As shipping communication capabilities continue to improve, are we at greater risk of a maritime cyber-attack?
In a recent article, Maritime Digitalization and Communications – a magazine that publishes industry-wide news concerning the maritime sector – presented a brief outline of major technologies that would transform the industry in 2019.
From significant increases in IoT technology to AI-based predictive positioning systems, the article suggested that improved maritime communications will not only enhance vessels’ core operations but also modernise other key features, such as vessel navigation systems, internal and external communications (broadband and satellite communications), ship monitoring systems, and, of course, the adoption of greater cybersecurity measures.
The latter feature, though, describes improvements in an area where many ship owners have demonstrated a lack of initiative towards security and safety. This lack of progress and consensus has opened doors for organised criminal intrusions that have targeted maritime companies, particularly the commercial container shipping sector. The industry has fallen victim to several digital attacks over the past few years. These continuous online attacks have, either directly or indirectly, exposed a vulnerability to cyberattacks within the industry that has not, in some cases, been rectified yet.
The unexpected maritime cyber-attack that took the leading shipping behemoth by surprise
The well-known industry example often cited is the cyberattack on A.P. Moller Maersk, which shook the company to its core, resulting in business and financial accounting disruptions which reportedly amounted to over $300 million in damages. Despite rapidly responding to the attack by tracking, identifying and removing malware from affected systems, the Copenhagen-based company exposed industry vulnerabilities in its IT infrastructure which could well have been prevented if industry-wide cybersecurity standards were in place.
Cybercriminals target vulnerabilities rooted in IT infrastructure and in other aspects directly linked to chief characteristics of the maritime industry. These characteristics can increase the threat of malicious intrusions and are classified as follows:
- Shipping companies typically share access to key backend systems with multiple users, each of which has its own IT infrastructure and cybersecurity approaches/standards.
- Cybersecurity on vessels represents an issue since companies cannot control the IT structure of vessels chartered for a shorter period of time.
- Some shipping companies have a specialised IT department located at headquarters, whereas remote operations rely on technical crew with limited IT knowledge.
- Crew communication problems arise mostly when employees work in deep-sea waters, which means a higher exposure to social engineering intrusions.
- As for the movement of cargo, vessels moving through the vast ocean interact with different entities whose IT infrastructures and cybersecurity standards are not congruent with the practices implemented at headquarters.
Any possible weakness represents an opportunity for unscrupulous actors to illicitly access modern Information and Communication Technology (ICT) systems in an attempt to cause disruptions for multiple reasons, which could include unethical competition, espionage, blackmail, or in certain cases, terrorism.
As such, why has the maritime shipping industry NOT developed and implemented any cybersecurity policies, considering the current vulnerabilities owing to the digital growth of systems onboard vessels and their connectivity to wireless networks around the world?
Voluntary and mandatory industry-specific guidelines
In spite of lower cybersecurity awareness, the National Institute of Standards and Technology (NIST) had voluntarily presented, in 2014, an industry-generic guideline which urged companies to follow a systematic approach to leverage cybersecurity measures based on 5 key functions: identification, protection, detection, response, and recovery. Whilst these functions shepherd cybersecurity specialists through a remarkable phase of recognition, analysis, and assessments against cyberattacks, shipping companies still require an additional ingredient for adapting such principles to the specific managerial demands and technical complexities embedded in maritime.
By extrapolating from the above-mentioned principles, the International Maritime Organization (IMO) has recently presented their own maritime-specific cyber-risk management strategy, also known as “Interim guidelines on maritime cyber-risk management”. The guideline ratifies the same practices developed by NIST, yet with a significant emphasis on involving senior management of the participating companies. Their goal is to educate shipping companies and other close actors about the importance of top-level cohesion to ensure that protection, contingency, and response planning are poised in relation to the threats, vulnerabilities, risk exposure, and potential consequences of cyberattacks.
IMO’s most relevant contribution to cybersecurity is also associated with their long-term plans after the catastrophic cyberattack that destabilised the Danish firm. The assembly has announced that they are now working on a set of mandatory guidelines which will come into effect on January 1st, 2021. Unfortunately, the IMO is not expecting shipping companies to abide by the new norms upon publication, which will delay the implementation of these guidelines further. It should also be mentioned that the possible legislation of these procedures will take even more time.
On a positive note, and in consideration of other companies that also fell victim to cyber intrusions (for instance, COSCO Shipping Lines and IRISL in 2018 and 2011 respectively), key international associations and institutions have joined forces to publish voluntary guidelines and awareness-raising collateral to encourage maritime companies to integrate cybersecurity into top-level physical security strategies.
Influential actors, including BIMCO, Intercargo, OCIMF, the World Shipping Council and other maritime-related participants, are committed to practical, security-conscious approaches to deter virtual criminals from weakening the industry while allowing IMO to materialize their mandatory guidelines. Their main purpose is to help companies understand the pillars of risk assessment and safety management systems to shun future cyber threats.
As for industry awareness, these guidelines will help generate greater interest, particularly among key stakeholders in the industry who help evolve and modernise IT security strategies, in order to augment security measures and encourage collaboration between companies. Through the management of campaigns, these institutions are planning to target a higher number of maritime organizations, customers, partners, insurance companies, and, more importantly, national governments.
Thus, under these circumstances, the final question is: will this holistic project be able to bring governments onboard as a means to fast-track IMO’s cybersecurity guidelines and strengthen collaborations?