Many of the world’s leading shipowners and port operators are undertaking a rapid digitalisation of their businesses in the pursuit of greater operational efficiency, profitability and growth.
The increased use of computerised systems for everything from navigation to container inspection has enhanced the safety of mariners and vessels at sea, and improved the efficiency of our ports. But the industry migration towards ‘smart’ ships, systems consolidation and global connectivity has also multiplied the potential impact of – and criminal rewards for – cyber attacks.
Because the present systems were designed for the needs of the 20th century rather than the threats of the 21st century, maritime companies are vulnerable to attacks. Global maritime logistics is highly integrated so it is possible to become a victim without having been the target: any assumptions of low-probability risk will always be flawed because of this high level of integration and the wide reliance on transitory labour that raises the probability of insider threats.
Warnings from the cyber-security community are on the rise, despite relatively infrequent evidence of breaches. For commercial and reputational reasons, most victims shun the spotlight and are largely not required to report attacks.
Other than for breaches in the US involving financially regulated data and ‘personally identifiable information’, there is no mandatory reporting. It was hoped that mandatory reporting would become law in the European Union during the present fiscal year, but gaining consensus is proving a tortuous process, with implementation at least two years behind what was anticipated.
So, like rogue icebergs, the scale of the threat remains unseen. But the vulnerability of some of the systems being adopted has been exposed.
For example, merchant shipping is in the midst of a wholesale adoption of various e-navigation and integrated automatic identification systems (AIS) to supplement marine radar, the main method of vessel detection, positioning and collision avoidance.
The International Maritime Organization (IMO), through the International Convention for the Safety of Life at Sea (SOLAS), has made the adoption of AIS mandatory for vessels above a specific size; ensuring the resilience of AIS against cyber attacks, however, is not part of that requirement.
Shipping is also embracing GPS and electronic chart display and information systems that are often integrated with a company’s AIS.
Both AIS and GPS have been proven vulnerable to hacking. Moreover, the devices reportedly used to identify the security gaps in these systems cost less than US$2,000, making them available to the full range of cyber-criminals, from nation-state actors and organised crime to hacktivists and talented teenagers.
Gaining access to these systems could give criminals the ability to disable one or multiple ships transiting strategically important waterways such as the Panama Canal, greatly impacting world trade.
Ports are using similar integrated systems and software to track and manage the transit, handling and release of cargo, as well as terminal operations. In one recent event, the vulnerability of container-release codes was exploited to steal cargo at the port of Antwerp.
It is not inconceivable that entire container ports could be shut down. A recent study found that cyber-related disruptions at Long Beach or Los Angeles could impact 20% of the maritime transportation system in the US, removing about US$1bn a day from its economy for the duration of the attack.
While potentially pervasive, the cyber-challenges faced by the maritime sector are not insurmountable. On an industry level, we could start by ensuring that all verification processes that attest to the integrity of industrial control systems include an assessment of cyber-resilience. At present, most do not.
Secondly, mandatory reporting of all cyber breaches would go a long way towards establishing the scale of the problem and the current capabilities, techniques and targets of the many cyber-threat actors, information that can be used to design risk-based cyber-defences.
On the corporate level, the responsibility for creating a cyber-resilient company must quickly transition from those manning the industry’s IT rooms to those in the C-suite. Those senior executives then need to ask themselves: which digital assets really matter to my company’s business (i.e., data, applications, the infrastructure that supports those applications, and the third-party service providers who supply that IT infrastructure and those applications)?
To drill down to the operation-critical issues, digital assets need to be assessed through three lenses:
- In what ways do they affect my financial stability?
- In what ways do they affect my ability to meet my regulatory compliance obligations?
- How could they affect the reputation and trust of my business, or its very existence?
Using those lenses will help companies to understand what security should look like for access to those assets: how to restrict access to their computer systems, how to configure any security devices, and how to apply security controls.
It will be a lot of work, but an effective cyber-defence strategy is now intrinsically tied to the protection of profit and operational resilience.
This post originally appeared in Ship Management International.