As the shipping industry keeps moving slowly to new forms of technology and digital innovations, criminality has started to make a huge impact on the ocean supply chain. On June 27th, A.P. Moller-Maersk fell victim to a coordinated international cyber-attack, which affected several of its businesses across the world, causing the shutdown of IT systems across its business units against virtual intrusion. The impact of the attack was critically significant not only for the amount of goods being transported on a daily basis, but also for the major disruption it caused on its port-to-port communications and digital applications.
Without a doubt, the recent cyber-attack unraveled key vulnerabilities and plausible negligence given Maersk’s position as the world biggest shipping line and also, operator of 76 ports via its APM Terminals division. The Danish firm reported, “We can confirm that Maersk has been hit as part of a global cyber-attack named Petya on the 27 June, 2017. IT systems are down across multiple sites and select business units…We have contained the issue and are working on a technical recovery plan with key IT-partners and global cyber security agencies”.
It is difficult to ascertain the exact reasons why Maersk fell victim to such a criminal manoeuvre without having a look at its computer systems and IT capabilities. Nonetheless, it does beg the question: how does one of the largest container shipping companies in the world, which beyond doubt, invests huge amounts of money on IT developments, get brutally infected? During a live interview, Vincent Clerc, Maersk Line’s Chief Commercial Officer, explained that while continuous security assessments and further investigations were still in progress, the firm had been focusing on devoting more resources to business continuity and adequate protection for its customers.
As part of its response to the attach, Maersk enabled the use of manual processes and INNTRA to guarantee continuity and deter customers to keep facing disruptions. After a week of backlog and assessments for full transparency, major digital applications and APM Terminals resumed operations and productivity levels reached normality. Yet, as opposed to other insiders who failed to enumerate the causes that made Maersk a clear victim, surveys and industry experts exposed their views on this topic. These views commonly comprise a mixture of technological, human, and digital failings.
In its Crew Connectivity 2015 survey, Futurenautics found that, “Only 12% of crew had received any form of cyber security training. In addition, only 43% of crew were aware of any cyber-safe policy or cyber hygiene guidelines provided by their company for personal web-browsing or the use of removable media (USB memory sticks etc.). Perhaps unsurprisingly, given the above statistics, fully 43% of crew reported that they had sailed on a vessel that had become infected with a virus or malware”.
Phil Tinsley, Manager, Maritime Security at Bimco said, “It is the human element which we believe is the gravest concern. Why? There is unfortunately still a lack of awareness of the potential severity of a malicious cyber security attack on board a ship. Information technology systems and operational technological system protocols are often not fully understood by all ships’ crews. There is potential for an incident to occur through negligence, misuse or even deliberate acts when dealing with on board systems, which are connected”.
Digital innovations are also the newest game changers that are exposing shipping companies to new vulnerabilities. With more than 600 vessels operating in around 130 countries, Maersk created the “Maersk Advanced Analytics Team” in order to improve operational efficiencies, fuel savings, and customer service. Yet, digitalisation absorbs new issues; vessels are increasingly using systems that rely on data usage and analytics that bring a greater risk of unauthorised access or malicious attacks to ships’ systems and networks.
“One of the biggest challenges I see in the shipping and maritime sector is the pace of digitalisation in the industry versus the ever-changing threat landscape. Today a lot of critical functions, commercial and business operations must meet the digitalisation demand and this has forced industries, including the shipping and maritime sector into meeting demands, which potentially changes the way security was built and designed to secure infrastructure, protect data, customers and employees,” said Jens Monrad, Senior Intel Analyst, at FireEye iSight.
The shipping industry is waking up to a new era of technological innovations. Even so, there is an evident lack of maturity, even for the largest shipping firms, to develop a technical checklist of preventive actions that should be followed to avoid potential cyber threats. Transforming obsolete processes and fragmented supply chains into fully protected, integrated systems requires pragmatism and caution to say the least. Lars Jensen, CEO and partner, at SeaIntelligence Consulting, added:
“Many shipping companies wrongfully believe that cyber security has to be expensive. The reality is that often simple, inexpensive, actions will raise security significantly both on the landside and on the vessels. Often it is a matter of ensuring that systems get updated in a timely fashion, business processes are changed slightly, networks are properly configured, security features are tested and users properly trained.”
Valour Consultancy ratifies the importance that cyber awareness has in todays’ shipping world. By implication, cyber security should be considered vertically and horizontally, from top management ashore to onboard crews, assigning resources and responsibilities that could create a new culture based on continuous risk assessments and operational efficiencies. Perhaps, the Danish conglomerate failed to capture the educational/training benefits that cyber aware programs bring to the industry, which is the reason why many business units across the organisation were vulnerable to the crime.
Ongoing risk assessments should sequentially be employed once awareness reaches optimal results. Every employee should be aware of any potential risk and internal vulnerabilities, carry out continuous assessments and identify solutions in the event of an attack, increase protection methods and mitigate the impact of exposure, implement contingency plans (ideally non-electronic ones against data deletion and shutdown of IT systems), and follow a recovery plan that covers the inspection, detection, and deletion of threats. Following those actions is essential to minimise the risk of loss of data, revenue, and reputation.