Lately, the industry has been fully focused on dealing with cyber-crime, with the International Maritime Organization (IMO) adopting Resolution MSC.428(98). This resolution calls on companies to report any cyber risk in their ISM Code no later than January 1, 2021.
Cyber security expert Lars Jensen of Improsec recommends that companies get their systems ready for potential attacks.
Lack of preparedness leads to serious cyber-attacks, which disrupt operations of both shipping companies and vessels.
Thus, Ian Bramson, Global Head of Cyber Security at ABS Group, commented:
"Everything is becoming more connected, autonomous, data-driven, and new technology onboard vessels is introducing more cyber risk."
Therefore, it is crucial that the industry prioritizes the three key actions presented below to mitigate the risks arising from the pandemic:
- Risk assessing existing and new remote access systems to ensure critical security patches have been applied, secure configurations have been used and the solutions are resilient. Particular attention should be paid to systems used for remotely administering and monitoring IT and OT vessel systems. Where possible, these systems should be segregated from the network used by the crew;
- Configuring remote access solutions, e-mail and identity management systems to log all authentication events, especially those on vessels that were typically not logged in the past. Preserve the logs and analyse them for anomalous activity;
- Reviewing any systems deployed to allow employees to work remotely, and ensuring that key security controls are applied (web filtering, encryption, antimalware protection, data loss prevention, backup solutions and detection and response tooling).
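As an added illustration of the first two actions (not part of the original article), the sketch below analyses preserved authentication events for two patterns: remote administration reached from the crew network, and a successful login right after a burst of failures. The log format, the crew subnet 10.20.0.0/24, the threshold and the time window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values for illustration; none of them come from the article.
CREW_NET = ip_network("10.20.0.0/24")   # hypothetical crew network on board
WINDOW = timedelta(minutes=10)          # how far back failures are counted
MAX_FAILURES = 3                        # failures that make a later success suspicious

# Constructed sample events: time, vessel, system, user, source IP, result
SAMPLE_LOG = """\
2021-01-04T02:10:00 mv-example-1 remote-admin svc_ot 10.10.0.5 success
2021-01-04T02:14:10 mv-example-1 vpn j.doe 198.51.100.7 failure
2021-01-04T02:14:40 mv-example-1 vpn j.doe 198.51.100.7 failure
2021-01-04T02:15:05 mv-example-1 vpn j.doe 198.51.100.7 failure
2021-01-04T02:16:30 mv-example-1 vpn j.doe 198.51.100.7 success
2021-01-04T03:00:00 mv-example-1 remote-admin svc_ot 10.20.0.44 success
2021-01-04T03:05:00 mv-example-2 email a.crew 10.20.0.12 failure
"""

def parse(line):
    ts, vessel, system, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "vessel": vessel, "system": system,
            "user": user, "src": ip_address(src), "result": result}

def find_anomalies(log_text):
    """Return (rule, vessel, user, timestamp) tuples for events worth a closer look."""
    findings = []
    failures = defaultdict(list)  # (vessel, system, user) -> failure timestamps
    events = (parse(line) for line in log_text.splitlines() if line.strip())
    for event in sorted(events, key=lambda e: e["ts"]):
        key = (event["vessel"], event["system"], event["user"])
        # Rule 1: remote administration attempted from the crew network,
        # which points to a gap in network segregation.
        if event["system"] == "remote-admin" and event["src"] in CREW_NET:
            findings.append(("admin-from-crew-net", event["vessel"], event["user"], event["ts"]))
        if event["result"] == "failure":
            failures[key].append(event["ts"])
            continue
        # Rule 2: a success shortly after repeated failures for the same account.
        recent = [t for t in failures[key] if event["ts"] - t <= WINDOW]
        if len(recent) >= MAX_FAILURES:
            findings.append(("success-after-failures", event["vessel"], event["user"], event["ts"]))
        failures[key].clear()
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```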
Challenges of working from home
The COVID-19 pandemic brought several restrictions and health measures, such as working from home, which means that employees need a decent cyber security plan for their network.
Many shipping companies have had to rapidly introduce new remote working tools, such as video conferencing and laptops, that may lack certain security controls or policies, resulting either in security gaps or in inconsistent application of security protocols.
Consequently, it is advised that companies hire security consultants who will be able to find the main weaknesses in their systems and then start thinking about where to invest.
In conclusion, a major tip is to focus on your employees' training and education around cyber security.
Educate your workforce on:
- Phishing emails and how to detect them
- USB sticks and the risks
- COVID-19 scammers asking for money
- Outdated or missing antivirus software and protection from malware
- Upgrade and software maintenance