“We make sure we are doing everything we can to ensure that the company does not have a bad day from a cyberattack perspective,” said Devon Bryan, chief information security officer at Carnival Corporation.
He said it was a matter of layering the right technologies, maturing the supporting risk-based processes and investing in the right people skills.
Leigh Carr, vice president of maritime cyber safety, said her role involved protecting critical assets on the ships, from navigation to safety management systems.
“We identify vulnerabilities and threats that will impact those assets and then work to protect them, monitoring 24/7,” she said, in an interview with Cruise Industry News.
“We don’t want to have a bad day, and we want to make sure the company is prepared to recover,” she added, noting enterprise-level backup and recovery systems.
Carr explained that meant working across the industry with other maritime organizations, including the IMO, class societies and flag states, to get ahead of any bad actors.
Among the company's initiatives has been the rollout of more secure remote-access protocols.
“When we had a pause in our operation during the pandemic, we had technicians that could not come to the ships, so we came up with creative ways for them to get in remotely. We are securing those systems even more,” Carr explained.
‘Layered Defense’
“We think about defending in depth. That is a layered defense model that starts with identifying our critical assets and what they are and where they are, and ensuring they are adequately protected commensurate with the associated risks. We are continuously enhancing our ability to detect so we can respond timely and recover if necessary,” said Bryan.
“We think about that in the context of the simplistic NIST Cybersecurity Framework, meaning to identify, protect, detect, respond and recover. If protection fails, we have to be able to respond and recover with as minimal downtime as possible.
“We want to be cyber-resilient so we can ‘withstand’ so we do not have to recover at all,” Bryan continued.
Increased connectivity to the ships has kept Bryan and team on their toes.
“With it comes additional concerns with what bad actors might be able to do. With us staying true to our layered security defense, threat intel-led, risk-based approach and applying industry best practices, it does afford us some degree of confidence in our ability to protect our business operations.”
Bad Actors
“What are we really worried about? It’s not just about loss of financial data and loss of systems,” Bryan explained. “In our maritime environment it’s about safeguarding lives. Those OT systems may have life-impactful consequences. That urgency is not lost on us.
“There is also potential environmental impact. We think about a bad actor corrupting systems aboard that could potentially lead to an environmental disaster. We factor that in as part of the equation.”
Bryan said the company spends time on cyber threat intelligence, monitoring what is happening globally, as offense informs defense.
“We leverage our intelligence providers to help with the filtering,” said Bryan. “Filtering the signal-to-noise ratio is a key component of our threat intelligence platform.”
Among recent concerns has been satellite jamming and spoofing.
Complex and Diverse
Carr credited the support of the executive leadership at Carnival Corporation.
“We get the executive support,” she said. “If you do not have executive support from the cyber perspective, you cannot effectively operate a program like this.
“We don’t focus on just one area. If you look at a cruise ship, we have water treatment, navigation, satellite, hotel systems and more. It’s complex but offers a diverse field of systems. We are constantly learning and being challenged.”
Another initiative is bringing shipboard, shoreside, IT and OT items together into the company’s fleet operations centers, so analysts can see even more in real time.
“We can respond quickly, everyone is on the same page,” Carr said. “Cyber is a team sport; it’s a team event. If we can get people thinking of this at the top of their minds on a regular basis. We want the seafarers focused on the job, which is operating the ship.
“Our motto is, if they see something, they need to say something, and we tell them who to say it to. On the back end we can correlate that with the experts and respond together.”
Bryan said that putting it all together, it’s about making sure that the company’s cyber security strategy is directly aligned with the corporation’s key strategic imperatives.
He noted his organization’s tagline, “Ship & Shore, Always Secure,” isn’t just a slogan. It serves as the guiding principle not just for what his global cybersecurity services organization does, but also extends to the human firewall layer that each employee of Carnival provides.
“We’re in the business of delivering unforgettable happiness from the cruise experience to our guests. Those guests will not be happy if their data is compromised or if there’s disruption with the systems onboard the vessels. We make sure the technologies we invest in and the processes we deploy are laser-focused on helping our company meet its commercial objectives.”
Bryan, citing his military days, added: “Mission first, people always” as a key component of the approach he takes to help secure the world’s largest cruise company.