The biggest cybersecurity challenges

Speakers from G2 Ocean, OSM Thome, Omny and BASSnet discussed the biggest challenges with cybersecurity in a panel in Bergen, moderated by Erlend Erstad, Business Development Manager, Norma Cyber​

“Being responsible for overall cybersecurity both on the fleet and shore side, what worries me the most is the speed of technology,” said Kristin Helen Andersen, Vice President IT, G2 Ocean.

She was speaking in a panel discussion at People Tech Maritime Bergen in November, “How is the cybersecurity threat evolving?”

“As a team we don't control everything, we are dependent on business partners. And we are never stronger than the weakest link.”

“Hackers go for our vulnerabilities and insecurities as human beings. Where we had situations, it was because people were not thinking. You have time to reflect, use it. If something seems weird, it probably is.”

“At some point, at some time, we may experience the worst. And are we prepared for that?”

“We need to bring in information security as part of our safety culture,” she said. Crew need to be “capable of dealing with the threats at the time that they need to.”

It is not possible for everyone in the company to be a cybersecurity specialist. There has been a shortage of cybersecurity professionals in the past, but the situation is getting better now, she said.

G2Ocean has used game-based cybersecurity training. It also does role play based training of threat situations, with the board of directors, and managers at different levels being involved.

Technology for monitoring potential attacks “must improve,” she said. “As humans we are not capable of doing that kind of monitoring.”

“Patching sounds really boring, but it’s one of the things that makes us more secure,” she said. “It is not always done to the level of expectation.”

It is important to standardise how things are done with IT in the company, she said.

OSM Thome

The constantly changing digital environment is a big challenge to maintaining cybersecurity, agreed Arne Sørensen, Senior IT Manager, OSM Thome.

“It is difficult to predict what kind of system we need to have one year ahead.”

Crew need to understand cybersecurity. Crewmembers from different cultures may have different levels of concern about security in general, he said. “Training of the crew is very important. Inform them as best as possible again and again.”

OSM Thome brings in outside companies to do penetration tests on its on-premises IT system and its cloud system. “We work with vendors a lot,” he said. “It takes a lot of resources to do those things completely right.”

OSM Thome is subjected to many cybersecurity audits from customers and others. The auditors ask to see evidence that these tests have been done.

Omny

With cybersecurity. “the human factor is one of the biggest challenges,” said Andreas Grefsrud, Director, Omny.

“This is about psychology really. Any adversary knows that people are gullible. We tend to believe what we are told. That [weakness] is being exploited.”

When using digital tools for training, “I found that gamification beats everything else,” he said. For seafarers, it is like playing Candy Crush on their phones. It means that people have more active participation. “Passive learning doesn't work.”

Omny has implemented scoreboards so crewmembers can see how they compare with others in the games.

Many seafarers had already seen computer game type learning tools for safety, so they were familiar with the approach, he said.

Cybersecurity should be seen in the same way as other areas of safety, he said. Maritime safety departments have managed to integrate good practise into everyday work.

Operations technology cybersecurity is many years behind maritime safety management in its ability to do this, he said. “Most business owners see cybersecurity as a cost centre.”

Cybersecurity competency can be seen as a competitive advantage, such as if a supplier who is certified against ISO 27001 might be more attractive to a customer. “If you can claim that you are NIS2 compliant, that will get you a long way.”

Achieving NIS2 compliance may require a company to change the way it is organised, for example the CISO may need to report to senior management, not the head of IT, he said, to avoid a possible conflict of interest.

Mr Grefsrud recommends that you “try to understand what is written in the regulations and why it matters.”

BASSnet

If shipping companies use cloud hosted software, then many aspects of cybersecurity are taken care of by the software company, said Haakon Dalan, Vice President of Sales, BASSnet.

About 35 per cent of vessels using BASSnet software use the cloud hosted version, he said. “We are taking on the [cybersecurity] burden for shipowners and ship managers.”

“All the cybersecurity patches can be applied automatically by the software provider, he said. “We are plugging the hole.”

“It is a challenge for many shipping companies to keep themselves up to speed on these issues. This is maybe not their core business.”

BASSnet works with a cybersecurity provider called Datadog for threat detection and anomaly detection, providing alerts. BASS staff review the alerts manually. This shouldn’t be fully automated, he said. There is a risk that fully automated systems might shut business critical systems down unintentionally if they see a threat.

Contracts with suppliers

Mr Grefsrud recommends that you write cybersecurity clauses into your contracts with providers, including in service level agreements (SLA), with a definition of roles and responsibilities.

Otherwise, you will only get what you paid for. “The vendor is responsible for what they deliver but it ends there,” he said.

“If you didn't get the SLA into the contract on signing, it is almost impossible [to add later],” added G2Ocean’s Ms Andersen.

As a supplier, BASSnet was required to meet NIS2 standards in a contract it signed with a German government customer, said BASSnet’s Mr Dalan. “We had to step up for that customer,” he said. “You will always be better when you have challenging customers.”

Mr Dalan recommends that all shipping companies “put requirements on suppliers to get applications designed for security, put security requirements on the cloud hosting part of it, get upgrades regularly.”

Insurance

It is very difficult to get good cybersecurity insurance, said Mr Sørensen of OSM Thome. “When we look at the different companies and their terms, there are a lot of exclusions.”

The contracts often require the shipping company to be able to prove they have followed ‘best practise,’ he said.

Insurers require that companies comply to various standards, but “if you do those things you don't need the insurance,” said Mr Grefsrud. “That is almost a scam in my view.”

“Most Norwegian insurance companies would be bankrupt if they were insuring Jaguar Land Rover,” he added.

Cybersecurity risks from AI

If you are implementing AI it is important “not to run too fast with it,” Ms Andersen said. “This is a complex area. Understand what you implement, what you are trying to solve. You shouldn't do that without careful consideration, especially when we talk about opening this up to our vessels.”

“There are risks [with AI] but you don't really know them, so you need to do the assessments,” Mr Grefsrud added.

“You should think twice before injecting company data into the AI platform. In operations technology, it could be quite problematic. Anything that is operations critical, you should be quite wary of automating using AI.”

“Using AI as an augmentation tool is the way to go. It is not that smart yet,” he said.