Page 38: of Maritime Logistics Professional Magazine (Q2 2016)

37 39

RECRUITMENT & RETENTION “There’s always someone somewhere doing something they shouldn’t, so why chance it?” – Philip Tinsley, BIMCO Maritime Security Manager will respond quickly to correct a safety violation, they are a cyber defense technologies as appropriate, keep ship lot less likely to say anything if they see a shipmate plug a and crew technology as separate as possible.

personal device into the ships’ USB port, or ? ip to a web site • Secure an outside assessment and audit, including while working on a ship’s computer. penetration testing

This means also avoiding being lulled into a false sense of • Implement a policy that covers acceptable use of security by technology that appears to be working. For in- allowed personal and ship technology, that encourages stance, false or corrupted charts can lead a ship dangerously incorporation of a cyber threat into any problem off course. “We need to tell people to get up out of the chair assessment, that supports and encourages crew to with a pair of binoculars and go look over the side every once report possible breaches.

in a while,” says Capt. Dickey. There is also a movement afoot • Make the crew cyber risk aware and provide training to return to decidedly non-technical back up plans – paper on safe and responsible use of technology, what documentation and charts, and the century old art of navigat- anomalies should raise a ? ag, and provide regular risk ing by the heavens. “You can’t hack a sextant,” quips Dickey. updates and drills.

It doesn’t help that crews can be comprised of multiple na- • Disseminate your policy and safety measure to your tionalities and languages, says Lance M. Savaria, managing vendors and other third-parties with the potential to director/partner, EPSCO-Ra Ltd. Or that the ships themselves infect your networks. are mechanically and technologically unique – even two of • Encrypt or use secure channels when communicating the same class of vessel owned by the same company doing sensitive data to port authorities or shore-based of? ces.

the same job will have differences. Training and the actual • Formulate a process for recording, reporting and security plan, must be customized for each particular vessel. dissecting actual and near misses. Consider sharing the data anonymously with industry groups trying

Protect, Detect, Assess & Respond to track attack trends

This is no time to panic. There is plenty of agreement on the • Write a contingency plan and build in resilience. steps to take and a wealth of free sources for guidance. Wheth- After you’ve done all that, it’s important to stay vigilant. As er you buy into the theory that cyber security is just another Hall likes to say, “It’s like Capt. Obvious from Hotels.com – If branch of safety management, or a unique area of concern, the you are not thinking about how to train folks, making sure your same steps used to build a SMS program on board apply here, systems are secure and constantly reevaluating – if you are not with a few twists. The blueprint includes: doing all of this, then you are taking on an unwarranted level • Self-assess the ship’s cyber “hygiene.” of risk.” And as Tinsley notes, “There’s always someone some- • Locate and address vulnerabilities, install appropriate where doing something they shouldn’t, so why chance it?” 38 | Maritime Professional | 2Q 2016 34-49 Q2 MP2016.indd 38 5/19/2016 11:34:57 AM