Industry leaders say they hope a recent survey by a firm specializing in maritime law awakens more companies to the realization they must do more to reduce cybersecurity risks, and to recognize that they’re not as secure as they think they are.
The Maritime Cybersecurity Survey by New Orleans-based Jones Walker LLP was released in October. It produced some alarming findings, including that 69 percent of respondents said they’re confident in the maritime industry’s overall cybersecurity readiness, yet 64 percent said their own companies aren’t prepared to handle the consequences of a data breach. Jones Walker surveyed 126 leaders from U.S. maritime companies of all sizes.
Dean Shoultz, chief technology officer at MarineCFO, a provider of software solutions for the industry, said the survey paints an accurate picture of cybersecurity — or lack thereof — in the maritime sector.
A lot of companies have a false sense of safety simply by having an IT team in place, Shoultz said, a situation far from unique to the maritime industry. “But they’re not understanding the full extent of this issue,” he said. “There’s blind faith at all levels. One hundred percent of large companies may be saying unequivocally that they’re able to prevent a data breach (according to the Jones Walker survey), but in candid conversations, they’re worried. And some are extraordinarily naive and have to get on the ball.”
By and large, Shoultz said, companies are trying to address the issue. But small companies that are already struggling can’t afford to beef up security staffs like larger firms are doing.
So with the price tag a limiting consideration for many, what can be done without spending a fortune?
For starters, Shoultz said that making employees aware of common hacker scams is critical. Many hackers access maritime industry data via phishing emails — a message that looks like it’s an internal communication, or appears to be sent from an otherwise trustworthy source, in hopes that an unsuspecting employee clicks on a link and provides sensitive information.
In one recent case, Shoultz said a purchasing agent received an email that appeared to come from her chief financial officer. “Fortunately, the (agent) thought ‘this is just not his style’ and questioned her boss,” he said.
To increase awareness, some companies have sent their own internal fake emails to test whether employees will click when they shouldn’t. This helps identify where more employee training is needed, Shoultz said.
Caitlyn Stewart, director of regulatory affairs for the American Waterways Operators (AWO), which represents the U.S. tugboat, towboat and barge industry, said she applauds Jones Walker for undertaking the survey because anything that gets people thinking about cyber-risk management helps reduce those risks.
Stewart said her organization is doing a lot to promote the product of a yearlong initiative by the AWO and U.S. Coast Guard. “Cyber Risk Management: Best Practices for the Towing Industry, Version 1,” released in December and available at americanwaterways.com, includes easy-to-follow risk assessment guidelines. It also provides information on how to protect against and detect cyberattacks, how to respond to and recover from them, and how to report a cyber incident.
“Cyber criminals are targeting the industry at unprecedented rates, and cyber disruptions — whether from an attack or from an accident — can have far-reaching consequences,” the best-practices document states. “The maritime industry must focus now more than ever on protecting human life, maritime assets and the marine environment from cyber-related incidents.”
Sean Kline, director of maritime affairs for the Chamber Shipping of America, said he’s “not a big fan of absolutes” in the Jones Walker survey. But he said it did serve an important purpose: to highlight the critical need for most companies to better protect themselves.
“Awareness is always good,” he said, and sound advice — like making sure employees are trained sufficiently to recognize potential hazards so they don’t inadvertently cause a problem — can’t be repeated enough.
Like Stewart, Kline also has been involved with a comprehensive set of recommendations. “Guidelines on Cyber Security Onboard Ships, Version 3” was released in December by a coalition of international shipping organizations. It aims to show companies how to integrate cybersecurity measures into their safety management systems, and help them formulate their own approaches to cyber-risk management.
“What we’re seeing is that you can do everything, follow all the guidelines, put everything in place that you can, and still be breached,” he said. “From my perspective, I see a lot of people chasing the next threat. They’ll talk to another company or read something and put in a new defense.”
But what Kline wishes is that companies would return to the basics.
“Look at any vulnerabilities you have, all access points from your ship to the Internet, and block all those little tiny touchpoints,” he said. “If you’re chasing the next threat, they’re already ahead of you. This is the world we live in now.”
Kline suggested that all mariners and maritime industry companies make use of the excellent — and free — resources that are now available.
