Maritime cyber risk management forum

Programme

08.15 Registration

08.50 Welcome address from the conference chairmen

Philip Roche, Partner, Norton Rose Fulbright
Edwin Lampert, Head of Content, Riviera Maritime Media

09.00 Keynote: Maritime and Cybersecurity coordination

• Specificities of the maritime domain – the French cross sectorial approach.
• Similarities between digital and maritime approaches.
• Global maritime cyber coordination – avoid the fear to share.

Bruno Bender, Maritime Cybersecurity coordinator, Secretary for the Sea - France

Session one: Regulations, compliance and risk

This session provides up to date information on legal, regulatory and liability considerations and gives you the tools you need to build and develop an effective risk management strategy.

Session Chairman:Edwin Lampert, Head of Content, Riviera Maritime Media

09.15 Legal and regulatory compliance in the cyber incident response context

• Positive obligations under GDPR and how to comply with them in the cyber incident context.
• Other obligations which may be of relevance, including NIS.
• Going beyond “mere compliance” – how best to respond to cyber incidents in a way which mitigates.
• the risk of losses and liabilities more generally?

Steven Hadwin, Head of Operations – Risk Advisory and Cyber Security, Norton Rose Fulbright

09.35 Cyber risk management - the guidelines on cyber security onboard ships

• Identifying roles and responsibilities.
• Identifying systems, assets, data and capabilities that pose risks to ship operations when disrupted.
• Protect, detect, respond and recover: implementing risk control measures and contingency plans to provide resilience and restore systems vital for ship operations impacted by a cyber incident.

Michael Hawthorne, CEO, Cobweb Cyber

09.55 Insurance cover for liability and property damage arising from a cyber incident

• Distinguish between the different aspects of the term “cyber”.
• Ensure that you are acting with reasonable care in your approach to managing cyber risk.
• Exclusion clauses - What losses are and aren’t covered by Norwegian Hull Club, which could arise from a cyber incident, and are not in the nature of third-party liabilities arising from the operation of the ship?

Leif Olav Sætenes, Senior Claim Handler, Norwegian Hull Club
Morten Aalén, Head of Loss Prevention and Emergency Response, Norwegian Hull Club

10.15 Q&As

10.35 Coffee and networking break

Session two: A view from shipowners and ship operators

As there still seems to be an attitude of ‘it won’t happen to me’, how many shipping companies have understood the risks that satellite and onboard equipment bring? These case study presentations allow you to understand what ship owners are doing and not doing. How are they trying to cope, and which measures are they taking?

Session Chairman: Philip Roche, Partner, Norton Rose Fulbright

11.15 Vendor Risk Management: Overcoming Today’s Most Common Security and Privacy Challenges

Managing third-party vendor risk before, during and after onboarding is a continuous effort under global privacy laws and security regulations. While outsourcing operations to vendors can alleviate business challenges, managing the associated risk with manual tools like spreadsheets is complex and time consuming. To streamline this process, organizations must put procedures in place to secure sufficient vendor guarantees and effectively work together during an audit, incident – or much more. In this session, we'll breakdown a six-step approach for automating third-party vendor risk management and explore helpful tips and real-world practical advice to automate third-party privacy and security risk programs.

• Review the drivers and challenges organizations face when managing third-party vendor risk
• Identify priorities before, during and after vendor procurement
• Takeaway a six-step approach for automating the third-party vendor risk lifecycle
• Hear real case studies from privacy experts on how to practically tackle the third-party vendor risk

Jacob Eborn, Privacy Consultant, OneTrust EMEA

11.35 Implementing the lessons learned from a major cyber attack

In June 2017 Maersk suffered a major NotPetya cyber-attack, this session explains lessons learned, and how they are now being applied within Maersk.

• How the Cyber-attack happened?
• How was it dealt with and what steps were taken?
• What were the consequences?
• What were the cost implications?
• What was the follow up to the cyber threat? Contingency plan.

Andy Powell, CISO, A.P Moller – Maersk

11.55 Cyber lessons learned from Industrial Control Systems - What can the maritime industry learn from the ICS

• What changes have happened in the post-Stuxnet era ICS world and the what challenges control system asset owners are facing?
• What kind of approaches are the advanced manufacturing companies using in protecting their critical control systems?
• What are the main challenges we still face nearly 10 years after Stuxnet?
• How can maritime industry best utilise the ground work laid by the ICS community? ICS standards, frameworks and best practices applicable to the maritime industry.

Janne Taponen, Maritime Cyber Security Expert, F-Secure

12.15 Q&As

Session three: Cybersecurity incident simulation

Session Chairman: Edwin Lampert, Head of Content, Riviera Maritime Media

12.35 What is the magnitude of cyber risk?

Based on a cyber-attack scenario, you will be able to discuss the possible outcomes and solutions and highlight the complexity of the maritime cyber security sector. This will give you the opportunity to verify your own ideas and plans

• The problem is now, but what is the real magnitude of cyber risk?
• Business security challenges to the exponential growth of the IoT. Are you on the verge of being attacked?
• How do we convince the main boards of shipping companies to take cyber risks seriously?
• Find the right balance and allocate a budget to reduce risk exposure and implement it.

