Shipping happy to accept increased cyber security risk, for now
Majority of shipping professionals surveyed by DNV said they’d be happy to accept increased cyber security if it meant greater innovation and better technology
But cyber security experts have questioned shipping’s readiness to deal with ever more threats, and warned that bad actors will soon realise the value to be had in targeting shipping
THE majority of shipping professionals would be happy to accept increased cyber security risk if it meant the industry became more innovative and made use of enhanced technology.
Class society DNV’s latest Maritime Cyber Priority Report surveyed about 500 maritime professionals from more than 50 countries. Of those asked, 61% of professionals said accepting a rise in cyber risk was simply the price of innovation. That appetite for risk is significantly higher than other industries, DNV said, such as healthcare or energy.
Perhaps that acceptance is founded in the confidence that shipping can deal with cyber threats. More than eight in 10 maritime professionals believe their organisations have good cyber security posture and 71% were confident their organisation would quickly return to business as normal following an attack.
But experts suggest that confidence could be a false sense of security. Ships now have more equipment and technology connected to the internet and shore-based systems than ever before.
Daniel Ng, chief executive of DNV subsidiary CyberOwl, said many shipowners often don’t even know they’ve been the victim of a cyber attack. He explained that because of the way shipping technology is set up, malware that would hold data to ransom on an ordinary device onshore and display a ransom message would simply shut down a bridge system, for example.
Equipment failures are therefore diagnosed as exactly that, and their root cause — a cyber attack — is never identified.
The other key aspect that differentiates shipping from other sectors is the reliance on systems, which would be outdated on land. Vessels are still heavily reliant on USB sticks for example, Ng said, and so cyber security analysts working with crews must have an understanding of how things work at sea.
Ng said CyberOwl analysts must visit a working vessel within a year of joining for that exact reason. “It’s impossible to say ‘don’t use USB sticks’. It’s impossible to say, ‘don’t let third-party equipment manufacturers remote access your systems’,” he said.
Instead, Ng said he wanted his analysts to work with crew, rather than simply issuing blanket advice that would probably be ignored anyway. Rather than advising crew to avoid downloading forms from email, for example, which are often a crucial part of port state administration, analysts could instead advise crew to complete that form on a quarantined machine and perform a scan before reconnecting it to the vessel’s core systems.
While shipping’s technical infrastructure could, in some parts, be described as rudimentary, the vast majority of attacks are not state-backed espionage either.
Ng said 99% of the threat to shipping is so-called “spray and pray”, that is, attacks not specific to shipping and not designed with vessel systems in mind. The remaining 1% is the more serious, nation-backed — or at least state-funded — kind, but Ng said those most vulnerable to these threats were aware and are taking steps to mitigate their impact.
But that might not be the case for long. Ng and DNV Cyber head of maritime cyber security, Svante Einarsson, said shipping was fortunate that it had so far kept a low profile in terms of cyber security. Criminals have so far remained somewhat unaware of the value to be had in targeting shipping.
But Ng was fairly certain that soon bad actors would realise shipping’s status as the “soft underbelly” in the supply chain, compared with say the energy sector which is very aware of its vulnerability.
DNV’s report said the ‘air gap’ that vessels had enjoyed for decades has disappeared with the advent of greater connectivity. Ng agreed that shipping’s insatiable need for data (needed to prove compliance with decarbonisation regulation or targets, for example) had opened more backdoors for bad actors to step through.
The industry seems content with that greater risk, given the huge benefits that greater connectivity has delivered.
But if the price of cyber security attacks starts mounting up, the results from future DNV surveys might start to look quite different.
Download the Lloyd’s List App — the essential tool for staying ahead in the maritime industry, anytime, anywhere! Available now on the App Store and Google Play. More information here