Many workboat companies are small businesses and don't feel vulnerable to cyberattacks. But this is a false assumption, cybersecurity experts told a WorkBoat conference session on Thursday, as criminals don't discriminate by size, and all companies are open to cyber breaches from within their ranks.
Maritime companies should take these threats seriously and develop plans to prevent incidents and deal with them if they occur, according to Brian DiPietro, managing director, Global Technology Organization at JPMorgan Chase, which has an extensive cybersecurity program.
"If you are not having discussions about cybersecurity, you're missing the boat because these activities are getting worse and worse, and if the right (plan) is not there, you will get breached," DiPietro said. “If you have connectivity, if you have data, if you make money, you are at risk."
Vessels are becoming increasingly run by interconnected and sophisticated electronic networks involving communications, navigational and environmental systems that are vulnerable to hacking, malware and other interruptions. Digital threats in the maritime sector have become more frequent, and the concern is not just with access to a network but gaining control of it, the experts said. Cyber attacks have already been reported at U.S. and European ports.
Companies that have a plan in place are more likely to weather a digital breach, said Capt. Andrew Tucci, chief of the Coast Guard's Office of Ports and Facility Compliance. "Seventy-five percent of the companies that experience a large cyber incident and don't have a cybersecurity plan in place will go out of business within five years."
Although hackers from the outside are a concern – criminals and terrorists top that list – one of the biggest sources of digital breaches come from within a company, both DiPietro and Tucci said.
"Your vulnerability increases with every new device, every new app that you add to your system," Tucci said. “Insider threats are your biggest concern."
Tucci said that anyone can trigger a breach, and often it was an innocent, unintended action by an employee who plugs a smart phone or tablet into a company computer and transfers malware or other damaging programs to the company's network. Another source could be a contractor who plugs into the company's system. Malware can last months and can run without being detected for a long while.
Tucci relayed the story of an international cargo ship that came into a U.S. port and the crew told U.S. officials that they had lost their navigational charts. The source of the problem was traced to a mate who had plugged in his phone to charge the battery and passed along malware that damaged the charts.
How can a workboat company protect itself?
Both experts stress that having a workable, enforceable plan in place is essential. This should involve a team effort – not just the IT specialist but also the vessel operators. "Cyber is a risk problem – not an IT problem," Tucci said.
Elements of a plan might include prohibiting the hook ups of personal electronic devices into company computers, testing the plan frequently, and doing an honest evaluation of what is connected and what areas of operations are vulnerable.
Another suggestion, offered by a conference participant, is to install USB blocks, that are inexpensive and removable, to prevent a device from being connected to a system.
Tucci also encouraged maritime companies to report breaches to their local Coast Guard unit. Companies may be concerned about going public with such information, but Tucci said the Coast Guard will do its best to protect the privacy of that report.