Experts warn of shipping’s vulnerability to escalating cyber risk and argue that it will take a digital disaster for shipping to take cyber security seriously.
Significant disconnects still exist between the industry’s expectations of cyber security and the realities on the ground. The assumption that regulation was going to improve industry readiness has proved woefully wide of the mark and the lack of basic training is still leaving the industry vulnerable.
WHEN the Ever Given (IMO: 9811000) became grounded in the Suez Canal 12 months ago, blocking a major global trade artery in the process, there were initial rumours circulating that a cyber attack was to blame.
“It wasn’t of course, but perhaps that would have been sufficient for the industry to finally sit up and pay attention,” said Julian Clark, global senior partner at Ince.
A year on and ransomware attacks, costing shipowners an average of $3.1m each time they pay up, have doubled.
Hacking attacks have increased 25% since the beginning of this year and the prospect of a cyber war spilling over from Russia’s invasion of Ukraine is looming large over all sectors.
And yet there is a disconnect between the increasing risk to maritime businesses posed by cyber attacks and the defences being erected in response.
More than half of all ship operators spend less than $100,000 a year on cyber security management and the results of multiple industry surveys point to inadequate training, awareness and cyber security protocols being endemic among shipping companies.
The likelihood is that it will take a digital disaster for shipping to take cyber risk seriously, according to industry experts.
“I think we all recognise that shipping has a bad record of thinking it is not a problem until it is a problem,” Mr Clark told a Lloyd’s List cyber insurance webinar. “It is only when we see something really horrendous happen that, unfortunately, we tend to sit up and take notice. I think we’re looking at a disaster looming and it’s really concerning.”
According to Lloyd’s List’s industry survey, only one quarter of the industry feels enough is being done to spread awareness of the cyber threat, while just two thirds have knowledge of measures in place if online systems are compromised.
That message of under-resourced defences was reinforced by another survey published earlier this month by maritime cyber security company CyberOwl and the law firm HFW, which revealed significant gaps in cyber risk management across shipping organisations and the wider supply chain.
While 87% of respondents reported that their organisation had “appropriately addressed cyber risks in the fleet’s safety management system”, that awareness was not reflected across companies.
The survey concluded that more than 25% of seafarers do not know what actions would be required of them during a cyber incident and only 55% of industry suppliers are asked by shipowners to prove they have cyber risk management procedures in place.
“I think the issue is that you have to assume that you are going to get hit at some point and the question is, what you do about it, and how do you reduce the vulnerabilities,” Astaara’s chief cyber officer Bill Egerton told the webinar.
The spillover of the situation in Ukraine is already increasing the rate of cyber attacks, but that trend is not an anomaly.
More than half of all publicly reported cyber incidents in the marine industries sector have been due to war-like or terror-related events — where nation states or their proxies (that is to say, hacking groups with known links to nation states) are the authors of the attack.
The 2017 ‘NotPetya’ attack that so publicly devastated Maersk’s IT systems was not a direct hack against the shipping firm; rather, the company was collateral damage from a Russian-origin attack targeting Ukraine that spiralled out of control.
According to analysis of publicly available information, Mr Egerton concluded that terror made up a third of all claims in 2016, but this had risen to more than half (53%) in 2021.
“While the increased level of criminal attacks is to be expected, there has also been a sharp rise in the frequency of attacks or incidents where pecuniary crime does not appear to be the prime motive. Systems are being damaged; sensitive data is being exfiltrated — and while responsibility is not being admitted, there is clear evidence that tools and techniques are being deployed that are known to be used by groups with known links to nation states,” he said.
But while the growing threat of shipping companies getting caught in the digital cross-fire is well understood, if not easily protected against, it is the more mundane risks of lax internal company training and unintentional insider breaches that present the most frequent problems.
According to data from CyberOwl, more than 95% of the cyber incidents on vessels it monitored during 2021 could be linked back to an unintentional insider. The vast majority of these relate to actions that explicitly contravene the cyber security policies of the organisation.
“It doesn’t need to be an attack for it to be serious,” Päivi Brunou, head of cyber security technology at Wärtsilä Voyage, told the webinar. “When we look into problems found in operational technology networks, the events are usually non-malicious. But of course, impact can be the same.”
Training, or lack of it, appears to be at the heart of the issue.
Within maritime organisations, there is a disconnect between the perceived and actual readiness to respond to an attack. Whether at sea or on shore, the more senior a member of staff is, the less likely they are to know if their organisation has suffered from a cyber attack.
According to the CyberOwl-HFW survey, at sea, 26% of seafarers do not know what actions are required of them during a cyber security incident, and 32% do not conduct any regular cyber security drills or training. Ashore, 38% of senior leaders either do not have a cyber security response plan or are unsure if their organisation has one.
Similar response rates for a physical safety threat would be unthinkable.
“In the event of a collision or a spill, everyone in the industry would know how to respond, but with cyber that is a major issue that the industry still needs to grapple with,” said Mr Clark. “We had hoped that the change in International Maritime Organization regulation would have dealt with that because of course now there is a requirement of compliance under the Safety Management Code, but I don’t think it has.
“Shipping has always moved so slowly responding to changes, we have got to move a lot quicker on this.”