Focus Turns To Cybersecurity During IMX Education Session

Whether it’s credit card data, files stored in the cloud, power grids, cryptocurrencies, emails, key fobs, computer systems or communications, anything connected to the internet or that uses wireless technology could be vulnerable to cyber attack.

That’s certainly true on the waterways today as well, with technology increasingly integrated into the transportation system at large. Just a year ago, 17 terminals around the world operated by APM Terminals came under a cyber attack as part of the global impacts of the Petya ransomware. The attack left the APM-operated terminal at the Port of Mobile, Ala., closed for a day.
Analysts have long warned that ships plying international waters and inland towing vessels are equally vulnerable to cyber attacks.

A panel of experts gathered at the Inland Marine Expo (IMX) May 22 to discuss the multifaceted steps operators can take to not only defend against and avoid cyber attacks but also recover quickly should one occur.

The panel included Matt Hahne, vice president of global marine practice for Marsh USA; Bob Evans, vice president of information technology for Marquette Transportation Company; Todd Epperson, lead maritime security specialist and risk analyst at the U.S. Coast Guard’s Sector Upper Mississippi River; Michael Fitzgerald with the Maritime Administration; Krystal Scott, a partner with the Jones Walker law firm; Matthew Partyka, senior electrotechnical plan appraisal specialist for Lloyds Register; and Dean Shoultz, chief technology officer and founder of MarineCFO.

Sign up for Waterway Journal's weekly newsletter.Our weekly newsletter delivers the latest inland marine news straight to your inbox including breaking news, our exclusive columns and much more.

Shoultz, whose company markets the Vessel 365 app, which this month will launch dedicated cybersecurity checklists, chaired the session. Each panelist looked more closely at the cybersecurity issue from a different perspective of the maritime industry. Hahne looked at cybersecurity from an insurance policy perspective.

“It’s real simple: there’s a standard cybersecurity policy,” Hahne said. “Everyone needs one, but not everyone is getting one.”

Hahne said the standard cybersecurity insurance policy covers things like loss of data, third-party litigation if private information is stolen, and issues from credit card information being compromised.

“Most of your companies, if you’re operators out there, have an [oil spill removal organization] that comes in and helps you with a spill,” Hahne said. “You should also have a company prepared to come in and help you with the forensics and the rebuild of your data program, whether that’s your servers, your computers, your onboard systems or the way you communicate with each other.”

Hahne added that cybersecurity insurance policies are still fairly reasonable, although there has been an increase of about 3 percent on the average policy this year. He said most standard insurance policies exclude cyber attacks and that, oftentimes, obtaining a cybersecurity insurance policy is a good place to start for a company assessing its risk of cyber attack.
Evans offered some insight into how a towing company deals with common cyber threats.

“For us, the No. 1 thing is educating and making sure all our crews on our boats and people in our offices understand the risks,” Evans said. “In my nine years at Marquette, all of the incidents we’ve had have been from the email attack vector, either from attachments or social engineering to gather passwords.”

In light of that, Evans said one easy thing the industry could do to lessen the threat of cyber attacks is to stop sending PDF attachments.
“It’s the biggest weakness that’s out there right now,” he said.

Limiting Access
Marquette has taken steps to limit internet access on board the company’s vessels to a “white list” of approved websites, Evans said.
“USB ports are locked, all the systems are standardized, all of them have images to be rebuilt from,” Evans said.

Evans added that Marquette is constantly reassessing the company’s policies and protections due to the rapidly-changing world of cybersecurity.
“What’s the issue this year is not going to be the same next year,” he said.

Evans later recounted a time when Marquette experienced a cyber attack through an email attachment. The company became aware of the attack within minutes, because it shut down printing on their vessels. That fast notification allowed the company to respond rapidly.

“Of our fleet of 130-something boats, I believe 13 got affected, and on only three was it long enough for it to get off the main computer and spread to the navigation computers that have Rose Point,” Evans said. “And those we quickly rebuilt.”

Each vessel has three computers on board, Evans said, and Marquette has a cyber attack and systems failure protocol in place. Under that plan, if one computer goes down, another can be immediately reprogrammed and repurposed, thus sealing off the threat and limiting loss of communications.

Understanding Risks
Speaking from the Coast Guard’s perspective, Epperson said a good place to start is to understand the risks. Resources to aid in that include the Coast Guard’s 2015 cyber strategy and the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, commonly called the Cybersecurity Framework. Epperson also mentioned the U.S. Computer Emergency Readiness Team’s National Cyber Incident Response Plan as a good resource.

Epperson underscored that cybersecurity is a priority for officials at federal agencies, but it also has to be a priority for operators and boardroom leaders at the local level.

Fitzgerald encouraged companies to weave cybersecurity protections into their safety management systems to foster a resiliency in the face of cyber attacks. Many times, the issue isn’t the formidability of the attack but the lack of a robust response plan.

“A lot of times, you’re your own worst enemy,” he said.

Scott then looked at the cybersecurity issue from a legal standpoint, giving particular focus to notification policies for data breaches. She said there is no standard data breach notification law among states, so companies much be very careful about notifying customers, shareholders and business partners if private information is compromised. And because operators often do business with a wide range of customers, a data breach could open the company up to a number of lawsuits, from shareholders to business partners and even employees.

“The question is not if you are going to have a breach,” Scott said. “The question is when and how you are building your story now for when you are in a legal dispute about this.”

The panel closed by discussing what’s in the works with regard to cybersecurity in the maritime industry and some simple steps companies can take. Scott stressed the need for an incident response plan specific to cyber attacks and urged companies to incorporate encryption into communications. Shoultz called for a section in a company’s safety management system dedicated to cybersecurity. Epperson encouraged companies to assess data systems and policies. He also mentioned money designated for cybersecurity in the Port Security Grant Program. Evans agains stressed redundancy in computer systems for a fast recovery.