Interview: Mitigating Cyber-Threats in the Maritime Industry

The risk also changes hugely depending on what you are carrying (changing the level of interest for more sophisticated actors) and where you are (changing the people involved). In recent years, the main evolution of the threats has been less technical and more economic; bad actors have worked out ways of monetizing the existing vulnerabilities in the sector and, so, developing more targeted attacks.

Is the maritime particularly vulnerable to cyber-attacks compared to other transport sectors like automotive and aerospace? If so, why?

It is vulnerable in specific ways. The sector is slower to respond than other sectors due to the variety of vessels in the commercial fleet and the design cycle of the industry. Large-scale commercial operators are running with hulls that are decades old and retrofitted with various kinds of technology when regulatory mandates have made that necessary. There is also a long-standing attitude in the sector of “my ship is an island,” leading to lower awareness of cyber vulnerabilities. Unlike the airline industry, there is also a lot of personnel who are lower paid and less skilled.

What are the potential implications of a cyber-incident in the maritime sector? What are key examples of this to date?

Well, it’s a trillion-dollar industry, and we’ve seen through a recent incident that it’s easy to see costs of $10bn a day when something disrupts the maritime supply chain. To date, the worst case, the Evergiven, was accidental, but it’s the kind of thing that could be caused by a cyber-attack. Each of the four major shipping lines has been the target of a specific cyber-attack in the last few years, with a large-scale ransomware model seeming to be the new weapon of choice.

You and your colleagues worked alongside the Bank of England to create the first maritime cyber incident exercise featured in the 2022 General Insurance Test. Could you give an overview of this exercise?

“One of the things we have been doing over the last couple of years is to develop sector realistic scenarios, illustrating potential outcomes of various cyber-attacks. They range from minor inconveniences (e.g., a blank chart display) to catastrophic (e.g., closing the Suez Canal) and making sure that all are realistic both from a technical and operational perspective. For the bank of England, we designed a scenario that involved a cyber-attack taking control of the throttle and rudder of a large container carrier and grounding the ship, with the knock-on consequences to both the individual cargo and the rest of the ecosystem. We developed an appropriate risk model for this attack and the subsequent consequences.

What kinds of cybersecurity practices and technologies are particularly vital for organizations in this industry to adopt in the coming years?

I’d emphasize two things: appropriate sector-specific cyber risk assessment – e.g., the kind of assessment we do with MaCRA taking into account the dynamic factors and IT and OT, preferably making this kind of approach standard to bridge the current IT-centric gaps the industry is exposed to; sector-specific cyber awareness training, ideally with appropriate and sector realistic scenarios so the industry, from the board to the officer of the watch, is aware of, can recognize, can respond to and can develop appropriate mitigations to the kind of attacks that they will experience. After these are embedded, attention should switch to next-generation equipment developed with security from the beginning, but we have to recognize in this industry that it will take decades, even with regulatory push to move it forward.