Cyber: Platform raises awareness of cyber vulnerabilities

“This is not a shipping problem, it is a business problem, and everybody is at risk.”

These were the stark words of Colin Gillespie, Director (Loss Prevention) at North P&I Club, following its launch of a new cyber security initiative to help its members prepare for the International Maritime Organization’s cyber security compliance deadline in 2021.

“Shipping is very much a compliance-driven industry and the compliance deadline is looming next year. There are some early adopters who are way ahead of the curve, and there are others who are now starting to think about it, but overall the level of preparedness is still relatively low,” he told SMI.

North is the first P&I Club to offer such an initiative to encourage members to better understand their vulnerabilities to cyber risk and to help them improve their cyber security processes and systems ahead of the IMO’s deadline next January.

It has partnered with US-based technology provider HudsonCyber to offer members access to its HACyberLogix platform.

The secure, cloud-based HACyberLogix programme pulls together the market’s best practices and leading standards for cyber risk management, including the IMO’s International Ship and Port Security Code and International Safety Management Code, and integrates them into a cost-effective platform that allows ship owners and operators to self-assess their cyber capabilities and vulnerabilities.

“This then gives them the foundations upon which they can implement and sustain a cyber risk management programme,” explained Max Bobys, Vice President, Global Strategies at HudsonCyber.

“There are recommendations that are generated as part of this output in the reports and those recommendations are meant to inform the decision-making process for executives and shipping companies around how best and most efficiently to allocate key resources – resources being people, properties, tools and money.”

Mr Bobys explained the need for the platform saying: “One of the things that we have seen in the maritime space in general is what I would call a lot of organisational cyber security immaturity in the market. What I mean by immaturity is that there are a lot of basic activities that don’t occur or are not acknowledged by key individuals inside organisations – influential stakeholders inside of shipping companies.”

He said one of the things HudsonCyber had been very aggressive in doing was education “because some ship owners think that you can assess a vessel or office in a vacuum”.

“They feel if they assess a specific site and a specific entity within their organisation, they can compartmentalise the approach and see if there is a risk in that entity which could be a headquarters office, a vessel or a division. We are trying to get senior leaders and ship owners to understand that they cannot assess their organisations in a compartmentalised fashion. Cyber risk impacts the entire organisation.”

Mr Bobys said ‘penetration test’ was a frequently used term but a ‘pen test’ would always identify a gap or vulnerability in whatever environment was being analysed.

“If a pen tester cannot find a vulnerability then I tell clients they should get their money back because pen testers should always find a way in.”

Though pen testing is part of a cyber risk management programme, he said, and a best practice that should be carried out in a recurring fashion, it is not the starting point.

“The starting point is always at the organisational top,” said Mr Bobys, who said many of HudsonCyber’s recommendations revolved around getting the company organised, so they could make informed decisions.

He added that it was not so much the risk of terrorists taking over vessels and running them aground but more to do with the money and managing risks to the balance sheet.

“There is some denial in recognising that a number of companies have been compromised and have suffered losses but continue to focus on that compliance mentality. We advocate for them not to do that,” said Mr Bobys.

He said there was confusion in the market and also a shortage of expertise, which had led to the platform being developed.

Mr Gillespie said Members are being offered a trial of the programme (Level 1) for 120 days and this, along with webinars from HudsonCyber, allows them to do a baseline assessment of their cyber security preparedness.

“They can see where the gaps are, and the reports will tell them where the biggest risks are, and from there they can take decisions on how they want to manage those risks.”

After the 120 days, should the Member want to continue using the platform, they then go into a contract.

Mr Gillespie said: “Shipping is very, very good at risk management and cyber preparedness is just about risk managing slightly different risks. A lot of it is complementary to what they already do and it is something they should not be afraid of.”

Mr Bobys added: “Shipping companies, unlike other industries, operate at a high level of managing risk because their risk environments are so complex and so risky, but what they don’t do is do it for cyber. They can make changes which don’t necessarily need much investment or technology. It’s all about getting organised.”

North plans to attach an incident response capability to the platform by the end of Quarter 1 this year.