Themistoklis Sardis, IT manager, AMMITEC, focused his presentation on “Cyber Security at Sea” during the 2016 SMART4SEA Forum. He provided a brief introduction to cyber security in general and then referred to cyber security issues related to the shipping industry. To enhance maritime cyber security awareness in the industry, he suggested addressing the issue with a risk-based approach in order to avoid cyber threats and possible attacks on ships.
Computers are very secure things, if you lock them in a room and do not connect them to the Internet. In that case, they are the safest thing in the world. They won’t attack you, they won’t do anything. That was a good principle back in the old days, when the ships couldn’t connect to the Internet.
Back in 1998, we had the change of management. The old generation passed the management to the new generation in our company. Then, we started the process of modernizing operations. One thing that we did immediately afterwards was the permanent connection to the Internet, mail server, etc. For the first six months, we didn’t have mail filters or anti-virus on the mail server. Zero incidents. The following shows one-hour statistics of our messaging gateway. We have 35 threats detected. Six months – 0 threats. 1 hour – 35 threats.
Things are changing fast, especially as far as security is concerned. Here below, we have the U.S. Government’s statistics showing the progress of attacks for the past ten years. These are the reported attacks; I guess there are things that they don’t want to disclose. In that event, we went from 5,500 in 2006 to 67,000 nowadays. This concerns only the U.S. Government, no corporations, no foreign countries. Cyberattacks increased up to 48% in 2014 and nearly 1 million new malware threats are released every day. That’s scary!
Is shipping affected? Yes. Nothing too serious yet, but we are getting there. According to the report of the Cyber Security of the USCG, in 2010 the off-shore drilling was shut down due to malware. I guess this meant damage of thousands of dollars. In 2012, over 120 ships, including major Asian Coast Guard vessels, had their GPS signals jammed. It is about ECDIS and what happens when you don’t know where you are. This can happen. We have major port facilities being attacked. We have companies receiving e-mails asking for payments to be made to the wrong bank accounts, etc. No disaster yet. But we are getting there, unfortunately.
According to the site hackmageddon.com, which reports monthly statistics concerning cyber-attacks and the types of attacks, the main motivation is cyber-crime, making money out of potential victims. 27.7% goes to hacktivism. Therefore, there is the potential of extreme hacktivists making attacks on your ship or your company. Moreover, we have cyber-espionage and cyber-warfare, which don’t really affect us.
Ships are increasingly connected to the Internet (FBB, VSAT, etc.). Furthermore, modern ships are increasingly dependent on IT technologies (integrated bridge systems, AMS/IMS, electronic engines, ballast system, AIS, GPS, etc.). Everything that is on the network and has an IP address is a potential victim of cyber-attack. And all the systems, especially ECDIS, need to be updated. In this respect, we need to have the Internet connection. We cannot unplug it. The ships are effectively now remote offices. It is like you have your office in New York, in London, wherever. It is the same thing and we have to address them as the same thing. And of course the bad guys are always ahead of us. As a consequence, the cyber risks are evolving quickly and constantly. Everything that is connected can be affected. We have the ECR, the Passenger and Crew Data. On board a cruise ship, we may have 3,000 or 4,000 people using their credit cards for buying goods, enjoying themselves, etc. As a result, it is a very nice target for someone who can hack into the systems and get the credit card details or personal data. On a commercial ship, you have the cargo controls, you have the engine controls and anything that is connected to an IP network. All these can be affected.
Cybersecurity is not only one thing. Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.
I would like to highlight that some tools, like the policies, the security concepts, the guidelines and the risk management approaches, are not technology. These are processes, which don’t affect only the IT department, but the whole company. Thus, we have three main cyber security objectives that we need to cover. Firstly, the availability of the information. Secondly, the integrity, which may include the authenticity and the fact that it cannot be tampered with. And lastly, confidentiality of information.
In order to approach cyber security, first of all we need to identify the threats. We have to make sure that we know what we are dealing with. Then, we need to find the vulnerabilities in our systems and our processes. Next, we need to assess the risk exposure that we run. Accordingly, we have to develop detection and protection measures. After that, we need to establish a contingency plan. And if we have incidents, we need to respond to them. And then, we go all the way back, because we are never perfect. New threats are going to arise. The bad guys are ahead of us. And this is going on all the time.
Key points to be considered
Cyber security is an organization-wide problem, not an IT-only problem. We need the processes, we need the people to know what they are doing. Regarding the ships, the cyber risk management should be seen as complementary to ISM and ISPS. Keep in mind that the bad guys are always ahead, so contingency and disaster recovery plans are essential. Perhaps the most important topic is for the users, either ashore or on board ship, to be fully aware of the processes and what the risks are.
The above article is an edited version of Mr. Themistoklis Sardis’ presentation during the 2016 SMART4SEA Forum.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Themistoklis Sardis
Mr. Themistoklis Sardis is the head of IT of Costamare Shipping Company, having joined the company in 1998. He has been involved in a large number of IT projects and has long experience in shipboard systems and applications. His previous employers include firms in the ICT consulting sector and a large Greek bank. He holds a diploma in Electrical Engineering from the National Technical University of Athens (NTUA), an M.Sc. in Data Communications from University College London (UCL) and an MBA from the Athens University of Economics and Business (AUEB). He is a member of the PMI and PMI-Greece and a founding member of AMMITEC.