BIMCO says the shipping industry still hasn’t woken up to cyber-security. “For example, during the design stage, there are no security processes for shipboard IT,” the deputy sec-gen Lars Robert Pedersen told the press in Hamburg, Germany, ahead of this year’s trade exposition SMM.
“More often the problems arise at shore-side sites than at sea,” Pedersen told The Marine Professional. “Phishing emails with demands for thousands of dollars, apparently sent from senior employees, for example, are being received at the offices, and often these transfers take place even though one should be suspicious and check back with the other party if this is real,” Pedersen said, calling for people to use some common sense. “So much trust is put in emails in general, but they are only the postcards of the internet,” the sec-gen said.
Another problem seems to be that the lines of responsibility are unclear, so it is not apparent at which stage computers are checked and made safe, or whose duty it is. Pedersen suggests the following process for securing IT against fraud: develop an inventory of onboard IT; determine the likelihood of an attack, which means owners need to ask themselves if anyone could make use of information; and finally implement detection and security measures. The last step does not seem to be easy: “Ship owners can’t just update software without talking to manufacturers,” Pedersen said, criticising the situation.
Earlier this year, BIMCO, together with other associations, developed guidelines to help shipping companies avoid becoming the victim of a cyber attack.
The increasing threat of digital attacks is also a topic at the SMM fair in September. There will be dedicated stalls dealing with cyber security, piracy and theft in ports, as this will be one of the three big topics, alongside digitisation and green shipping.
One company that has already started acting on the problem is Tsakos Group. The company has selected DNV GL to assist in preparing a cybersecurity management system for its fleet and onshore facilities – the first such management system developed by a shipping company in cooperation with DNV GL’s advisory services. The Greek shipping organisation will implement a comprehensive system of safeguards and procedures to protect its assets from cyber risks. DNV GL is the first classification society to put this kind of cybersecurity service into practice.
Tsakos has been working with DNV GL to create an information security management system which will provide a comprehensive framework for assessing cyber vulnerabilities, implementing the necessary measures for mitigating risks, and responding to potential system breaches. “We follow a pragmatic approach based on a thorough risk and gap analysis. The resilience of the resulting procedures and management system will then be verified through penetration testing carried out by the DNV GL Group company Marine Cybernetics,” explains Nikolaos Kakalis, Manager of DNV GL Maritime R&D and Advisory in Greece. On board vessels, the navigational equipment and systems like the Electronic Chart Display and Information System (ECDIS), control and automation systems, and communication networks are considered highly vulnerable to potential cyber threats, making them, along with user awareness, key focus areas in the development of cybersecurity management systems.