Maritime Cyber Security... Like the Game of Backgammon

Cyber security is a lot like the game of backgammon. The rules are very simple but the game-play is remarkably nuanced, and luck is a factor. 

I work with a lot of maritime companies of various sizes, and I have seen all kinds of approaches and strategies that perform with varying degrees of success. What I’d like to do for this article is to share two simple observations where I think executive management make the difference between success and failure in cyber risk management.

The first observation, and frankly a good predictor of cyber security program success, is the degree to which risk is being properly identified and potential impact quantified. This applies to companies large and small and depends heavily on how engaged executive management is in the process. If executive management are taking the time to understand to what extent cyber enabled systems introduce risk or present risk to operations, then they are likely to seek to control for that risk. 

If executive management either doesn’t believe the risk is worth considering or worse believe that cyber risk is a matter for IT to deal with on their own, then the cyber risk management process is more or less dead on arrival. Companies whose executive management aren’t engaged in the cyber risk management process are doomed to have the outcome determined for them by external forces. The analogy we like to use is it’s like “driving with your eyes closed.”

Every company is different, so the risks and approach to mitigation will vary quite a bit.  In some cases cargo is extremely valuable and has specific handling risks associated with it, LNG for instance. In other cases it may be lower value or involve older low tech vessels. Regardless risks presented by cyber enabled systems should be identified in order to make informed decisions about how much time/effort/money is worth expending on mitigation.  

Your company’s approach to controlling for cyber risk will depend on multiple factors including risk appetite. In some cases when a risk is identified as highly unlikely or not very costly it may be determined that it’s cheaper to accept the risk than mitigate it. There is nothing wrong with accepting a risk in this manner as long as this is done as part of a process based on actual knowledge of the potential impact of the risk identified. In other words, you’ve done your homework. 

I’ve seen some cases where the entire cyber risk category was approached in this manner, that is to say, fully accepted rather than mitigated. The sentiment being “it won’t happen to us” or “it’ll be cheaper to just clean it up.” Because the assessment portion of the process was not completed however, cyber risk is literally unmanaged. In every case like this I’ve ever come across, the decision was not an informed one and as you would imagine the consequences have eventually caught up by now in most cases.

The second observation is one of process documentation. Having your risk assessment process documented and mapped to explicit controls that are effectively communicated to and enacted by IT operations is another predictor of success. After you have taken the time to quantify the risks introduced by cyber enabled systems you must decide on controls and processes to mitigate identified risks. In some companies I’ve worked with over the years there was almost no direct connection between the controls implemented at the operational level and the risk assessment process at the executive level. That’s recipe for failure. 

Luckily you don’t have to reinvent the wheel here. Cyber risk management is simply an extension or part of every other risk management process companies have ever had to deal with. As such there are a wide variety of tools to bring to bear on the problem. One of my favorites is the National Institute of Standards and Technology (NIST) Cyber Security Framework. This freely available framework provides an excellent way map risks to controls and results in a roadmap that can easily be communicated to operations. Removing ambiguity between executive management and IT operations pays huge dividends in my experience. Full disclosure, the NIST framework isn’t the only player in town, just one I have a lot of experience with.

In summary and in very non-technical terms, these two practices separate the effective managers from the wishful thinkers. The process should sound familiar as it’s used in other areas of almost every business at some level. As cyber enabled systems push further into maritime operations getting the cyber risk management process right becomes increasingly important. Both the continued adoption of new technologies on board and the rapid rate with which new threats can develop require that cyber risk management be an ongoing process with a matching frequency. If you take the time to understand your risks, document your controls and communicate your strategy effectively, you will greatly reduce the likelihood of a career ending catastrophic incident that you’re not prepared to manage.

Gideon Lenkey is Director of Technology at Epsco-Ra.