DOSSIER


Maritime IT managers’ views on cybersecurity


AMMITEC conducted a survey of 50 serving shipping company IT leaders to ask about their organisation's maturity on cybersecurity - and had some interesting responses.

AMMITEC, the Athens-based Association of Maritime Managers of Information Technology and Communications, sent a questionnaire to 50 members, who are all IT leaders of different shipping companies, to find out their views on the maturity of cybersecurity systems.


Responsibility

Only 26 per cent had a dedicated person responsible for cybersecurity in the company (such as a chief information security officer).

AMMITEC noted that for small to medium sized shipping companies, the workload could be handled by staff in other functions (ICT, legal, HSQE, commercial), provided they have appropriate training. For larger shipping companies, a dedicated person, or even a department, should be employed to undertake this role. Other company departments should not, as a result, feel that cybersecurity is no longer their responsibility. The CISO or security department "is to be the conductor or the liaison for cybersecurity within the company and of course its reporting line is of paramount importance in that context."

When asked who the CISO (where appointed) reports to, 53 per cent said to the board of directors, 35 per cent to the IT manager, and the remainder to the CEO, internal auditor, or others.

AMMITEC also noted that it is better if the CISO reports directly to the CEO, because there can be "possible conflicts of interest and security risks if reporting to the CIO or IT Manager," although this does not usually happen.
The CISO needs to "function independently, in order to provide fair and objective risk assessments and guidance. If a CISO reports directly to the IT management, it is likely that pressure could be placed on the CISO to lighten security, so as to accommodate the existing technology processes or solutions," AMMITEC said.


Being informed

When asked how they stay informed of new information security threats, 92 per cent said from the internet (social media, blogs and forums), 82 per cent said training / conferences, 76 per cent said from vendors, 62 per cent said from networking with other IT professionals, and 10 per cent said from books.


Obstacles

When asked what major obstacles they see in improving their organisation's maturity and preparedness, 68 per cent said heavy workload in the IT department, 64 per cent said insufficient budget, 60 per cent said lack of management commitment, 38 per cent said lack of awareness, 12 per cent said lack of technical knowledge, and 10 per cent said lack of independent and reliable advice.

"Our hypothesis [is that] poorly budgeted or under-staffed ICT departments are in most cases the result of lack of [poor] management commitment,” AMMITEC said.


Measures

When asked, "What security measures has your company implemented to ensure proper protection against cyber-attacks?" 94 per cent said endpoint protection (such as antivirus), 84 per cent said firewalls, 68 per cent said "intrusion detection / prevention", 64 per cent said controlled use of USB sticks, 58 per cent said two-factor authentication, 50 per cent said anti-phishing solutions, 44 per cent said sandboxing, 42 per cent said mobile device management, 34 per cent said a 24/7 SOC (security operations centre), 22 per cent said SIEM (security information and event management), and only 2 per cent said e-mail filtering.

"One of the biggest challenges that IT managers are facing today is the selection of the optimum mix of cybersecurity tools, finding the best possible solutions that minimise cyber risk, while remaining within budget," AMMITEC said.

"Many vendors these days are aggressively promoting portfolios of promising maritime cybersecurity tools and solutions, with some of them portraying themselves as panaceas for all our cybersecurity problems.

“Maritime IT leaders know better than that. They know that there is neither a single cure for all illnesses, nor a single size that fits all."

"AMMITEC has an initiative to create a set of ‘Guidelines for the Evaluation and Selection of Maritime Cybersecurity Solutions’. This effort will be led by a joint Working Group with members from AMMITEC and all interested Vendors."


Training

When asked if their company provides cybersecurity awareness training for employees and crew members, 94 per cent said it was provided to employees and 84 per cent said it was provided to crew members. 2 per cent provide information data sheets and 2 per cent said, "not yet".

When asked how training is provided, 63 per cent use outside companies, 52 per cent use online self-training courses, 31 per cent use in-house experts, 23 per cent don't provide specialised training, 2.1 per cent provide computer-based training for crew, and 2.1 per cent have a cybersecurity training platform.

"The main purpose of awareness training is to create a culture of security in the organisation," AMMITEC said. "No technical measures are bullet-proof. Even the strongest setup may be compromised by irresponsible browsing, greedy email reading, entering passwords in an airport or a token left unattended at the office. One user's loose behaviour is enough for the breach."

"A cyber culture needs to be built, and the IT department needs to push towards it. It takes a modern management to enforce some otherwise inconvenient policies and boring [sounding] procedures. Management determination and users' cooperation are equally required."


Third parties

Respondents were asked whether, and how, they assess the cybersecurity status of 3rd party companies considered critical for their business (for example, ERP or email software vendors, airtime / telecom providers, charterers, major suppliers).

