
HANSA 07-2020

Port hub | Ship management & Corona | Smuggling on board | Lifesaving | New fireboats | Fire protection | A&R multipurpose newbuilds | 115 years of Nobiskrug | Car carriers & vehicle ports | Cyber security | Piracy

Shipping

»Risk assessment is not a one-time exercise«

It may have been a while since the last big cyber attack in shipping became public. But behind the scenes shipping companies are working towards compliance with a new IMO resolution, Rachael Bardoe, Director of Operations and Cyber Center of Excellence at Digital Container Shipping Association (DCSA), tells HANSA.

The IMO Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems is set to take effect in January 2021. What does it mean for the industry?

Rachael Bardoe: The resolution is a critical turning point for the shipping industry. As the pace of digitalisation increases, the opportunities for malicious actors to compromise vessels increase. Systems that were once standalone are increasingly integrated, which means any cyber attack could have an immediate and widespread impact on the ship and safety of the crew. The IMO Resolution is driving carriers and shipowners to understand the risks onboard vessels today and to be prepared to apply appropriate control measures to ensure not only data security, but more importantly, crew safety.

Will compliance be enough to make the industry a little more cyber-safe?

Bardoe: Cyber security is a constant journey. The threat landscape is dynamic and cyber adversaries are becoming increasingly sophisticated in their approaches to compromise systems. What is important to understand is that the risk assessment process, a fundamental aspect of compliance, is not a one-time exercise. As organisations move towards a risk-based approach to manage their cyber security, the application of appropriate controls will move from a reactive stance to a more proactive one. This behaviour will undoubtedly increase cyber safety, as will a more vigilant cyber security culture within shipping organisations.

What is DCSA’s advice, what should shipping companies do with regard to the resolution?
Bardoe: Organisations should start their efforts to address the resolution with a risk assessment. The identification of their most critical risks enables an organisation to target their investments correctly and thereby derive the biggest return on that investment. Cyber security risk is really a matter for the Board Room and should be considered as integral to the business as any other type of business risk. Whilst technical and procedural controls are being implemented, there will be a period of change, so clear ownership from the top down is necessary to instil cyber security into the culture of the business. However, cyber security is not just about firewalls, network segmentation, boundary devices and monitoring solutions. Staff must undergo training and awareness exercises. The majority of successful cyber attacks happen due to human error. Phishing tactics are becoming increasingly sophisticated and are often the first step to a threat actor maintaining persistence in your environment.

Where are DCSA’s members in the compliance process?

Bardoe: One of the main reasons DCSA published the Cyber Security Implementation Guideline was because our carrier members were focused on meeting the IMO mandate and asked DCSA to provide guidelines for a standardised yet adaptable approach to achieving compliance. We know that our members have been engaging in risk assessments and working on their own security roadmaps and implementations. However, we are not in a position to comment on the status of their internal security compliance efforts.

What does cooperation between DCSA members on cyber security look like?

Bardoe: DCSA works closely with all of our members on cyber security. We see engaged, passionate contributions from our members and a willingness to work together to do the best for our industry.
Naturally, cyber security is a sensitive topic, especially when there are incidents that could cause significant disruption to the carrier’s business as well as reputational damage. However, recently we have seen a number of maritime organisations, including ocean carriers, publicly share information about cyber security incidents and take definitive actions to remediate. This builds an environment of trust within the industry and with customers, which is key to fostering collaboration.

Do you also talk to other stakeholders like terminals, ports, forwarders etc.?

Bardoe: Yes, DCSA is very keen on cross-industry collaboration. We are stronger together. To drive meaningful change and innovation, we need everyone to embrace digitalisation and adopt a standardised approach to make container transportation services transparent, reliable, easy to use, secure and environmentally friendly. Our engagement with the industry stakeholders is broad, including shippers/BCOs; logistics chain participants such as terminals, ports and freight forwarders; government authorities and regulators; other standards bodies and alliances; financial institutions involved in shipment transactions and solution providers. We welcome feedback from all parties to validate our roadmap and improve our standards. Once published, our standards are free for all to use.

Interview: Felix Selzer

HANSA – International Maritime Journal 07 | 2020

» LINER’S PERSPECTIVE: MAERSK

Integral part of investments

Since the cyberattack in June 2017, we have made significant progress in fixing immediate issues and then invested in a cyber security programme to develop a sustainable cyber security maturity level in the company. We are driving a strong cyber security education, awareness and training campaign to ensure that we sustain it as part of our culture. The improvements of our cyber security programme form an integral part of our ongoing investment in technology. The programme covers not just our transforming IT capability, but also the increasingly connected operational technology that runs our vessels, ports and warehousing. As part of our governance process we continue to audit our cyber security maturity both internally and with external specialists so we can properly benchmark our progress and ensure we achieve and sustain business advantage. «

» LINER’S PERSPECTIVE: HAPAG-LLOYD

Permanently exposed

We arm ourselves against cyber attacks on ships or the shore organization by prevention, e.g. through user awareness sessions. We are prepared on the IT side to fully restore all our systems within a defined period of time. We are permanently exposed to cyber attacks. The number of spam and phishing emails alone is exorbitant and growing. However, our protective measures work very well in these cases. In the ship area, a cyber attack on the corresponding systems could theoretically endanger physical security (e.g. by attacking the navigation systems). Here too, however, we consider ourselves to be very well protected. We believe it is important that public institutions such as the Federal Office for Information Security (BSI) are further strengthened in order to fend off and sanction attackers even better.
«
