Disconnects Pose a Significant Challenge to Maritime Cyber Risk

Shipping has changed more in the last two years than it did in the entire decade before that. Digitalization has given the industry new ways of working that have kept world trade moving through a global pandemic and enabled many new efficiencies.

But the shipping industry’s increasing reliance on digital tools is not without risks. Today, it makes no difference if you work at sea or ashore; there is no escaping the need to properly manage cybersecurity risks and protect against those attempting to harm the industry.

A new report by Thetius, ‘The Great Disconnect’, focuses on what it perceives as three significant disconnects. Within maritime organizations, there is a disconnect between the perceived and actual readiness to respond to an attack. Whether at sea or ashore, the more senior a staff member is, the less likely they are to know if their organization has suffered from a cyberattack. The second disconnect occurs across the supply chain between the security standards ship operators are working to and the standards that the industry’s suppliers work to.

Finally, this problem is compounded by the fact that many operators have little to no control over the security of systems that are installed onboard, creating a disconnect between the exposure for the ship operator and their ability to control the risks. This supply chain disconnect is built into regulations, too, with the IMO Cyber Risk Management resolution placing the burden of regulatory compliance solely on ship owners and operators.

“In recent years, we have made amazing strides forward in digitalizing our sector, and indeed over the last two years probably done more during that period that we have done in the previous ten years,” Guy Platten, Secretary General, International Chamber of Shipping, said. “This has made our sector more productive, more efficient, and of course, more environmentally friendly. However, the more digital we become, the more susceptible we are to cyberattacks from hackers and malware. There is no escaping the need to properly manage cybersecurity risks and protect those that may attempt to harm the industry.”

We have seen this risk materialize with well-publicized attacks on significant shipping companies. But according to Platten, that is just the tip of the iceberg, with many mundane attacks going unreported. The recent events in Ukraine have highlighted just how critical an issue cybersecurity is with hostile organizations and rogue states resorting to cyberattacks on industry infrastructure. “As the facilitator of 90 percent of global trade, maritime faces an even heightened risk of cyberattacks; it is a valuable target, Platten added. “Maritime cyberattack not only poses risks to individual businesses, but they also threaten the global supply chains that transport our food, our fuel and medicine, and all the other necessary commodities to keep the world moving.”

“Up until now, there has been a reluctance to accept just how significant this threat is, but we must take real action rather than be an easy target. And many practical steps can be taken. There is no one size fits all solution. Companies should take a risk-based approach and identify the biggest threats unique to their organization. Given how susceptible our sector is to cybercrime, it is clear that we should be doing far more.”

The authors make four recommendations to support the industry in overcoming these cyber risk disconnections. The first two recommendations are aimed at tackling the organizational disconnect. They include establishing a dedicated cyber security directorate within fleet operations and implementing a comprehensive cyber incident training and drill program. The third aims to tackle the supply chain disconnect and involves developing minimum security standards for suppliers and partners. Finally, the fourth aims to close the risk disconnect and includes conducting an urgent review of insurance policies and seeking specific legal guidance on ransom payments.

Source: The Maritime Executive