Kieren Niĉolas Lovell, Incident Management Specialist, Tallinn University of Technology
Jack Lienert, mentor, CyberNorth, Startup Wise Guys and Simulation Centre Member, Estonian Maritime Academy
Elisa Cassi, Product Manager, Lloyd’s Register EMEA
Ken Munro, Consultant, Pen Test Partners
Merike Kaev, Data Protection Office, Swedbank Group Estonia

13.35 Networking lunch

Session four: Threats to cybersecurity in ports

This session will help ports and maritime operations understand and appraise the cyber security threats, balance digital opportunities with new cyber threats and raise cyber security to an acceptable level.

Session Chairman: Philip Roche, Partner, Norton Rose Fulbright

14.45 Innovative Risk and Security Management solutions for protecting European Ports and their Supply Chains

• How can we enhance the security and resilience of the ports’ critical infrastructures?
• How can we help port operators anticipate and withstand potential cyber, physical or combined threats?
• How can we effectively estimate risks in port supply chains?
• Are there appropriate efficient and effective tools that provide risk and security management?

Prof Christos Douligeris, Department of informatics, University of Piraeus
Dr Spyros Papastergiou, Technical Manager, University of Piraeus Research Centre

15.05 Resilience planning - Maritime ports to up their game in cybersecurity

• A solid cyber security plan is a must in any modern port. How ready are you?
• Identifying actions for when a cyber event will occur.
• Planning for protection against threats or categories of threats.
• Creating a response plan that clarifies action and provides an incident response team.

Daniel Ng, CEO, Cyber Owl

15.25 Using AI for Real-Time Threat Detection across OT and IT

• How to use artificial intelligence to detect emerging threats and latent vulnerabilities.
• Achieving 100 per centvisibility across OT, IT and Industrial IoT.
• Real-world case studies of stealthy cyber-threats identified early by cyber AI – before a crisis occurred.

Andrew Tsonchev, Director of Technology, Darktrace

15.45 Q&As

16.05 Coffee and networking break

Session five: How to prevent cyber-attacks from happening?

What should the industry do to reduce cyber risks? Should cyber security responsibilities be moved up a level and from IT to Operations? A change in approach to the problem needs to occur. Stakeholders are spreading the risk awareness beyond those who are ready and engaged to those who aren’t to defeat the cyber threat.

Session Chairman: Edwin Lampert, Head of Content, Riviera Maritime Media

16.45 Panel discussion: The weakest link: the role of human error in cybersecurity

• The importance of crew awareness to achieve more integrated risk management.
• What tools are available to train staff onboard and ashore?
• What resources and capabilities do ship companies have?
• Security through collaboration - Combining ideas and experiences, such as a global Cybercrime reporting portal, for the benefit of the maritime community.
• What are your legal obligations as a shipowner?

Panellists include:

Kewal Rai, Policy Adviser for Cyber Security, Department for Transport
Philip Roche, Partner, Norton Rose Fulbright
Anu Khurmi, Director, The Maritime Cyber Emergency Response Team (MCERT), Templar Executives
Dr Rikke Bjerg Jensen, Information Security Group, Royal Holloway, University of London

17.10 Q&As

Session six: Riviera Maritime Media Cyber Security Hub

Session Chairman: Edwin Lampert, Head of Content, Riviera Maritime Media

Riviera Maritime Media Cyber Security Hub serves as an innovative start-up and pioneers’ incubator, designed to help develop ideas and early stage projects by tapping into the knowledge, skills and connections of attendees. Riviera Maritime Media Cyber Security Hub is for people who care about cyber technology and risk, to get fresh ideas, identify new opportunities and expand business and professional networks.

17.20 Challenges in maritime incident response

Take the journey as we explore responding to a cyber incident in 2 hypothetical scenarios involving a vessel at sea and at a port.

• How did the vessel get impacted? What actions can we take? Where do liabilities land?
• What preparations can be taken?

Jason Dely, Director, ICS and Critical Infrastructure, Cylance
Steven Hadwin, Head of Operations – Risk Advisory and Cyber Security, Norton Rose Fulbright

17.40 The CIRM Cyber Risk Code of Practice for Providers of Marine Electronic Equipment and Services

CIRM will soon release a voluntary Code of Practice and associated Guidance to encourage implementation of cyber security best practice by CIRM member companies.

The Code of Practice is based on the principle that cyber risk management is a chain of trust where every participant is responsible for providing the elements needed to establish a complete chain of cyber security.

This presentation will introduce the six guiding principles for Vendors of Marine Electronic Equipment and Services to establish their role in the chain of trust for a secure digital maritime environment.

Philip Lane, Technical Officer, CIRM

18.00 Q&As

18.10 Closing remarks from the conference chairmen

Edwin Lampert, Head of Content, Riviera Maritime Media Philip Roche, Partner, Norton Rose Fulbright 

*Programme subject to amendments/change