As owners act to fortify their ships and shore-side operations against cyber risk in the face of evolving threats and imminent regulation, DNV GL has expanded its services to cover control systems, software, procedures and human factors.
Although the notion of a ship in the middle of the ocean being disabled by a software malfunction or by hackers was initially greeted with considerable scepticism and denial, a spate of incidents, including most notably an attack that disrupted operations at Cosco, has transformed attitudes. Today the maritime industry acknowledges the potential dangers and is taking steps to address cyber risk at various levels.
Cyber security is a moving target. Threats continue to grow in reach and complexity, with new vulnerabilities discovered on a seemingly daily basis. In the space of a few years, hacks and security breaches have jumped from being an exceptional event confined to a special breed of technology companies to becoming a fact of life impacting everyone. No industry is immune.
While in earlier decades office IT systems were the predominant target, these days more incidents are affecting operational technology (OT) – the programmable control systems responsible for operating machinery. The trend reflects the growing complexity of such systems and a general increase in connectivity, which in turn increases the attack surface of a vessel.
This increase is borne out in the statistics: The number of attacks on OT in 2016 was double that of the preceding year and quadruple the 2013 level. So, whereas before it was mostly a company’s finances and reputation that were at risk, now the threat has escalated to confront the safety of life, property and the environment. The stakes are much higher. For this reason, cyber security must now be considered an integral part of overall safety management in shipping and offshore operations.
The human element

Of course, cyber security is not just a matter of firewalls and antivirus software. Up to 90 per cent of incidents are attributed to human behaviour. Phishing and social engineering, unintentional downloads of malware, etc. remain common issues. At the same time, most crews and onshore staff are not taught how to respond to cyberattacks or major technology failure and consequently fail to contain the damage.
DNV GL has therefore expanded its options for training through its Maritime Academy. E-learning and classroom courses cover cyber security from both management and technical angles and even include lessons in hacking to give participants an insight into how cyberattackers operate. Additional new tools incorporate friendly phishing campaigns and simulations of other social engineering techniques as well as features for assessing staff alertness, so customers can fine-tune the level and frequency of cyber awareness training.
DNV GL can help vessel operators combine traditional IT security best practices with an in-depth understanding of maritime operations and industrial automated control systems. DNV GL understands the importance of tackling and integrating the human factor when devising and implementing a cyber risk management strategy because, ultimately, it is people who drive our industry.