According to IBM’s 2016 Cyber Security Intelligence Index transportation was the 5th most cyber-attacked industry in 2015. Even with such high stakes, recent research from Futurenautics makes it clear that the shipping and maritime industry could use a wake up call when it comes to IT security. Arriving at troubling conclusions about the industry’s lack of cyber safety in their Crew Connectivity 2015 survey, Futurenautics writes: “Only 12% of crew had received any form of cyber security training. In addition, only 43% of crew were aware of any cyber-safe policy or cyber hygiene guidelines provided by their company for personal web-browsing or the use of removable media (USB memory sticks etc.). Perhaps unsurprisingly, given the above statistics, fully 43% of crew reported that they had sailed on a vessel that had become infected with a virus or malware.”
Why is this happening? A survey of recent blogs and papers on the subject brings up potential factors such as: outdated software, human error, lack of knowledge about/concern for the issue from management, increasing sophistication of global cyber attacks, and increasing digitisation in shipping. I shared these ideas with several industry experts and asked them to choose what they thought was the most pressing issue in cybersecurity for shipping and maritime. What follows is their advice on what shipping organizations should try to tackle first in the ongoing battle to fend off hackers.
Knut Ørbeck-Nilssen, CEO, DNV GL Maritime @DNVGL_Maritime
With ships and mobile offshore units becoming increasingly connected and reliant on software-dependent systems, cyber security emerges as a key property needing attention in order to control operational and safety risks. Maintaining the integrity and resilience of critical cyber-physical systems therefore requires a holistic approach to both safety and security. Owners and operators are now seriously contemplating third-party verification of their assets’ cyber security, whether during new build construction or for vessels in operation. This is an area where we foresee increased demand over the next few years as the industry gains awareness of the vulnerabilities and related cyber threats to their business.
Norma Krayem, Sr. Policy Advisor and Co-Chair, Cybersecurity and Privacy Team, Holland & Knight @HK_Privacy, Former Deputy Chief of Staff, U.S. Department of Transportation
Cybersecurity risks to critical infrastructure (CI) including shipping and maritime, continue to grow exponentially around the globe. Nation-states, non-state actors, hacktivists, organized crime and modern day “pirates” represent the range of attackers against ports, port operators, vessel operators, shipping companies and others as they face constant attacks focused on 21st century theft to potential operational risk.
The industry is challenged from the continued reliance on legacy systems, the need for cyber specific training, increasingly digitalization of the sector and in many instances over, relegation of cyber risks to the IT departments, without an awareness that cybersecurity is a systemic risk to the maritime sector. Vessel automation, cargo and container tracking systems, global navigation systems and supply chain security are all at risk of cyber attack. Risks can also come from other sectors, for instance, a cybersecurity attack against satellites providing GPS could cripple the industry. A major cybersecurity attack could represent both the potential for injury and loss of life as well as physical damage to the maritime, shipping and port infrastructure. The devastation could be dramatic, carrying economic impacts potentially in the billions of dollars.
At the same time, the U.S. Department of Homeland Security (DHS) and U.S. Coast Guard (USCG) have been working with the maritime sector to evaluate and mitigate risks to the sector, issuing an alert in 2016 to raise awareness of the risk. The global community has come together to discuss the threats to the industry, working with the International Maritime Organization (IMO), which recently issued "Interim Guidelines on Maritime Cyber Risk Management." However, more needs to be done to quickly address the challenges to the industry.
Phil Tinsley, Manager, Maritime Security, BIMCO @BIMCONews
All your potential answers have some merit - but we would stress it is the human element which we believe is the gravest concern. Why? There is unfortunately still a lack of awareness of the potential severity of a malicious cyber security attack on board a ship. Information technology systems and operational technological system protocols are often not fully understood by all ships’ crews. There is potential for an incident to occur through negligence, misuse or even deliberate acts when dealing with on board systems which are connected. Additionally there are certain individuals, as listed below that see a criminal opportunity in an industry that has not yet grasped the potential impact of a cyber security incident.
- Activists (including disgruntled employees) are motivated to commit reputational damage and disruption of operations with the objective of destroying data, publicizing sensitive data or getting media attention.
- Criminals are looking for financial gain, or are involved in commercial or industrial espionage; their objectives include: selling stolen data, ransoming either that stolen data or system operability, or arranging fraudulent transportation of carog.
- Opportunists are looking for the challenge of getting through cyber security defences, often for financial gain.
- States, state sponsored organizations or terrorists who are looking for political gain or to commit espionage. They intend to gain knowledge and/or disrupt economies and critical national infrastructure.
In order to address this, BIMCO and supporting industry organisations are raising the issue of awareness throughout the maritime industry. We base our awareness approach around the diagram below which sets out a graphic display of the various aspects of awareness.
Jens Monrad, Senior Intel Analyst, FireEye iSIGHT @FireEye
One of the biggest challenges I see in the shipping and maritime sector is the pace of digitalisation in the industry versus the ever-changing threat landscape. Today a lot of critical functions, commercial and business operations must meet the digitalisation demand and this has forced industries, including the shipping and maritime sector into meeting demands, which potentially changes the way security was built and designed to secure infrastructure, protect data, customers and employees.
