Giles Noakes, head of security at BIMCO, said, ‘Two years ago we were way behind the curve… now we are motoring and making progress.’
The end game, as suggested by Noakes: ‘We’ll know that we’ve gone past the curve when owners start looking at the construction of cyber-resilient ships.’
With interconnected devices and systems (not to mention passengers coming aboard with devices, unique to cruise), the business is no longer the ‘closed loop’ referred to by the ABS SVP and CTO, Howard Fireman. Rather, current systems are what he termed ‘an open loop’.
Panelist Paul Rosen, recently with the US Department of Homeland Security (DHS), echoed this point, saying the cyber vulnerabilities will need to give rise to a whole new way of thinking about how vessels, with all their interconnected systems, are built.
He noted that, fortunately, the cruise sector has not experienced a ‘boom event,’ as has been experienced by the airline industry, retailers/banks, or by utility providers. One consequence of this, in the words of panel member Alex Soukhanov, from United States Maritime Resources Center (USMR): ‘we are not seeing the same information flows from maritime [on incidents] as we are seeing from other industries.’
Though the discussion covered the broader shipping landscape, one aspect that came up at various times during the hour-long session, the idea of ‘reputational damage’, is very relevant to the cruise industry.
Much as retailers such as Target and Home Depot (mentioned by multiple panelists) have seen an exodus of customers after breaches of confidential credit card data, the cruise companies are in the consumer spotlight.
A number of threads were woven together under the expert moderating of CLIA’s Bud Darr. Noakes talked about threats being dynamic, asking rhetorically, ‘How can you write regulations dealing with something [that] changes every day?’
The panel did offer a view that cyber practices could be integrated into the existing scheme of Safety Management Systems and ISM certifications.
The importance of training was also discussed, with the suggestion from multiple panelists that training regimes be geared to levels of access to sensitive systems. Purchasing protocols also came up, with one audience member noting that outside systems brought aboard vessels had the potential to disrupt critical vessel systems, and Rosen noting that Department of Defense procurement requires vendors to comply with cyber security protocols.
An important issue that asserted itself throughout concerned corporate treatment of cyber matters generally. Noakes said, ‘we have to operationalize it.’
One commenter from the audience (working with one of the top cruise corporations) urged all concerned to ‘stop thinking about cyber as a specialty area… get it out of the IT department.’
Rosen talked about making thinking about cyber matters a ‘horizontal’ (corporate-wide) activity, rather than a ‘vertical’ (separate silos for operations, finance and IT) endeavor.
US Coast Guard (USCG) Captain Verne Gifford, director of Inspections and Compliance, suggested the need to get cyber issues into the bucket of ‘general operational risk.’
He explained that the USCG will be working on a project to develop a detailed profile, with sub-categories and a prioritization, of the passenger cruise industry (including terminal interfaces) along the lines of an analysis recently implemented for liquid bulk terminals.
Following on the concerns of BIMCO’s Noakes about the difficulties in taking a ‘regulatory’ approach, multiple forms of ‘guidance’ were identified, notably the recommendations emanating from the USCG (in the bulk terminal project mentioned above).
The Class societies have also published guidance, and BIMCO’s guidelines on cyber-security are continuing to evolve; Noakes indicated that its earlier work (which was closely coordinated with CLIA) is being updated.