Cyber-Security Offshore

The New Virtual Battlefield?

Our reliance on Information & Communications Technology (ICT) is stemmed deep in our everyday lives in the modern world and the Maritime and Offshore Oil & Gas industries are no different at all. Whether it’s the internet (for business or pleasure), dynamic positioning, navigation, GPS or crew welfare terminals, all these come with vulnerabilities that can be exploited by cyber criminal’s intent on causing operational disruption, financial loss, reputational damage or worse still potentially loss of life.

Over the past few years, we have seen many breaches of cyber-security offshore in the maritime and offshore oil and gas sectors including the tilting of oil rigs, malware riddled platforms and even port facilities industrial controls systems being hacked. Despite these incidents, there seems to be a distinct lack of awareness throughout organisations. From the research JWC have conducted over the last 12 months for a study with the Company Security Officers (CSO) Alliance and Coventry University, entitled ‘Cyber Security; The Unknown Threat at Sea?’, we had the pleasure of speaking to security and risk professionals from across the maritime and offshore industries. The purpose of the investigations, which were part of an overall assessment of offshore risk management was to identify how shipping companies and major offshore oil and gas producers managed the cyber threat and how well they understood the risks associated with a cyber-attack.

The findings were somewhat surprising for me as I made the mistake of assuming that most HSSE managers would be taking an orthodox risk-based approach to managing the cyber threat (and many were) but more than 50% of the personnel questioned did not believe cyber was a security or safety issue and referred me directly to their IT departments for further discussion and investigation. Many organisations I visited did not implement cyber or ICT usage policies or procedures, although this was more prevalent in the shipping industry and less so in the offshore oil and gas sectors, the findings were still significant.

It occurred to me that the maritime and offshore sectors are playing a dangerous game and the stakes are extremely high. In a world of globalisation and interconnectivity, cyber security is a threat that needs to be taken more seriously and management need to take responsibility sooner rather than later. At a recent conference I attended in London, it was highlighted that more than 80% of identified cyber security and information security breaches and related incidents offshore are as a direct result of human error, this tells us we need to start getting the basics right before we invest on advanced (and expensive) technical mitigation measures. Training and awareness for personnel are one of the biggest vulnerabilities right now and with the clear deficiencies that do not necessarily require significant investments, the offshore oil and gas sectors are high profile, lucrative and attractive targets for criminals and ‘hack-tivists’.

When you combine the absence of training for personnel, the lack of a clear and understood policy, with the current economic climate and add some fierce competition for business, it creates a natural increase in the risk appetite that security and safety managers may not be fully aware of. We are seeing many energy firms combining Industrial Control Systems (ICS) with much wider networks for the purpose of quicker information exchanges across the operational environment.

Although this may be more cost-effective and offer speed and efficiency, it also creates more vulnerable junctions within the system, that can leave operations significantly exposed to the outside world. If systems are attacked or compromised this could quickly lead to an operational shutdown, which would be catastrophic for all stakeholders concerned.

As more companies continue to increase internet access offshore for operational and also welfare purposes, it comes with an increased risk of suffering a cyber-attack at sea. The Offshore Sector and International Shipping and Logistics environments, including port facilities too are becoming more complex with less dependency on manual systems by advancing to more automated technology. For a multitude of reasons and as highlighted earlier, we are beginning to see an increase in Information Technology ( I.T.) and Operational Technology (O.T.) networks being connected together at sea which are also connected to the Internet. It is no secret that many ships and nearly all offshore oil and gas process plants are online 24/7 these days and protecting vital digital infrastructure against cyber-threats is paramount in ensuring a safe and secure operational workplace and also optimal productivity at all times.

It is often said that complacency is simply a lack of awareness and training and the offshore and maritime industries need to do more to ensure they are not the next victims on the cyber battlefield!

