Technical Security Alone Is Not a Black Box Solution; Human Factors Have a Critical Role in Managing Cyber Risk


Regardless of size, nature of business or company position in the energy supply chain, if your business utilizes IT/OT operations, a cyber-attack may occur. Threat actors seek vulnerabilities to breach systems security and networks, aiming to gain access to data for a variety of reasons, including potential financial extortion and financial gain. The urgent realization is that cyber-attacks are high-risk situations that may occur at any moment, and cybersecurity cannot be achieved by software solutions alone.

Angeliki Zisimatou is ABS’s Director of Cybersecurity and is responsible for leading ABS’s efforts through participation in cybersecurity and autonomous research projects and the development of ABS’s rules and guides. In this article, Angeliki reveals why training and the human factor element are key components in the battle for ultimate cybersecurity protection.

Cyber protection is reliant on human awareness and an understanding of how a single action could escalate a cyber-related incident. Human intervention backed by training, simulations, drills, and robust insights is critical in the journey to future-proof your business and its operation. 

Three critical threat actors

As port facilities and shipping vessels become increasingly interconnected, the risk of cyber incidents continues to grow. Businesses can be impacted in many ways. 

Across the U.S., there are many ports, terminals and facilities, including vessels within the commercial, civilian, government, and military sectors that have thousands of interconnected systems that control anything from port cranes to a ship’s engines or navigation systems.

Each port might have different systems – a container terminal, for example, will have more systems supporting the movement of shipping containers, whereas a cruise terminal will be focused on supporting the movement of people.

As new technologies are developed, they are often added as enhanced ‘bolt-on’ functionality to legacy company systems, yet these additions often lack the rigorous security testing applied to secure-by-design systems. These systems are often connected to the internet to provide stakeholders with remote access to control the systems. While the increasing digitalization and automation of systems and processes may deliver the opportunity for greater efficiency and competitiveness within organizations, it can also create greater cyber risk exposure through increased potential ‘attack surfaces’ – the ways in which cyber-attackers can penetrate systems. 

The Cisco Cyber Threat Trends Report 2024 outlines the three most frequently seen threat categories: (1) Information Stealers (246 million); (2) Trojans (175 million); and (3) Ransomware (154 million). Each of these categories had average monthly blocks in the hundreds of millions.

As the report highlights, information stealers are malicious programs designed to collect various kinds of personal and financial information from an infected system. Trojans are a type of malware that misleads users about its true intent. A common installation tactic is when a user gets a malicious link, like an email attachment disguised as an invoice, that, once clicked on, can enable cybercriminals to spy on you, steal your sensitive data, and gain backdoor access to your system. Ransomware is a type of malware that encrypts files on a victim’s computer or network, rendering the entire system inaccessible and disrupting operations.

Rising tide of cyber-threats

In the 2023 Cyber Trends and Insights in the Marine Environment (CTIME) report(1), the United States Coast Guard noted the following:

  • Ransomware attacks increased by 80% in 2023. These attacks encrypt systems with the goal of locking users out, then extorting the victim and demanding ransom for a decryption key. Perpetrators are becoming more sophisticated and requested ransoms have tripled.
  • Maritime shipping companies, logistics and technology service providers, liquid natural gas processors (LNGP) and distributors, and petrochemical companies are common targets.
  • Very basic cyber deficiencies persist. However, essential measures like patching and updating software, limiting network access, and implementing multi-factor authentication are base-level cybersecurity measures that go a long way toward safeguarding systems.
  • Network-connected operational technology (OT) in port facilities and shoreside is being targeted. These systems are particularly vulnerable to attacks as they often rely on outdated and insecure software and network protocols, and on insufficient access controls.

While new regulations are designed to help safeguard the U.S. maritime infrastructure and supply chain, they come with hurdles. For a transformational change, the industry will require a large-scale approach to cybersecurity, covering key areas, including account security, device security, data security, governance, risk management, supply chain management, cyber resilience, network segmentation, reporting, and physical security. ABS is leading industry guidance in this area to support industry safeguards.

The importance of upskilling human awareness

According to a study by IBM(2), human error is the main cause of 95% of cybersecurity breaches. In other words, if human error were somehow eliminated entirely, 19 out of 20 cyber breaches might not have occurred!

In a security context, human error means unintentional actions – or lack of action – by employees and users that cause, spread or allow a security breach. 

This can encompass a vast range of actions – from downloading a malware-infected attachment to failing to use a strong password or even a minor unintentional change to an essential configuration file of a system – which is part of the reason why it can be so difficult to address.

With more advanced and complex work environments being created across industry, there is an increasing number of tools and services being utilized with each requiring unique usernames and passwords. This all adds up and when not provided with alternatives or secure solutions, employees can start taking shortcuts to make life easier for themselves. Examples of these mistakes/missteps include posting credentials in visible places, not changing default passwords, and using a single account for multiple operators.

Types of human error can include:

Skill-based errors

Skill-based human error consists of small mistakes that occur when performing familiar tasks and activities. In these scenarios, the person knows what the correct course of action is but fails to take it due to a temporary lapse, mistake or negligence. These might happen because the employee is tired, not paying attention, forgets or is distracted. Examples of this type of error include typing errors, misconfigured settings, forgetting to log out, and accidental deletion of important files/data.