59 per cent said they did not assess it themselves; 25 per cent asked for a relevant certification such as ISO 27001; 22 per cent sent questionnaires; 8.2 per cent used IT vendor risk management tools; and 2 per cent did penetration / vulnerability tests.

AMMITEC noted that 3rd party external cyber assessment is a relatively new offering in the market. It is based on publicly available data which may indicate compromise, including data associated with the partners' known IP addresses, so it becomes a tool comparable to a credit risk score for banks. Its usefulness needs to be weighed against its cost.


Penetration testing / drills

Respondents were asked if they did penetration testing. 66 per cent said yes, by outside companies; 14 per cent said they did it in house; 26 per cent said no.

"The above results may rather indicate that some IT departments either do not feel confident enough to engage in a 3rd party penetration evaluation, or that they do not have the budget to support it," AMMITEC said.

77 per cent of respondents said they did penetration testing in the office, and 48 per cent said on selected vessels.

AMMITEC noted that traditional penetration tests, including phishing, impersonation, social engineering and attempts to gain access, are not suitable for vessels. There could be a market need for a ship-specific penetration test.

When asked how often they did penetration tests, 46 per cent said, "at least yearly", 10 per cent said, "every 2-3 years", 21 per cent did not have a specific interval, the remainder had never done penetration tests.

When asked if they report the results to management, 68 per cent said yes and 11 per cent said, "only if asked".

When asked if they carry out vessel cybersecurity drills as part of the safety management system, 58 per cent said yes. AMMITEC noted that cybersecurity drills are a recommended part of a company's cybersecurity plan, which ships are required to have under the IMO 2021 regulation.


Communication

When asked if they communicate about their cyber-attacks, 80 per cent said they communicate to company management / the board of directors, 22 per cent to stakeholders such as shipowners, 16 per cent to authorities, 6 per cent to the wider maritime community, and 8 per cent said they do not communicate them at all.

"While it is obviously important that actual or suspected security incidents are reported as early as possible, so that organisations can limit the damage and cost of recovery, the responses indicate that most companies choose to stay quiet! Senior management might be unwittingly hindering the reporting of cybersecurity incidents," AMMITEC commented.

Those who said they do not report incidents more widely were asked for the reason. 54 per cent said management prefers to keep it confidential, 46 per cent said there is no reliable body to report to, 31 per cent said the IT department prefers to avoid any possible implications (such as blame), and 23 per cent said it might affect company image and reputation.

"In cases of serious cyber breaches that require public disclosure, it is often the CEO who becomes the face of the breach; however, most CEOs aren’t familiar enough with cybersecurity to be responsible for such reporting," AMMITEC noted.

Respondents were asked if they would be willing to anonymously report a security threat or incident to a database controlled by AMMITEC, with access restricted to full members only (serving heads of IT at shipping companies). 76 per cent said it seemed an interesting idea, 22 per cent said, "it seems a good idea but difficult to implement", and 4 per cent said they would not trust data in the hands of any third parties.

When asked if they would be willing to anonymously share key findings from external cybersecurity audits and inspections of vessels with other AMMITEC members, 66 per cent said yes, 30 per cent said maybe, and 4 per cent said no.

AMMITEC noted that many of the shipping auditing bodies, such as port state control, "usually employ old school inspectors" who may not have strong cybersecurity audit skills and so may make unexpected demands. Such a database could help shipping companies understand these demands.


Insurance

Respondents were asked if they have cyber insurance. 31 per cent said yes, 63 per cent said no, and the remainder answered "don't know", "planned" or "not to my knowledge".

"Our estimation is that this number will grow rapidly," AMMITEC said. "There is an increasing demand for maritime insurance products and services against cyber related risks. Maritime insurance companies are offering a wide portfolio of policies such as LMA5403 Marine Cyber Endorsement Buy-Back (former CL380); Cyber H&M [hull and machinery] Cover; Cyber LoH [loss of hire] cover.

"Risk assessment and risk mitigation policies are preconditions imposed by the insurers before offering an insurance coverage. Via their enrolment questionnaires, they seek for evidence of extensive technical and non-technical measures proving the company’s approach to Cyber Risk Management," AMMITEC noted. "Cyber Insurance must be considered as a complementary measure, in addition to the already existing cybersecurity strategy of the organisation."

When asked which three areas of cybersecurity will be highest priority in the coming years, 71 per cent said remote workforce, 55 per cent said IoT, 53 per cent said cloud, 51 per cent said endpoints, 49 per cent said mobile, 45 per cent said e-mail, and 2 per cent selected each of third-party risks, cybersecurity awareness, and penetration testing. DS


Note to readers – percentages have been rounded to two significant figures for ease of reading.