Top 5 Cyber Security Vulnerabilities at Sea

1. Cyber Security Training & Awareness

2. Highly Vulnerable & Outdated Industrial Control Systems

3. Lack of Information Security Policies

4. Insufficient Separation of Data Exchange Networks

5. Poor Network Protection Between Onshore & Offshore Operations

Jordan Wylie has spent the last 7 years Jordan has spent the last 7 years as a maritime security advisor to governments, international shipping companies and offshore oil and gas majors worldwide. Jordan holds a Bachelor’s Degree in Security & Risk Management and a Masters in Maritime Security Operations. He is the Principal Consultant at JWC International and the Managing Director of Sovereign Global. Jordan pioneered the global ‘Be Cyber Aware At Sea’ campaign, which is a non-profit initiative to raise awareness of increasing cyber threats to ship-owners and seafarers.

Share133

133 Shares

Leave a Reply Cancel reply

International Security Expo: 2022 conference programme unveiled

The International Security Expo, the market leading security event, has unveiled its CPD-certified thought leadership programme ahead of its return to Olympia, London from 27-28 September. Security professionals can learn from world-renowned speakers who will deliver thought-provoking talks discussing mitigation strategies, best practices and high-level policy.

Industry News – At A Glance

We cast our eye over the main stories impacting the security industry. Here’s what’s appeared on the radar since the last issue. Including, attack in Afghanistan, Boko Haram Leader dead, severed heads in Mexico and Kevin Durant’s Bodyguard charged.

Industry News At A Glance

We cast our eye over the main stories impacting the security industry. Here’s what’s appeared on the radar since the last issue.

Training for When Time is Life

The 21-foot rule has long been an established firearm training standard. Simply put, it means an average man can close 21feet in 1.5 seconds, as we look at the below data of attacks on law enforcement officers the previous standard far from reflects the reality of the dynamic encounters in both distance and timing in enhancing your ability to prevail in a violent close quarter firearm encounter.

From Nightclub Security to Executive Protection

2009, I started working as a bouncer at an Irish pub called McNally’s. I worked alongside my older brother, as he taught me how to check ID’s, handle ejections, read a room, and make friends with guests. The 3 years I spent there created a foundation and taught me many learning experiences, both good and bad.

Keeping Your Edge: The Right Tool For the Job

Spend any length of time conducing protection work in the entertainment industry, and you’ll find that things work in cycles.

There are recording cycles, tour cycles, award show cycles and even sporting event cycles. A big portion of these trend annually, and are grouped with similar events, creating momentum, but being careful to avoid overshadowing or encroaching on another event’s moment.

The Death of Journalist Marie Colvin

I’m not writing this piece to get into her personal or professional life, her ambitions or any other side of her character (that’s all been done). I’m writing this piece because I see media management in general, as a huge failing for far too many media deployments gone badly in conflict areas around the world. And I’m using Marie’s death as an example of just one of those failings.
I’m still angered every time I see a write up about the sad death of this journalist, and here’s my reasons why:
I knew Marie for years, first meeting her in Jerusalem during the Second Intifada between the Israelis and Palestinians back in the early noughties.

Foot Steps Episode 1 – Kevin Ghee

My transition was a tricky one. Coming from a field where we are trained to address crime once it happens, mentally it leaves you in response mode. EP is very proactive, as such, we must anticipate what could happen and work to mitigate that. Also, as an Law Enforcement Officer, you have control over almost every situation that you’re in. The law gives you that authority and that luxury. In Executive Protection, not so much. So there’s another shift in mindset that one must have. As an EP professional you don’t have the same authority that LEO’s have, so you can’t bark out commands, stop traffic, block public access, etc., as such, the transition was tricky. The best way I can describe it is, not difficult but also, not “easy,” so to speak.

The New Virtual Battlefield?

Buy The Latest Issue

Sign Up For News and Updates

Promoted Event

Latest Podcast Episode

Latest Issue

Issue 64

The New Virtual Battlefield?

Buy The Latest Issue

Sign Up For News and Updates

Reader Interactions

Leave a Reply Cancel reply

Promoted Event

Latest Podcast Episode

Latest Issue

Follow us