Decision-based errors

Decision-based errors are when a person makes a faulty decision. This can include the person not having the necessary level of knowledge, not having enough information about the specific process, or not realizing that they are deciding through their inaction. Examples of these types of errors include ignoring security alerts, weak password choices, bypassing security protocols to expedite a task, and inadequate risk assessments, such as deciding not to implement additional security measures due to underestimating the potential risk or impact of a threat.

Reducing human error with cybersecurity training

There are a variety of factors that play into human error, but most of them can be categorized into opportunity, environment, and awareness. Employee-focused cybersecurity awareness training can improve business security by teaching people how to add more secure actions to their regular routines.

Opportunity

Human error can only occur where there is an opportunity for it to do so. The more opportunities there are for something to go wrong, the higher the chance that a mistake will be made.

Environment

The physical environment of a workplace can contribute to the number of errors that occur. As an example, privacy and noise-level are things that can contribute to a more mistake-prone environment.

Culture also plays an important role in environmental considerations. Having a culture where security is always pushed to the background will lead to errors becoming more frequent. Implementing a second line of verification, such as peer reviews or automated checks, can help catch potential human errors and reinforce a culture of security vigilance.

Awareness

Human error can result from employees simply not knowing what the right course of action is. Users unaware of the risk associated with phishing methods and similar information-extraction tricks are more likely to fall for such attempts, and those ignorant of public Wi-Fi dangers may have their credentials easily stolen. A lack of knowledge is almost never the fault of the person – but should be addressed by the organization in order to ensure their employees have the knowledge and skills they require to keep themselves and the business safe and secure.

For any company, taking the smallest of steps to reduce human error can create huge gains in security. Mitigation of this risk comes from two perspectives:

1. Mitigating Human Error:
Implement robust security protocols and procedures to minimize the likelihood of human-induced security breaches.

2. Enhancing Cybersecurity Awareness:
Invest in comprehensive employee training programs to foster a strong security culture and reduce the risk of social engineering attacks.

The more knowledge and insight employees (working onshore and offshore) have, the less likely mistakes are to occur, even when opportunities arise. 

Companies need to see human risk from a different mindset. While untrained system users may be the weakest link in, e.g., the security of port operations, the right tools and training encourage employees to be the first line of defense against attacks or breaches, safeguarding the business and your reputation.

Secure in the knowledge of a safe supply chain

All have a part to play across the supply chain. By assessing and identifying critical assets with the support of a third-party independent provider like ABS, companies can begin to build the operational and technical infrastructure required to help mitigate cybersecurity risks.

Training is critical. Teams responsible for meeting tomorrow’s industry rules and cybersecurity compliance requirements, and for how companies operate alongside the regulatory process, will need significant upskilling across the maritime supply chain.

Then there’s the vendor relationship. This is an essential part of cybersecurity preparation, enabling the asset owner to better manage expectations with vendors and the processes required for plant or vessel operational updates or optimization initiatives. While strong external vendor relationships are crucial, a clear internal framework with defined roles and responsibilities is equally essential for robust supply chain management.

Next is creating and implementing a cybersecurity plan. It is important to choose the right level of independent expertise to help kick off the cybersecurity journey – from initial risk assessments through asset management, configuration insights, vulnerability assessments, and detection analysis, including how to respond to incidents when they do happen and how this impacts the business plan and response actions.

The level of technical competence needed to implement technology-based solutions will be key. This includes network monitoring solutions, asset management, and determining which key components and vulnerabilities are likely to impact your organization and what is needed for effective company-wide resiliency and recovery.

Next steps 

Maritime and offshore companies of any shape and size, including asset owners, operators, vendors and Flag administrations, will need to work together to enact tomorrow’s regulations. 

Leaders should empower and encourage individual workers to participate in maintaining safe and risk-aware approaches to their work. ABS supports the need to modernize ‘risk-stressed’ operations in the maritime sector and develop best practices.

Maritime and offshore assets are safer now by design thanks to advances over the past 10 to 15 years in technical construction and systems. However, weaknesses in educating the workforce, or the human element, can easily allow cyber threats to escalate rapidly.

No matter how good the technical integrity or systems of an asset are, the organizational integrity of the workforce remains the single biggest risk factor.

Promoting greater understanding of organizational cybersecurity integrity is the next frontier – a measurable quantity that relates to the operational reliability and safety of an asset. It is the human part of the interaction among people, assets, systems and processes that encourages and supports operational efficiency and responsible cyber stewardship.


1. https://www.news.uscg.mil/maritime-commons/Article/3683523/notice-of-proposed-rulemaking-cybersecurity-in-the-marine-transportation-system/ 

2. https://newsroom.ibm.com/2023-07-24-IBM-Report-Half-of-Breached-Organizations-Unwilling-to-Increase-Security-Spend-Despite-Soaring-Breach-Costs


Angeliki serves as the Director of Cybersecurity Research for ABS, focusing on the challenges and opportunities of securing operational technology (OT) and critical infrastructure in the complex maritime environment. With more than 20 years of field experience, Angeliki uses her skills in cyber policy, operations management, site inspections, and customer relationship management to design and implement effective and efficient cybersecurity programs, services, and products. Angeliki also serves as the chair of the IACS Safe Digital Transformation Panel.

