Features 15.08.2024
That Sinking Feeling: How Can the Maritime Industry Improve Cyber Resilience?
Do shipping companies feel anchored down by cyber risk?
Features 15.08.2024
Do shipping companies feel anchored down by cyber risk?
The maritime sector is facing a familiar challenge. As digital initiatives transform the industry, they also increase the attack surface of ship owners, port operators, logistics firms and other businesses. Their adversaries are not just traditional financially motivated cyber criminals but, increasingly, state-backed operatives. According to data from the Netherlands’ NHL Stenden University of Applied Sciences, cyber incidents in the sector have risen sharply – from none in 2003 to three in 2013 and over 60 in 2023.
Historic under-investment and lack of engagement with cybersecurity compounds the challenge. The experts agree: maritime businesses urgently need to enhance their cyber resilience.
Cyber attacks on the maritime sector can take various forms. As in other sectors, the threat of ransomware looms large. NHL Stenden’s Maritime Cyber Attack Database (MCAD) highlights several such attacks in the UK in recent years, including a significant LockBit breach of the Metapack Overseas Express Shipping Company in 2020. In that incident, a phishing email led to the encryption of company data and the theft of 5.8 million records, including PII and internal documents. Some attacks dispense with the ransomware altogether and focus on data theft for extortion, such as the breach at Clarksons shipbroker in 2018.
DDoS is also popular and is sometimes politically motivated – although attacks create noise rather than damage. One such incident knocked out the website of the London Port Authority in 2022, and, more recently, the Port of Tyne website was struck.
“It is the cyber version of sea piracy” Stephen McCombie
Then there are more obvious state-sponsored efforts like Automatic Identification System (AIS) spoofing. In 2020, the AIS location of the HMS Queen Elizabeth and other British, Dutch and Belgian navy vessels was spoofed by Russia, so they appeared to be lurking menacingly near Russia-controlled waters. This helped the Kremlin substantiate aggressive behaviour at sea in response to a phantom navy raid, the MCAD notes. It claims there have been nearly 100 such incidents involving NATO naval vessels.
Stephen McCombie, professor of maritime IT security at NHL Stenden, tells Assured Intelligence that cyber threats in the sector are mounting.
“The largest number of attacks are ransomware, and they pose a serious risk. While only a handful have impacted ship bridge systems, the future potential from a safety perspective is significant. It is the cyber version of sea piracy,” he argues.
“Having said that, state-backed attacks, while less common, are more sophisticated and targeted for effect. For example, in 2023, Russian hacktivists (Killnet) targeted a US ship carrying Bradley Fighting Vehicles for Ukraine and the ports it was travelling through. Cyber-offensive capabilities are in the arsenals of all modern militaries, and they are prepared to use them.”
The sector’s threats are compounded by relatively low cybersecurity maturity in many organisations. That’s a growing risk now that many companies invest in digital and connected technologies like cloud and IoT – enabled by low earth orbit satellite communications. Former Maersk Line CISO, Andy Jones, tells Assured Intelligence that the convergence of IT and OT with IoT in ports and large vessels is particularly concerning.
“Ships are computer controlled and connected to global networks even at deep sea, and compromise of either IT or OT systems can constitute a significant risk” Andy Jones
“Ships are computer controlled and connected to global networks even at deep sea, and compromise of either IT or OT systems can constitute a significant risk. The recent incident in Baltimore, although not believed to be a cyber attack, reminds us of the damage that can be done when a large vessel loses control,” he says.
“These issues of IT and OT connectivity and dependency are not unique to shipping and have been a contributory feature in several cyber attacks, notably Colonial Pipeline. For the shipping industry, though, digitalisation and always-on connectivity are again accelerating factors.”
Alongside more advanced technologies sits under-protected legacy kit, which adds risk and further expands the attack surface, Jones adds.
“Perhaps in common with the airline industry, shipping is an industry with considerable heritage. And with that heritage comes legacy systems which need to exchange information with a considerable number of adjacent industries – such as ports, customers and other logistical suppliers – who have varying levels of maturity in cybersecurity,” he argues.
“The shipping industry itself is dependent on lots of adjacent supply chains as well as forming a critical cog in other industry’s global supply chain. Indeed, the phrase supply chain is misleading – a supply mesh or nexus is perhaps a more accurate description.”
