Are we the weakest link when it comes to cybersecurity?
A recent survey by independent satellite communications provider NSSL Global has revealed that although crewmembers understand that they are partially responsible for maintaining cyber security on board their vessels, an astonishing 84% claim they have received limited or no cyber security training from their employers.
Couple this lack of training and therefore awareness with the fact that approximately 90% of successful cyber-attacks have a human element to them, and it becomes clear that every crew member has a critical role to play in the cyber protection or hygiene of a vessel.
If it’s too good to be true…
The threat of cyber-attack is varied and constantly changing; it ranges from the highly sophisticated to remarkably simple, from specifically targeted to completely random, from intentional to accidental; the common strand is generally that the person behind the threat wants some information that you are connected to. However, increasingly the impact is financial and is capable of causing physical harm or damage.
Our world is becoming more and more connected; we are generating online content at an ever-increasing rate and as a result the traditional boundaries that kept us safe are blurring or even disappearing. This is not going to change anytime soon, but it is imperative that as individuals we understand better what is happening around us and maintain a level of awareness. It is an old adage, but one that holds its value in the modern world – if it’s too good to be true….
We don’t want to delve too deep into the details of threats and techniques here, however as an example, let us consider Phishing. This is the “art” of sending out large numbers of convincing emails with the aim of getting a user to click on a link or open a file, and the result is that malicious software (or malware) becomes installed on that user’s device. A phishing email is often based on information that you have shared on social media, or may look like an invoice from a supplier that you regularly deal with, meaning it can be very convincing. This is Social Engineering at play.
The consequences of a successful cyber-attack, such as a phishing scam, can include:
- Theft of confidential business data
- Ransom demand for stolen compromising photos or return of encrypted data
- Interference with navigation systems
- Monitoring and interference with crew’s social media (Facebook, etc)
- Loss of control of key vessel operating functions
- Communication systems compromised
Part of the defence is technical; making sure your system is up to date, making regular backups, installing operating system updates, having anti-virus software and other technical barriers. The remainder of the answer is to do with people and their awareness, which means education and a continuing flow of awareness messages are needed. Yet this education must be personal to the individual. It really has to mean something to crew members to make sure that the message registers, and so educators must find a way to relate.
New courses announced
One option for this is the training recently announced by Cyber Prism Maritime, the cyber protection business from which Strategic Advisor Roy Isbell (Prof.) FIET FBCS wrote one of the only Code of Practices on maritime cyber security. The training is comprised two new courses; the Cyber Security Foundation Course and the Cyber Security Principles Course.
The Cyber Security Foundation Course is designed to address the problem of individual awareness and develop a person’s understanding of the cyber threat, common attacks and simple mitigation measures that they can use including safe use of social media. The course has been specifically written for the maritime community and draws on relevant examples and events to illustrate the key points and ensure a greater understanding. The Foundation course is available as an online e-learning course, which takes between one and two hours. It can also be delivered face to face, either in a classroom or on-board your vessel.
The Cyber Security Principles Course is intended for Captains, First Officers and ETOs, to help them understand the risks to their vessel, explain the baseline steps they should be taking to mitigate the cyber threat for their vessel and undertake a simple assessment process. The Principles course is only available as a face to face offering, which takes two hours and can be tailored to address each vessel’s specific concerns.
OT vs IT awareness
What makes this training different is that Cyber Prism Maritime recognises that the range of systems onboard your vessel which could be affected by a cyber incident consist not just of Information Technology (IT) (generally the user facing computers and systems), but also include Operational Technology (OT) (the systems which control how the vessel functions and operates safely). This understanding allows the company to address potential weaknesses which can affect both IT and OT systems in its training, making the crew aware of possible cyber-attacks and providing guidelines on how to help prevent them.
The choice is yours: on your yacht, humans can either be first line of defence or an open door to your valuable information. Though not every cyber weakness will lead to an attack, you never know which slip up could cost your yacht millions. It is always best to be prepared. Education is the solution.