To tackle the cyber threat, shipping must change its culture
The Naval Architect: April 2018
Though Maersk was not the specific target of the 2017 NotPetya ransomware attack, which hit a wide range of companies using the Ukrainian accounting software MeDoc via a malicious update, it didn’t much matter. The vast majority of the shipping giant’s systems crashed, compromising operations at ports and on vessels around the world over 10 days as the company scrambled to re-install their network. Maersk have since reported attack- related losses totalling a huge US$300m.
Such a shocking incident has compelled the shipping industry to confront the neglected issue of cybercrime, and consider its readiness to prevent future attacks. Lagging behind the likes of aerospace and finance when it comes to cyber security preparedness, the industry recognised that it is something of a soft target. NotPetya may not have discriminated, but it still caused a huge amount of damage. What, then, would be the cost of a more targeted cyberattack?
This is especially pertinent given that shipping has now entered the digital age, with so-called ‘smart’ vessels becoming increasingly connected, both in terms of on board systems and their links to shore-based service stations and third-parties offering remote performance monitoring and navigational assistance. Whilst cyber security technology has undoubtedly improved over recent years, the number of systems aboard a vessel that might be vulnerable to attack has proliferated, presenting hackers with far more opportunity to do damage. This will be further compounded by introducation of autonomous vessels in the coming years.
DNV GL’s principal consultant of shipping advisory, Jan Hinnerk Haul, echoed this idea at an Immediasea cyber security round-table last month, suggesting that modern vessels are basically a “floating data center,” reliant on an array of both standard IT (information technology) systems and OT (operational technology) systems, such as navigational platforms and remotely-controlled valves and pumps. While a data breach in IT might risk a company’s finances and reputation, Haul noted that an attack on OT, which might mean overriding the ship’s navigational systems, or causing equipment to malfunction, poses far greater risks to life, property, and the environment.
The human element
The quick-fix of updating cyber security software is only half the battle, as systems are compromised most often by the actions of untrained crew and seafarers who can introduce malware themselves through an act as simple as plugging their phone charger into a bridge USB port, or carelessly opening a phishing email. This can then play havoc with the interconnected systems on board the vessel. Ports and shore-based offices are also at risk from human cyber security negligence, and are arguably the more lucrative target.
The significant cyber risk posed by the human element is the focus of industry-wide initiatives such as Be Cyber Aware At Sea, which offers training and guidance to seafarers and attempts to raise awareness about cyber security best practice. It takes a prevention rather than cure approach, seeking to limit opportunities for criminals by instilling the concept of ‘cyber seaworthiness’. As JWC International founder Jordan Wylie, who led the Be Cyber Aware at Sea campaign, suggests: “Training and awareness for me is still the biggest vulnerability, the human factor as we often call it in the maritime sector.” A firm advocate of the need for training from the bottom up, from seafarers to executives, Wylie warns that “cyber- attacks are not a case of if but when. Fortune favours the prepared.”
However, whilst training equips seafarers against cyberattacks, attempts to quantify the scale of the problem are hampered by shipowners’ tendency towards opacity when it comes to cybercrime. A scan of the news brings up few examples besides major stories such as Maersk and the Clarksons data breach in December. This can be attributed less to shipping’s immunity from cybercrime, though, and more to the tendency amongst shipping executives to keep news of cyberattacks out of the public sphere in order to protect their reputation and, by extension, profits. As an industry that relies on trust – to deliver goods safely, and on time – a breach of cyber security is potentially catastrophic for business, even if it is averted. It could also result in legal action by cargo owners and the need to complete extensive paperwork for law enforcement, creating further disincentives to reporting attacks.
Security through community
Attempting to circumvent this secrecy culture is the CSO Alliance, a network of company security officers (and related professionals such as CTOs and PSCOs) that facilitates the sharing of information about physical and cybercrimes in the shipping industry, to achieve ‘security through community.’
Speaking at the Immediasea round-table, director Mark Sutcliffe noted that the state of disorganisation amongst CSOs, prompted by disincentives to report crime put upon CSOs by their employers, is a panacea for criminals. To combat this, the CSO Alliance have created an anonymous crime reporting platform in collaboration with Airbus, which allows CSOs to report incidents without compromising their own or their companies’ identities, and spread awareness about threats in real time. It is hoped that the platform will play a role in affecting a much-overdue culture change, in which shippers, having benefitted from information sharing, will choose to collaborate with other shippers, flag states, ports, industry bodies and P&I companies to tackle cybercrime as a united front. In Sutcliffe’s words: “It’s all about teamwork if we are really serious about looking out for our industry.”
Cyber security advocates are keen to point out the strong commercial basis for taking a more transparent approach to cyber security in shipping, which is ultimately the strongest driver of behavioural change in the industry. Firstly, as awareness about maritime cybercrime grows, companies that openly demonstrate the efficacy of their cyber security arrangements are likely to appear more trustworthy to cargo-owners, who will worry less about disruptions to their supply chain. As Haul pointed out at the round-table, quoting Møller-Maersk CEO JimHagemann Snabe’s words at the World EconomicForum, Maersk decided post-attack to “make cybersecurity a competitive advantage. Being good at [cybersecurity] is good for making money.”
Secondly, as the EU’s GDPR (General Data ProtectionRegulation) is set to come into force in May this year, andthe IMO has announced that all shipowners will berequired to incorporate cyber security risk management into their vessels’ safety management as part of the ISM Code (audited by flag states), cyber security compliance has become essential in order to avoid harsh financial penalties and even vessel detainment.
Thirdly, transparency around cyber security will allow classification societies to develop more relevant and effective cyber notations, which are likely to positively impact P&I insurance premiums by lowering the risk of certified Club members’ vessels. At present, P&I Clubs do not exclude liabilities to carriers and shipowners caused by cybercrime, but if the number of attacks rises as expected and shipowners cannot demonstrate some kind of compliance, the increased risk may force the Clubs to do so.
As with many issues in shipping that require owners and operators to adjust their behaviour and commit funds, such as ballast water management, the sulphur cap, and the Hong Kong Convention, there will be those who delay action on cyber security, as well as plenty of doubters about the cyber threat. The newness of cybercrime and its complexity also mean many shippers find it difficult to understand.
The IMO released MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management in July last year, marking the first significant global attempt to address the issue, but has not yet set out any regulations, which are likely to be goal-based if/when it does.
The suggestion at the roundtable was that the class societies will take the lead on cyber security, with Bureau Veritas, Lloyd’s Register and the American Bureau of Shipping having released basic notations and China Classification Society a set of guidelines so far. DNV GL is also working on a set of class notations. These will give shipowners something concrete to work towards,and begin to generate a competitive advantage for those who achieve the notations.
The growing commercial and institutional support given to initiatives such as the CSO Alliance and Be Cyber Aware at Sea that are trying to open up the conversation and, more importantly, are providing concrete training and reporting solutions, further suggests that shipping is finally starting to treat the cyber threat with the seriousness that it deserves. It may take another Maersk to truly convince the industry, but as the stakes get higher, the winners will be those who see cyber security as an investment rather than a tax – and take decisive action now instead of remedial action later.