McCombie adds that alongside “poorly maintained and ageing equipment”, a lack of cybersecurity staff and low levels of awareness are also exposing maritime organisations to rising cyber risk levels.
Given the criticality of the maritime sector to global trade, national economies, and security, it’s perhaps unsurprising that governments are taking action. In February, the Biden administration issued an executive order designed to boost the security of US ports’ supply chains and the maritime sector in the country. It will give the US Coast Guard more powers to demand that “vessels and waterfront facilities” mitigate any cyber risks that “may endanger the safety of a vessel, facility, or harbour.” It will also institute mandatory cyber incident reporting and establish minimum cybersecurity requirements for organisations operating in the sector.
The question is how maritime companies in other countries like the UK are to respond to rising cyber risk levels. Macroeconomic headwinds and geopolitical tensions already loom large over the sector – most obviously in disruption linked to the war in Ukraine and Houthi attacks in the Red Sea. According to NHL Stenden’s McCrombie, cyber insurance hasn’t necessarily caught up with the times.
“I think it’s challenging for insurers to assess the likelihood and impact of maritime cyber attacks due to limited data available. This means the products available do not fit the needs of the sector,” he argues.
Caspar Rogers, cyber insurance broker at Assured, comments: “It’s right to say there’s limited data on cyber attacks within the shipping industry, but that has little to no bearing on how a robust cyber insurance policy would pay out if it were covering a shipping company. If the shipping company suffers either a security failure or a (non-malicious) system failure, then a proper cyber insurance policy will be triggered and will pay out,” he explains.
Where the limited data on cyber attacks for shipping companies may impact things, Rogers considers, is on the pricing point. “Because of how few attacks there have been historically, it means insurers are probably likely to take a ‘finger in the air’ approach to pricing these risks up, so there could be huge discrepancies in the premium for a shipping company.”
Bridewell threat intelligence principal lead, Gavin Knapp, also has concerns around general cyber insurance policies adequately covering maritime risk. “The unique risks associated with maritime operations, such as the potential for physical damage and environmental disasters resulting from cyber attacks, are not always adequately covered by general cyber insurance policies,” he tells Assured Intelligence. “Additionally, the high cost of incidents, coupled with the industry’s underinvestment in cybersecurity, can make it difficult for companies to obtain sufficient coverage at reasonable rates.”
“If a shipping company suffers either a security failure or a (non-malicious) system failure, then a proper cyber insurance policy will be triggered and will pay out” Caspar Rogers
Assured’s Rogers counters this worry. “Some cyber insurers offer property (physical) damage cover, resulting from a cyber attack. It is typically big manufacturing/industrial companies that buy this coverage, but it is more than appropriate coverage for shipping companies also.” Like all insurance products, the potential for enormous losses comes with a price tag. “This coverage comes at an additional cost to the standard cyber insurance policy because if it were to be triggered, the potential losses would be enormous,” states Rogers.
In addition to securing the appropriate standard of cyber insurance, maritime organisations should focus on cyber hygiene such as network segmentation, prompt patching, detection and response and “regular cyber exercises to improve readiness and awareness”, NHL Stenden’s McCrombie suggests. Former Maersk Line CISO Jones adds that the International Maritime Organisation (IMO) has run initiatives around vessel cyber hygiene and crew awareness in the past. However, “in comparison to other industries, there is a lighter regulatory approach,” he admits.
“The lesson that should be drawn from other industries is that, although cyber hygiene is crucially important and should be executed to a high level of excellence, there is no silver bullet, and no investment in security technology will reduce the risk of a cyber attack to zero,” he concludes.
“Accordingly, the watchword is ‘resilience’: being prepared and rehearsed for the inevitability of an attack; ensuring that critical systems continue to operate safely during an attack; and working with regulators and other industries to ensure that cybersecurity is built into both IT and OT products.” Securing a cyber insurance policy that will respond in the event of an incident is also crucial.
A 2023 study from DNV reveals that just 40% of maritime professionals believe their organisation is investing enough in cybersecurity. This must change. As geopolitical tensions mount, it will increasingly be the operators and owners of port facilities and seagoing vessels caught in the middle.
Thank you to Bridewell’s Knapp for sharing his five-point plan.