MAKING a thorough risk assessment is
the crucial first step in thwarting cyber crime at one's own institutions,
delegates to the 6th Med Ports Conference in Livorno, Italy, were told by a TT
Club marine insurance expert recently.
Andrew Huxley of freight transport specialist
insurer TT Club said cyber
activity is a daily operational risk that needs to be addressed urgently.
"Ultimately, the main threat is
from human error - downloading malicious content, opening an unsecured web
browser or falling victim to social engineering attacks and phishing scams,"
he said.
"A BIMCO survey in 2016
suggested that more than 20 per cent of respondents admitted to cyber attacks
and SeaIntel
Maritime Analysis estimated 44 per cent of the top 50 container carriers had
weak or inadequate cyber security policies," said Mr Huxley.
"Many in the marine supply
chain business have operations characterised by widespread office networks and
a reliance on multiple third party suppliers," he said.
"Often IT systems are of an
in-house, legacy nature, which may be poorly protected by security
software," he warned.
Ports and terminals are also exposed
to threats as they are at the confluence of physical communications activity,
he said. The data interfaces are complex, and the drive towards interconnected
control systems and efficient processes provides opportunities for outside
malicious interference.
Most of all, at the ship/port
interface there is much opportunity to cause loss and damage, far beyond the
persistent exposure to criminal activity, said the TT Club statement.
"The problem is intensifying.
At a global level reports by AV-TEST indicate that on average 4.2
new files of malware code were generated every second last year. From a maritime
supply chain perspective an example of serious IT incursion in 2017 was the
attack on over 20 ships in Novorossiysk," it said.
"This sent false signals and
resulted in shipboard equipment providing false information as to the location
of the ships. There is speculation that this incident could have been a
state-sponsored attack," it said.
A second incident, the NotPetya
strike, impacted many in the supply chain, including AP
Moller-Maersk, resulting in large-scale disruption and substantial
costs for those immediately impacted and their partners.
The US Coast Guard issued a
draft Navigation and Vessel Inspection Circular (NAVIC) titled "Guidelines
for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA)
Regulated Facilities".
The circular, currently under review,
requires incorporation of personnel training, drills and exercises to test
capabilities, security measures for access control, handling cargo, delivery of
stores, procedures for interfacing with ships and security systems and
equipment maintenance.
Additional national and regional
initiatives, exemplified in the European Union by the Directive on Security of Network
and Information Systems (NIS Directive) and General Data Protection Regulation
(GDPR), are indicative of the development of regulatory expectations.
TT Club, jointly with UK P&I
Club and cyber security consultants NYA, has published a paper entitled "Risk
Focus: Cyber - Considering Threats in the Maritime Supply Chain".
Source: HKSG.