or leg while ignoring the rest of the body. Cyber security technology vendors and consultants are expensive, and spending limited resources (i.e. money) in today's economic climate on one office or one vessel is not money well spent. Here is why I recommend the whole-organization approach: capability maturity analysis provides a structure for assessing every functional area of a shipping company and a methodology for baselining its current capabilities against current cyber risks, in order to support continuous improvement. Properly executed, it enables shipowners to determine where within the business cyber security strengths and weaknesses exist; to make well-informed decisions about how and where to invest limited funds and allocate scarce resources; and to understand why some capabilities are more worth investing in than others. Capability maturity analysis defines the organization's "cyber enterprise" (the entire business, ship and shore, and the data links between them), calibrates which capabilities are relevant and appropriate, establishes a baseline for recurring benchmarking, and becomes the ongoing mechanism for informing subsequent cyber security investments.
The benefits are extensive. A capability assessment should not be overly expensive, does not (yet) commit the company to large capital investments, and establishes a standardized framework for sustaining cyber risk management over time through recurring analysis, due diligence, disciplined investment planning and continuous improvement. Best of all, the approach shows decision-makers how cyber risks can be managed in a responsible, sustainable fashion.
To operate in today's "cyberized," Internet-of-Things global economy, shipping companies must seek to achieve and sustain a cyber-mature posture. Though cyber security technologies continue to develop and adapt to persistent threats, no "magic bullet" exists for achieving a 100 percent cyber-secure environment. As regulations evolve (and they will), and as the march toward ever-greater connectivity on board ships continues, cyber risks will evolve with them. They are here to stay. They are relentless, malicious, fast-moving and ubiquitous. Shipping executives must understand that cyber risk is a chronic peril that can, and must, be managed.
Although the who, what, where, when and why of a cyber incident may not always be answered satisfactorily, shipping executives must advocate, fund, implement and sustain a long-term, holistic cyber security strategy. Though not easy in today's economic environment, it is achievable.
Max Bobys is Vice President, HudsonAnalytix – Cyber.