The Maritime Sector and Virtual Stowaways
Another shipping company experiences a cyber attack. Whilst light on detail (BW Group should be commended for sharing their incident), initial reports indicate that in July 2017 a cyber event occurred at BW Group, initiated by unauthorised access to BW Group's computer systems and resulting in the temporary non-availability of some business systems. It has been reported that future mitigation efforts to address this unauthorised access include “fool proof security products” and “dedicated personnel managing these products”.
As with many cyber incidents in the maritime sector, this raises more questions than answers:
“Fool proof security products”. Security products are but one of the measures to manage cyber security risks; it is too easy, and foolhardy, to assume that security products alone will secure your business. Cyber security is a risk management activity and needs to consider people, process and technical measures in the round.
“Dedicated personnel managing” security products. There is clearly a requirement to have specialists on the team, but a holistic approach to cyber security training should be implemented to include everyone who interacts with your enterprise networks, and that includes people in your supply chain!
Sharing cyber incidents/best practice. As with any security and/or Health and Safety issue, the sharing of lessons identified is a critical step forward in improving resiliency and maintaining an effective safety culture. Cyber security incident sharing initiatives led by the CSO Alliance are a step in the right direction for the maritime sector. Anonymity is important, but should not be a hurdle if we want to be able to share the critical insights. The sharing of cyber situational awareness is a key activity in countering cyber threats.
Cyber Security is a Board Issue. One of the big challenges in identifying appropriate technical and organisational measures is communicating cyber security risks at the Board level. It is clear that companies are struggling to understand the right mix of people, process and technology solutions that will meet their desired security posture and risk appetite. Accessing impartial, independent, expert and sector-specific cyber security advice at the strategic level is a prerequisite for the successful management of cyber risks.