Maritime cyber security, it is a problem which despite getting increasing attention, is still a major cause for concern. The sheer scale of the issue was highlighted in a high-profile new report, in which the costs and potential impacts on reputation and ability to operate are highlighted.

RISK BAROMETER

According to the 2019 Risk Barometer report from Allianz, there are a host of problems which face companies. There is one, though, which is perhaps even more troublesome than the others, that of cyber security.

With multiple stories in the media about the impact of cyber-attacks on a range of high-profile shipping companies and ports globally, it seems increasingly clear that the maritime domain is not immune to attack.

Allianz calls cyber risk, “a core concern for businesses in 2019 and beyond”, and this is perhaps magnified for shipping. According to the Allianz Risk Barometer 2019, Cyber incidents (37 percent of responses) jointly led the concerns, with business interruption (BI) as the top corporate risks globally.

It was also noted that potential BI scenarios are becoming ever more diverse and complex in a globally connected economy. These include a breakdown of core IT systems, quality issues, terrorism, political rioting, and environmental pollution. They also encompass a cyber element, as risks are increasingly interlinked.

INCREASING CYBER RISKS

Ransomware attacks or accidental IT outages often result in disruption of operations and services costing hundreds of millions of dollars. With 2018 considered a watershed year of cyber activity.

Cyber-crime now costs an estimated $600 billion a year – up from $445 billion in 2014. This compares with a 10-year average economic loss from natural catastrophes of $208 billion. While criminals use more innovative methods to steal data, commit fraud or extort money, there is also a growing cyber threat targeting critical infrastructure providers, stealing valuable data and/or trade secrets from companies.

In addition, cyber incidents are increasingly likely to spark litigation, including securities and consumer class actions. While data breaches or IT outages can generate large third-party liabilities as affected customers or shareholders seek to recoup losses from companies.

If that cyber news wasn’t bad enough, there are even calls for governments to identify companies which are not doing enough to safeguard themselves. According to a new report, academics at King’s College London have called for a campaign to name and shame companies with poor cyber security. They feel such a move would increase transparency around businesses’ cyber defences, and force poorly performing companies to improve their protections, leading to a reduction in crime.

BIGGEST PROBLEMS

While cyber incidents and business interruptions are talked of in terms of attacks, or largescale issues. It is actually the smaller scale attacks which can cause the most problems. Indeed, email phishing campaigns continue to dominate the global cybercrime arena, according to Ernst & Young (EY).

While issues like ransomware, cryptocurrency mining and state-sponsored attacks make the media headlines, it’s the lower-level cyber attacks that are impacting the most, and shipping is not immune by any means.

A phishing campaign is when a cybercriminal attempts to trick victims via email compromise into sharing sensitive or confidential information for malicious reasons. According to EY, organisations of all sizes being targeted and successfully defrauded via phishing campaigns and business email compromise attacks.

Phishing is a combination of social engineering, as the sender tries to convince the recipient they are someone they’re not. While successful phishing attacks are also down to poor cyber hygiene. Which refers to the practices and steps that users of computers and other devices take to maintain system health and improve online security.

INTEGRATED AND UNPROTECTED

Today’s shipboard systems are highly integrated, yet poorly defended. This poses huge potential risks. As vessels increasingly rely on automation and remote monitoring, as such key systems including navigation equipment could be compromised if attacked or if unwittingly, a virus is downloaded.

There have been many steps taken by shipping, and in addition to the International Maritime Organization (IMO) issuing guidelines, there have been a host of guidelines from industry organisations, such as BIMCO, the Cruise Line Industry Association (CLIA), International Chamber of Shipping (ICS), INTERCARGO, INTERTANKO, Oil Companies International Marine Forum (OCIMF) and the International Union of Marine Insurance (IUMI).

This has very recently been joined by a new strategy from the Danish Ministry of Industry, Business and Financial Affairs. The government body has launched a new sectoral strategy for the shipping industry which contains several initiatives aimed at strengthening IT security and preventing cyber threats in the maritime sector.

The objective of the strategy is to ensure that safety in Danish waters and on-board Danish ships is not compromised by cyber-attacks. Parallel to this, the Danish Maritime Authority has even established a dedicated Danish Maritime Cybersecurity Unit, to handle implementation of the strategy.

FINDING ANSWERS

One particularly challenging aspect in dealing with maritime cyber issues is the fact that maritime regulations struggle to stay abreast of the fast pace of cyber-crimes and threats. These are continually evolving, and so regulations must be accompanied by a shift in mindset. Indeed, awareness of cyber threats and how to mitigate them is vital onboard ships and also within offices ashore.

Whether it is people appreciating the potential problems with personal devices brought onboard or a malicious attack that could compromise a ship’s navigation system. Action is needed to secure ships and the entire logistics supply chain.

In the face of these growing cyber risks, Videotel has produced a multi-award-winning cyber security training programme, in association with global shipping association BIMCO.

The course addresses the concerns which various key reports have identified and covers various cyber security threats, risk assessment for ship systems, risk reduction practices for individuals and ship systems and best practice for responding in the event of a cyber security breach or attack.