Cybersecurity Offshore: A New Virtual Battlefield?
Our reliance on information and communications technology (ICT) runs deep in our everyday lives, and the maritime and offshore industries are no different. It is increasingly clear that the security risks of ICT extend to the maritime industry too: whether it’s the internet (for business or pleasure), dynamic positioning, navigation, GPS or crew welfare terminals, all come with vulnerabilities that can be exploited by cyber criminals intent on causing operational disruption, financial loss or reputational damage.
Over the past few years we have seen many incidents of cyber attacks in the maritime and offshore sectors, including malware-riddled offshore platforms, an oil rig left listing by malicious hackers, and the exploitation of port facilities' industrial control systems. Despite these incidents there seems to be a distinct lack of awareness throughout maritime and offshore organisations.
In the course of recent research JWC has conducted with the Company Security Officers (CSO) Alliance and Coventry University, I have spoken with security and risk professionals from across the maritime and offshore industries. The purpose of the investigations (part of an overall assessment of offshore risk management) was to identify how shipping companies and major offshore oil and gas producers managed the cyber threat and how well they understood the risks associated with a cyber-attack.
The findings were somewhat surprising for me. I made the mistake of assuming that most HSSE managers would be taking an orthodox risk-based approach to managing the cyber threat. Many were, but more than half of the personnel questioned did not believe cyber was a security or safety issue and referred me directly to their IT departments for further discussion. Many organisations I visited did not implement cyber or ICT usage policies or procedures. This was more prevalent in the shipping industry and less so in the offshore oil and gas sectors, but the findings were still significant.
The risk is only increasing as operators' systems grow more interconnected. We are seeing many energy firms combining industrial control systems (ICS) with much wider networks for the purpose of quicker information exchanges across the operational environment. Although this may be more cost-effective and offers speed and efficiency, it also creates more vulnerable junctions within the system. If systems are attacked or compromised, this could quickly lead to operational shutdown, which would be catastrophic for all stakeholders concerned.
It occurs to me that the maritime and offshore sectors are playing a dangerous game and the stakes are extremely high. In a world of globalisation and interconnectivity, cyber security is a threat that needs to be taken more seriously and management need to take responsibility sooner rather than later. More than 80 percent of identified cyber security and information security breaches and related incidents offshore are the direct result of human error, and we need to start getting the basics right before we invest in expensive technical mitigation measures.
Until the shipping and offshore industries can resolve this clear deficiency, they will be high profile, attractive targets. Complacency is mainly a lack of awareness and training, and maritime operators need to do more to ensure they are not the next victims on the cyber battlefield.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.