Your board are blind to cyber risk: Drill them into action
September 14, 2020 MARITIME CYBER SECURITY
Shipping executives are particularly adept at risk management. They regularly have to navigate unpredictable weather systems, climate change, persistent piracy, evolving geopolitical tensions, commodity price and forex fluctuations. They place faith in around 20 seafarers to operate each vessel worth tens of millions, in environments that would be challenging to reach quickly in an emergency. But cyber risk is new territory. And many don’t really know whether their organisation is ready to manage a cyber incident.
One way to prepare your organisation for a cyber attack is to set up a cyber drill. Here’s how to set one up with your own management team that can help improve your organisation’s cyber readiness. Register here for a free consultation with our team of experts on how to design and optimise a cyber drill and improve boardroom awareness of cyber risk.
So it has happened…
The screens on the business PCs in the engine control room and bridge have all locked down. The computers are simply displaying a black screen with a blank pop-up window. No text. There is no ransom note (yet). One of the ECDIS systems is also no longer functioning properly and keeps restarting randomly.
The vessel has entered US waters and a pilot has boarded to bring the vessel into safe harbour. The crew have also received notification from the US Coast Guard of their intention to dispatch an inspector and are anticipating a Port State Control examination when the vessel is in port.
The master is on the phone to the Technical and IT Managers, trying to follow instructions in order to rapidly diagnose the problem. But the phone line isn’t great at the moment as the vessel is currently in a position with poor connectivity. In his mind, he is working out the best way to explain what is happening to the authorities, while trying to make up contingency plans on the fly. The pressure is on to avoid a detention.
This scenario is entirely plausible from 1 January 2021, when the cyber security requirements set out in IMO 2021 become effective, and as cyber attacks on shipping operations continue to increase.
A false sense of readiness and resilience in shipping
“We thought we were prepared for a cyber attack and then we got a nasty surprise when one actually occurred.” This is a common reaction of those who have lived through a cyber attack.
Based on CyberOwl’s experience engaging with nearly 100 fleet operators, less than 5% of them would be able to answer a few fundamental cyber security questions when they are under pressure during a high-profile cyber incident, such as: “what is actually happening to the onboard systems?”, “are we sure we have been cyber attacked?”, “will it spread and how do we stop it spreading?” and “how quickly can we recover operations?”
This is before the more complicated questions that come later during forensic analysis, such as: “what has been the full scale of the impact of the cyber attack?”, “what systems have been compromised?”, “how did the attack actually happen?” and “how do we prevent the same attack in future?” In fact, there are some security teams that never properly answer these latter questions.
If you’re the Fleet IT Manager, scrambling around trying your best to quickly put fires out during such a cyber incident is not going to be a fun day at the office. One of the key decisions you are going to have to quickly make is whether you should be reporting the incident to the leadership team. If so, when do you report it and what do you say? Then, how regularly do you update them?
An effective cyber risk management approach actually starts with the leadership
Recent IMO guidelines and The Guidelines on Cyber Security Onboard Ships (version 3, produced by BIMCO et al) make it very clear that “effective cyber risk management should start at the senior management level”.
Industry leaders in other sectors all concur. According to the annual Global Risks Report 2020 by the World Economic Forum (WEF), cyber-attacks pose an existential risk (just below climate change in terms of likelihood) to organisations the world over.
Developing emergency response plans with senior management early means you’ll already know what information they expect and when.
How does your leadership team perceive the level of cyber risk?
Siraj Shaikh, our Chief Scientist, and Kristen Kuhn, a Researcher at Coventry University, are working on an initiative addressing Cyber Readiness for Boards (CRfB) to uncover this, supported by the UK’s National Cyber Security Centre (NCSC) and the Lloyd’s Register Foundation. Initial findings suggest:
a key factor that drives a leadership team’s cyber risk perception is their trust in their organisation’s ability to respond to it. If you’re a Fleet IT Manager, that’s you and your team. And in many cases, this trust is likely to be overly optimistic. Certainly, the ability to handle a cyber attack is rarely stress-tested in shipping, unlike in some other sectors.
the current focus for the shipping sector is on compliance. While timely, this doesn’t suffice to actually address cyber risk.
the responsibility for cyber risk still rests too heavily on IT or HSSEQ Managers.
Instead, cyber risk needs to be owned and managed as a core business risk, with ultimate accountability at the leadership level. If you are the IT or HSSEQ Manager shouldering that perceived responsibility, it is in your interest to get your leadership team to understand that.
What does a cyber-ready leadership team look like? The leadership team needs to understand more clearly the cyber risks the organisation faces, secure sufficient budget for cyber resilience, and set clear roles and responsibilities to preserve business continuity. This includes knowing what their roles are during a cyber attack crisis.
This is where cyber drills are useful
The concept of a drill isn’t new to shipping. Safety drills have long been a requirement either by legislation or as part of a ship manager’s Safety Management System (SMS).
A scenario-based cyber exercise provides an ideal means for leadership teams to engage with and to rehearse for an effective response to a potential cyber-attack. The scenarios offer a creative license to run through both common incidents and also simulate low probability, high impact situations (also known as ‘black swan’ events). It is easy to write off the need to prepare for such black swan events. And yet, COVID-19 shows us how the lack of preparedness may pose an existential threat to an organisation. Indeed, other sectors have shown how ‘doomsday exercises’ have been important to them to cope with the current crisis.
Ultimately, the goal here is to build increased awareness and understanding of cyber risks in your leadership team. It prepares them for when (rather than if) a cyber attack occurs. The drill also helps you identify ways to improve your organisation’s ability to execute effective mitigation strategies.
How would they react?
What information would they need to make decisions?
Who do you need to communicate with and when?
Designing and running an effective “boardroom cyber drill”
Leverage IMO 2021 as an opportunity to encourage a drill. The upcoming deadline of 1 January 2021 to address cyber security as part of the SMS is an ideal opportunity to get senior buy-in. It brings with it direct responsibility for the board on cyber readiness. In fact, being able to demonstrate specific initiatives, such as a boardroom cyber drill, driving cyber readiness is part of evidencing a robust cyber risk management system.
Focus on business risks, not just technology risks. Gain clarity on what risks you want to raise and those that have a significant impact on your organisation. You can then link technology-related and cyber attack events back to those business risks; this is a key tip to designing meaningful scenarios for the drill. A structured mapping of business risks could be a useful resource for this purpose: the Cambridge Business Risk Hub provides a Taxonomy of Business Risks serving as a useful guide for such scenario writing, covering financial, governance, geopolitical, technological and environmental risks.
Do not focus purely on black swan events. While meaningful lessons can be gained from testing an extreme scenario, focusing the drill solely on such doomsday events may be counterproductive and lead your management team to conclude that cyber attacks are unlikely to impact your organisation. Consider an escalating drill that incorporates more commonplace cyber attack events.
Contextualise the drill to your organisation. The scenarios need to be customised to meet the specific practices of your organisation. Do you technically manage your fleet and crew directly, or is some or all of it outsourced? What type of cargo, voyages and ports of entry are involved? How do the responsibilities and liabilities in the charterparty work? While the drill should be grounded in deep expertise in cyber security and organisational resilience, ultimately the scenarios need to be made accessible for the leadership team (in terms of content, format and presentation). It is also important to consider whether there are suppliers and partners that need to participate in the drill.
Collect and visualise some hard data and metrics. This will help you demonstrate cyber security weaknesses and visualise these for the board after the drill. It will also set a baseline for improvement. Critical dimensions to measure include:
How long did each part of the incident response take? There is no right answer for how long response should take, but measuring this sets up a discussion on how much risk the leadership team are willing to live with. If the drill is a tabletop exercise and measuring response times is not possible, then consider getting the participants to estimate how much time each response action is likely to take, challenging them on how realistic their answers are.
How clear were the roles and responsibilities during the drill? This is often where interesting debates and tension points develop, especially when there is a lack of clarity.
How clear were the lines of communication? Record what information is given to whom and when. This can be used later to improve protocols for communication.
What were the main gaps of information? Ask any executive who has lived through a cyber attack incident and they will tell you that the first three questions are normally: “are we sure we have been attacked?”, “how badly are we affected?”, “how quickly can we recover?” Use the drill to discover how easily you can gather this intelligence.
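As an added example (not part of the original article, and not a CyberOwl tool), the following Python script shows one way to turn a tabletop drill into the hard data described above: it takes a timestamped event log from the drill and computes how long each response phase took, when each of the three key executive questions was first answered (or flags it as unanswered), and who communicated with whom and when. The event log, names, roles and times are constructed for illustration only.

```python
"""Score a tabletop boardroom cyber drill from its event log (added example)."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed event log from a fictional tabletop drill: (time, kind, actor, detail).
# Every name, role and time here is an illustrative assumption, not real drill data.
DRILL_LOG: List[Tuple[str, str, str, str]] = [
    ("09:00", "inject",    "facilitator",   "ECDIS restarting; bridge and ECR PCs show blank pop-up"),
    ("09:12", "detected",  "master",        "master phones Technical and IT Managers"),
    ("09:25", "escalated", "it_manager",    "leadership team informed of suspected cyber incident"),
    ("09:25", "comms",     "it_manager",    "to:leadership"),
    ("09:40", "answered",  "it_manager",    "attacked"),      # "are we sure we have been attacked?"
    ("09:55", "contained", "it_manager",    "vessel business LAN isolated from satcom link"),
    ("10:05", "answered",  "technical_mgr", "impact"),        # "how badly are we affected?"
    ("10:10", "comms",     "dpa",           "to:uscg"),
    ("10:30", "recovered", "technical_mgr", "ECDIS restored from known-good backup"),
    # Note: nobody answers the "recovery" question, so the report flags it as a gap.
]

# The three questions the article says executives ask first.
KEY_QUESTIONS = {
    "attacked": "are we sure we have been attacked?",
    "impact": "how badly are we affected?",
    "recovery": "how quickly can we recover?",
}

Event = Tuple[datetime, str, str, str]


def parse_log(log: List[Tuple[str, str, str, str]]) -> List[Event]:
    """Convert HH:MM strings into datetimes; the drill is assumed to fit in one day."""
    return [(datetime.strptime(t, "%H:%M"), kind, actor, detail) for t, kind, actor, detail in log]


def _first(events: List[Event], kind: str, detail: Optional[str] = None) -> Optional[datetime]:
    """Timestamp of the first event of the given kind (optionally matching detail)."""
    for ts, k, _actor, d in events:
        if k == kind and (detail is None or d == detail):
            return ts
    return None


def minutes_between(events: List[Event], start_kind: str, end_kind: str) -> Optional[float]:
    """Minutes from the first start_kind event to the first end_kind event, or None if either is missing."""
    start, end = _first(events, start_kind), _first(events, end_kind)
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


def phase_durations(events: List[Event]) -> Dict[str, Optional[float]]:
    """Measure each phase from the previous milestone so the board sees where time is lost."""
    return {
        "inject_to_detection": minutes_between(events, "inject", "detected"),
        "detection_to_leadership": minutes_between(events, "detected", "escalated"),
        "leadership_to_containment": minutes_between(events, "escalated", "contained"),
        "containment_to_recovery": minutes_between(events, "contained", "recovered"),
    }


def information_gaps(events: List[Event]) -> Dict[str, Optional[float]]:
    """Minutes after the inject at which each key question was first answered (None = never)."""
    inject = _first(events, "inject")
    result: Dict[str, Optional[float]] = {}
    for key in KEY_QUESTIONS:
        answered = _first(events, "answered", key)
        result[key] = None if answered is None or inject is None else (answered - inject).total_seconds() / 60
    return result


def communication_log(events: List[Event]) -> List[Tuple[float, str, str]]:
    """Who told whom, as (minutes after inject, sender, audience) tuples."""
    inject = _first(events, "inject")
    return [((ts - inject).total_seconds() / 60, actor, d.split(":", 1)[1])
            for ts, k, actor, d in events if k == "comms" and inject is not None]


def report_card(log: List[Tuple[str, str, str, str]]) -> Dict:
    """Assemble the metrics into a single report-card structure for the debrief."""
    events = parse_log(log)
    gaps = information_gaps(events)
    return {
        "phases_min": phase_durations(events),
        "questions_answered_min": gaps,
        "unanswered": [KEY_QUESTIONS[k] for k, v in gaps.items() if v is None],
        "communications": communication_log(events),
    }


if __name__ == "__main__":
    for section, value in report_card(DRILL_LOG).items():
        print(f"{section}: {value}")
```

The same functions work for a live drill if the facilitator records real timestamps, and for a pure tabletop exercise if the participants' own time estimates are entered instead; comparing the two runs is one way to challenge how realistic those estimates are.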
Plan enough time to gain consensus on the lessons learnt. The key here is to capture insights from the discussions and tension points through the drill, which could later be a source of strategic guidance for the organisation to achieve operational cyber resilience. Consider using the metrics above to develop team report cards. These can then be referenced in future once incident response processes have been improved.
Document a report of the drill. The exercise and the lessons derived from it should form part of your cyber risk management approach and SMS. The report may also serve as useful evidence for inspections and to build reputation with customers, demonstrating that you are taking proactive steps to manage cyber risks.