A ship-to-shore data connection seems to have been compromised. Do you pull the plug right away or wait for more details to better assess the risks? What decisions need to be made and who needs to be informed? These are just some of the questions you might face if you participate in a cyber incident exercise. How would you manage and what would you learn?
As the maritime industry becomes ever more connected and data driven, there are enormous new opportunities, but also intensifying threats. Cyber criminals are constantly finding new and clever ways to hack systems and steal data. Until recently, however, there was very little in terms of mandatory cyber security requirements on maritime equipment.
In the summer of 2022, the International Association of Classification Societies adopted two new Unified Requirements on maritime cyber security. If you contract a newbuild vessel on or after July 1, 2024, it will need to comply with these requirements. Some of the responsibility lies with the owner, some with the shipyards and some with the equipment vendors who supply the equipment for the vessel.
With new standards and equipment, the maritime industry should be a lot better prepared to face cyberattacks. But as with any safety equipment or procedures, they need to be tested regularly so that you know how to respond effectively if things ever go wrong.
Just like an office fire drill, the aim of a cyber incident exercise is to prepare you for the real thing – to give your people the experience and skills they need to make the right decisions when it really matters.
Wärtsilä regularly conducts these cyber incident exercises. In a recent exercise, participants from the Wärtsilä Marine management team were told that there had been a potential hack of the Wärtsilä connection for sending and receiving data between shoreside operations and cruise vessels.
The connection is working properly but somebody might have taken over the system with unknown consequences. Do we pull the plug immediately, causing service disruptions and costing everyone involved significant amounts of money, or do we wait for more details to assess risks more accurately? Is this even a real attack?
The aim of the exercise was not to find technical solutions but to enhance decision making, cooperation and communication skills. Participants focused on risk assessment, mitigation planning and crisis management, while the exercise evolved in real time as more information became available and new issues were thrown into the mix.
“The exercise was very realistic and pretty stressful – and that was before things took an unexpected twist. Suddenly a call came into the situation room from Leigh Carr, Vice President, Maritime Cybersafety at Carnival Corporation. This was not an actor but a genuine customer, and she wanted to know what was happening. Suddenly things became even more realistic,” explains participant Andrea Morgante, Vice President Performance Services, Marine at Wärtsilä.
At first the participants felt uncomfortable, but it soon became clear that transparency, open communication and a united front against the common threat was the best line of defence.
Because knowledge is power, the more information that is available – and the faster it is shared within the team – the more each party can bring their own experiences and expertise to the table. And this is not just in terms of finding technical solutions to the problem, but also aspects such as communicating to employees, stakeholders and, in this case, passengers.
The best teams don’t win by just turning up to the game and doing their best. They win because their skills and the way the players interact have been perfected over countless hours of practice. Cyber resilience is no different. The more you practice, the better you play together and the harder it is for the opposition to divide and conquer you.
For the participants from the Wärtsilä Marine management team, the exercise with a participant from Carnival was a great opportunity to share and develop best practices as well as to test plans and procedures. Exercises like this mean that if there ever is a real situation, the affected parties will have a big head start when it comes to neutralising the threat because the basics will be second nature. Joint preparedness raises collective resilience.
“Wherever you are in the maritime value chain – a ship owner or operator, a yard, a port or a supplier – the value of joint cyber incident exercises cannot be overstated. If you have a cyber security team and see cyber resilience as a key focus area, let’s learn and develop together,” says Morgante.
Get in touch to talk about a cyber incident exercise with Wärtsilä.
This article about maritime cyber security, describing the learnings from a cyber incident exercise first appeared as one of Wärtsilä's Insights stories.
