Dryad Global Annual Report 22/23: Cyber Security in the Maritime Domain

Dryad Global CEO Corey Ranslem talks to Professor Kevin Jones, Executive Dean of Science and Engineering at the University of Plymouth about cyber security in the maritime domain.

World trade and supply chains chiefly depend on shipping, a singularly complex, profitable and now vulnerable sector. However, despite its importance to the global economy, the maritime industry, it’s people, vessels and infrastructure rely on disparate, outdated information and oerational technology. 

Dryad Global talked to Prof Jones about the existing maritime cybersecurity landscape and how it is likely to evolve. He shared his views on what the industry ideally needs to do to mitigate cyber threats, and what the potential consequences of inaction or delayed action could be for global supply chains, commerce and security. Professor Jones is the head of the University of Plymouth’s Cyber-SHIP Lab. This government-partnered hardware-based maritime cybersecurity R&D platform is part of the University’s Maritime Cyber Threats research group. 

The regulatory landscape has changed over recent years - it’s improved through initiatives like IMO 2020 and additional regulations implemented by the US Coast Guard. It’s also inevitable that more regulations will follow. But what are the prominent vulnerabilities regarding maritime cybersecurity? 

There are several answers here. The first industry problem is awareness: there are still many people who think that even progressive regulations like IMO 2020 and the US Coast Guard’s implementations are unnecessary, because the industry “doesn’t have a problem with cybersecurity”. There’s now irrefutable evidence that this is no longer true - while it may have been a while ago, it certainly isn’t today. Until the sector catches onto the idea that this is an enduring problem that needs appropriate attention, there’s going to be a ‘follower’ mentality: where people are not proactive in pre-empting and preventing problems. 

The lion’s share of goods we use are transported by ships - so any attack on the shipping infrastructure (ships, fleet management and physical companies) could potentially have devastating effects on the global economy. How has the attack landscape changed in terms of attack types from five years ago to today? 

There were very few targeted attacks on the maritime sector. If there were, they tended to be at nation state level - things like large-scale GPS spoofing to investigate the attackers’ capability for doing those things. Maritime cyber-attacks are becoming a profitable mechanism that can be exploited by organisations up to the level of worldwide organised crime. Most of the major shipping lines have been hit at some level or another in the last couple of years, and this wasn’t the case five or six years ago. So that change has happened, in the same way as the banking sector: two decades ago they went from “we don’t have to worry about it” to “we are a prime target.” 

With the evolution of cyber and criminal targeting against the maritime industry, do current regulatory frameworks adequately address cyber threats, or is there more that needs to be done? 

Firstly, it is good that something is being done, because something is always better than nothing - and the fact that the IMO now has a regulatory framework that requires cyber risks to be considered is clearly a positive step forward. If you really look at the meat of that regulation, it simply states that “cyber risk has to be considered.” It doesn’t say you have to be able to do anything about it or fully understand the nuances of your consideration.  

We’ve gone from obliviousness and not caring about cyber to driving an awareness that hopefully instils a more responsible future stance and actions from the industry. How do you think the maritime cyber-attack landscape will change over the coming years? 

The attack landscape is going to get worse - more and more people will realise the benefits they can get from maritime cybercrime. More and more tools will be developed to specifically target the sector. 

If you look at other parts of the space, there are tools that were originally only accessible by the NSA which you can now buy for a couple hundred bucks on the darkweb. So now, fairly low-end criminals have capabilities that were nation state-level just a few years ago. 

What we’re seeing is increasing numbers of purpose-designed tools being developed by criminals. Maritime is going to be part of that mix. 

In summary, the sector’s had a bit of a respite that the rest of the world hasn’t, in terms of the classic situation of “we’re out at sea, we’re an island, we don’t have to worry about this cyber internet stuff” existing until now. 

That period is over: there will be a rapid escalation until the maritime sector achieves the same security level as banking, road transport, power or any of the other sectors. Then it’ll be a level playing field for where attention will go - and the intelligent will say, “Maritime is still actually an interesting place for malicious activity, so it’s also an interesting place to develop mitigations.”