As COVID-19 and war increase pressure on supply chains, maritime cyber security needs to tighten up.
When Maersk, the world's largest container shipping firm, suffered a cyber attack in 2017, the consequences were severe. Thanks to a dose of the NotPetya ransomware, the company's entire network was brought down for days, and operations had to be halted at 76 port terminals around the world.
Since then, the Mediterranean Shipping Company, COSCO, and CMA CGM - the three other largest shipping companies in the world - have all also been hit by attacks. Indeed, in a recent report from maritime cybersecurity company CyberOwl, maritime innovation agency Thetius, and law firm HFW, 44 percent of industry professionals said their organization had been the subject of a cyberattack in the last three years.
Risks on the rise
Transport and logistics companies generally are becoming more and more attractive targets to ransomware gangs since the start of the pandemic, thanks to rocketing cargo prices and their huge cash reserves. And according to the CyberOwl survey, the consequences for maritime firms can be serious, with three percent of attacks resulting in a ransom being paid, at an average cost of $3.1 million.
As the Ever Given debacle last year demonstrated, the world is hugely dependent on efficient shipping. During the ship's time stuck in the sands of the Suez Canal, according to Bloomberg, $9.6 billion worth of traffic a day ground to a halt.
The pandemic has only increased pressure on the global supply chain - as has the continuing invasion of Ukraine. Any major maritime cyberattack – whether by criminal gangs or nation-states – could be disastrous.
"I think the main risks are that shipping will become a major target for threat groups, ranging from organised crime, activists and even nation states, as it becomes clear that there are rewards to cyber attacks on the sector and opportunities to exploit the relatively vulnerable targets," Professor Kevin Jones, executive dean of the Faculty of Science and Engineering at the University of Plymouth, tells Cybernews.
Since the beginning of last year, he says, the International Maritime Organisation (IMO) has required shipowners and managers to implement cybersecurity risk assessments and procedures – but many have failed to do so.
"There are technical and cultural reasons why the shipping industry is lagging in terms of cybersecurity. The design cycle and lifespan of ships are very long, so there are many vessels still in service that were designed when technology was at a very different level to what is expected today," he says.
"Changing regulations have required bolt-on technology, and systems have been pieced together rather than designed with security in mind. Also, they are often focused on minimizing cost and disruption, rather than ensuring security and this leaves technical holes."
The need to improve
There are now calls for maritime cybersecurity to be quickly improved, with Guy Platten, secretary general of the International Chamber of Shipping, calling for more support for the industry.
First, he says, maritime organizations must have the right structures, tools, and skills in place to prevent attacks from happening and to limit their damage when they do happen. Meanwhile, there should be more support for the industry as a whole to improve security in the supply chain.
And finally, he says, "Ship operators need support from regulators and insurers to balance the cybersecurity risks they face on a daily basis."
One of the biggest issues highlighted by Platten and Professor Jones is the low level of cybersecurity awareness. Indeed, according to the CyberOwl survey, the more senior a member of staff is, the less likely they are to know if their organization has suffered from a cyberattack.
At sea, more than a quarter of seafarers don't know what actions are required of them during a cybersecurity incident, and a third don't conduct any regular cybersecurity drills or training. Ashore, meanwhile, 38 percent of senior leaders either don’t have a cybersecurity response plan or are unsure of its specifics.
For most of history, says Professor Jones, a ship has been seen as a world unto itself, disconnected from the world ashore.
"In the age of increasing connectivity, that mindset, together with a lack of appropriate cyber training, leads to a lack of understanding of the risks that are genuinely present," he says.
"It’s clear that the sector needs appropriate regulation, sector-specific risk analysis and cyber training, and appropriate technological developments - and that they are needed at a pace that is unprecedented for the sector."