When we look at the shipping industry the threats are not one-dimensional, there are many different threats against the industry. Potentially the threat from nation states, in conflict, might engage in hybrid like operations, attempting to disrupt an adversary, by targeting the shipping of goods used in conflicts.
Nation state threat actors can target the industry to enrich country or nation owned industries
Other nation state threat actors can also target the industry to enrich country or nation owned industries, by conducting industrial espionage, which might be carried out due to the goods transported, rather than targeting a specific company.
On top of that, the cybercriminal ecosystem is on a global scale a billion-dollar industry; this means that cybercriminals will keep pursing victims who can secure a pay out. The shorter the ROI is for a cybercriminal the more attractive it is.
Disruption attacks, carried out by politically motivated threat actors, is a concern in all industries, especially those utilising industrial control systems, relying heavily on availability and uptime, where any downtime causes significant losses for any company. The shipping and maritime sector is not different in this aspect and a disruption attack carried out against vessels or ports could potentially damage reputation and generate financial losses.
All the above, could potentially affect the shipping and maritime industry as it is transforming its operations to meet the digitalisation demands and ambitions of the future of shipping. The maritime and shipping sector, must make sure that they have the right resources in place, to monitor and contain any cyber threat. Closing the gap between discovery of a cyber threat and recovery from it, is essential to successfully minimise the risk of loss of data, revenue or reputation.
Jens Monrad has been one of the distinguished speakers at our Shipping2030 events. You can read more about the series here.
Lars Jensen, CEO & Partner, SeaIntelligence Consulting , Partner LinerGame @SeaIntel
The most pressing issue in maritime cyber security is that most organizations need to realize they already have the tools they need to materially improve cyber security. However, they tend to lack either the specific skills or – more often – the organizational focus to implement actions which are tedious but necessary.
Most organizations need to realize they already have the tools they need to materially improve cyber security
Many shipping companies wrongfully believe that cyber security has to be expensive. The reality is that often simple, inexpensive, actions will raise security significantly both on the landside and on the vessels. Often it is matter of ensuring that systems get updated in a timely fashion, business processes are changed slightly, networks are properly configured, security features are tested and users properly trained.
Don't miss Lars Jensen at our Global Liner Shipping event in Hamburg this May.
Jordan Wylie, Campaign Director, becyberawareatsea, Managing Director, Sovereign Global Solutions @MrJordanWylie
The reality is that most information security and cyber related breaches often occur as a direct result of human error. Failing to address the human factor when protecting data or networks used for information or operational purposes, severely reduce the effectiveness of next generation defence in depth technologies. Shipping poses a very different exposure to the large data breaches that frequent the news on a daily basis and this industry is concerned predominately with business interruption from loss of operability on-board or transactional e-theft, through our supply chains for the business. The most pressing concerns I see when speaking to ship owners, masters and crew is that they do not fully understand the risks yet. It is the mass workforce that shapes the culture in every organisation and the maritime sector is no different, which is why the Be Cyber Aware at Sea campaign and on-board blended training are the most effective way of changing behaviours which will help in driving a cyber aware culture. We can effectively mitigate cyber risk with continuous security training and awareness programmes by investing in our people first. Training seafarers on information and cyber specific policies address the continuous evolving threat landscape in shipping.
Peter Broadhurst, Senior Vice President, Safety and Security, Inmarsat @InmarsatGlobal
With the current awareness and profile of cyber security in shipping the threat to shipping is a reality that needs addressing. Traditionally connectivity and ITC in shipping has been an evolution so the maturity and security of the on board IT infrastructure over the installed base is very fragmented. Taking shipping to a mature secure level is going to be an enormous challenge for the industry. Coupled with this is the increase in ITC demand from the increasing use of data to drive efficiency and operational excellence. Inmarsat will launch its own maritime Unified Threat Management system that will inspect, detect and protect suspicious data being sent from and to the vessel. Owners will get continuous updates, highlighting security compromise causes, and receive intelligence on emerging threats, taking shipping to a mature secure position for the first time.
Andrew Wadsworth, Managing Consultant, Global Energy & Utilities, PA Consulting @PA_Consulting
Complacency about cyber security is the biggest single issue the shipping and maritime industry must guard against. Whilst cyber is, undoubtedly, rising up the management agenda, it is too easy to think that it’s other companies who will be attacked and not take it seriously enough now. And it will only get more important as automation increases, demand for access to real-time data continues to grow and, ultimately, autonomous ships are launched. The pace of change and extent of disruption to the industry should not be underestimated either. Good cyber security will increasingly be critical to sustaining a successful shipping company. Management needs to invest now to be ready for the future.
Additionally, there are lots of other issues such as: different and immature standards; how to do deal with regulation in a global industry; dealing with new builds vs legacy ships/systems; building a security culture in a diverse, multi-cultural, multi-lingual, mobile workforce and dealing with the insider threat as mariners jobs are threatened by increasing automation. All of these topics are, or will be, important for the shipping industry to face.
Andrew Wadsworth has been one of the distinguished speakers at our Shipping2030 events. You can read more about the series here.
Check out events like Shipping2030 Asia that are addressing the challenges of an increasingly digitised world.
