Maritime industry’s cyber security vulnerabilities hit the headlines

13 min read

maritime cyber security

Maritime cyber security probably was not high on shipping companies’ list of business priorities over the last month. With the COP 26 conference in Glasgow and the IMO MEPC 77 meeting taking place, it was environmental regulation and its impact on operations alongside supply chain disruption caused by the pandemic affecting operations that were occupying shipping companies’ attention.

However, a wave of cyber incidents and breaches of management systems around the world, including at one of the leading risk management organisations, highlights the severity of the cyber threats and the need for cyber risk management to be taken more seriously than it already is.

The most recent attacks began on Halloween when around 60 Greek shipowner clients of ship management specialist Danaos Management Consultants became victims of an apparent ransomware attack. The cyber attack reportedly blocked their communications with ships, suppliers, agents, charterers and suppliers, while some correspondence files were lost. Clearly this would have a negative impact on operations.

Danaos contacted their clients to support them, suggesting they back up all critical remaining files to an external hard drive as a contingency measure. According to some reports, several of the ships affected were unable to make use of their normal communication systems and needed to contact port agents, suppliers and others by way of using different email addresses.

Guidelines and training in the front line

Since the beginning of this year, IMO regulations have required that maritime cyber security is addressed in shipping companies’ safety management systems and has published guidelines to support them in this process. Several other international maritime bodies have also issued guidelines and many training companies have devised special courses for security officers and crew.

Much of the training material has been directed at protecting critical systems against threats emanating from crew use of communications equipment and lax control over access to ship data and digital systems such as ECDIS.

Whilst large companies – especially those that have experienced cyber attacks – will probably have taken this seriously, a high proportion of operators will have made little real effort beyond including a few meaningless words in company procedures. That could conceivably be the case with the Danaos clients.

A wakeup call for shipping

So it is perhaps a wakeup call to the maritime industry that the victim of another of the most recent cyberattacks was classification and risk management specialist Bureau Veritas, which has undoubtedly audited and approved cyber risk and information security in many shipping companies’ management companies management systems.

The attack on BV prompted it to issue a press release which merely confirmed the attack saying “The maritime cyber security system of Bureau Veritas detected a cyber attack. In response, all the group’s cyber security procedures were immediately activated. A preventive decision has been made to temporarily take our servers and data offline to protect our clients and the company while further investigations and corrective measures are in progress. This decision generates a partial unavailability or slowdown of our services and client interfaces.” It went on to say that its incident response procedure had been triggered.

Bringing in specialist maritime cyber security support

Underlining the fact that many organisations are likely unprepared in cyber security matters, BV had in January this year acquired a stake in an independent service company specialising in cyber security services. The company said that as a result of increased threats and regulations, testing, inspection, and certification services for cyber security were an emerging market sector.

Understandably, BV did not publicly reveal full details of the cyber incident’s impact or how its control systems had been breached. Presumably, stakeholders needing to access BV’s systems for booking surveys and services or verifying a ship’s status were assisted directly.

Just days after the BV cyber breach, another classification society – DNV – announced that it too was to acquire a cyber security specialist organisation. In its announcement DNV said, “The two companies will join forces with the aim to build the world’s largest industrial cyber security practice, defending critical infrastructure in maritime and other industrial sectors against emergent cyber threats. Threats to industrial cyber security are becoming more common, complex, and creative.

The maritime industry witnessed a 400% increase in attempted attacks between February and June 2020 alone, according to Naval Dome (An Israeli intelligence organisation that has an interest in marine matters).

Financial system not the only focus

As well as mentioning the financial costs to shipping companies, DNV also said that according to technology research company Gartner, cyber criminals will go beyond making attacks for financial gain this decade, and progressively weaponise industrial control systems to cause harm to human life.

“Maritime systems and assets are now at higher risk of new forms of cyber-attacks, as their control systems become increasingly connected. Life, property and the environment are at stake. DNV is investing significantly in helping our customers build a powerful force of defence. By joining forces with Applied Risk, we aim to build an industrial maritime cyber security powerhouse to support the sector in managing these emerging risks,” said Remi Eriksen, Group President and CEO, DNV.

Class takes key role in smart ship era

Eriksen’s warning is particularly pertinent to owners of newbuildings which are now being built as ‘Smart Ships’. The initial aim of the concept of concept – which is now at least a decade old – was a technology response to energy efficiency and e-nNavigation initiatives whereby the software controlling power management and navigation technology along with digital control systems on a vessel would be integrated so as to better respond to changing conditions and reduce fuel use and emissions.

Now that the very real threat of cyberattacks has been realised, shipbuilders are now looking to class societies to approve the digital control systems as being resilient to cyber threats. Various class societies have developed Cyber Secure class notations and given approval in principle to smart ship designs.

Having just received an AiP for its SVESSEL smart ship solution from BV, Hyun Joe Kim, vice president of Korean shipbuilder Samsung Heavy Industries expressed a similar sentiment to many other shipbuilders saying, “Strong cyber security is key to enable shipping to move on to the next level of digitalised and connected ships. For years, SHI has been at the forefront of innovative design and equipment, helping our clients address the risk of cyberattacks while complying with the current rules and regulations.”

Global support from the port industry

Maritime cyber security involves more than just shipping companies and their vessels with other related stakeholders such as ports and cargo interests also under threat. Some national governments and maritime industry bodies have recognised that maritime transportation and the supply chain are critical systems that need protection. 

In the same way that the International Safety Management Code was initially about physical safety and working practices, so the International Ship & Port Facility Security Code (ISPS) was about physical threats to assets and infrastructure. Both have now taken on a cyber security dimension.

Earlier this year, the International Association of Ports and Harbors (IAPH), a major actor in operational matters, issued its Cyber security Guidelines for Ports and Port Facilities. The guidelines were drawn up by maritime cyber security specialists to serve as a crucial, neutral document for senior executive decision makers at ports who are responsible for safeguarding against cyber security risks as well as ensuring the continued business resilience of their organisations.

The document aims to assist ports to establish the true financial, commercial & operational impact of a cyber-attack. It also is intended to help make an objective assessment on their readiness to prevent, stop and recover from cyber incidents.

Pascal Ollivier, Chair of IAPH Data Collaboration Committee and President of Maritime Street and who was the driving force behind the new Guidelines said “The digitalisation of port communities means ports will need to pay increased attention to maritime cyber security risks”.

Singapore’s focus on maritime cyber security

In November, Singapore’s MPA announced a sector-wide maritime cyber security exercise to put the sector’s coordination on cyber security incident management, emergency response plans, and crisis communications to the test.

The exercise would be conducted over the course of three days in a hybrid format involving all actors in the supply chain. Some 90 participants from MPA, terminal operators PSA Corporation and Jurong Port will be present with shipping company, Pacific International Lines also taking part.

The exercise focuses on the cyber-physical implications of potential cyber-attacks and the increased risks in data theft and loss. The scenarios will cover data leak, ransomware, web defacement, distributed denial of service (DDoS), supply chain attacks, and compromise of critical maritime and port infrastructure and systems. 

Niam Chiang Meng, Chairman of MPA, said, “The maritime industry is undergoing rapid digitalisation. It is imperative to better prepare against the threat of cyber-attacks which have become more sophisticated. As the world’s busiest transhipment hub and a key node in the global supply chain, the maritime sector in Singapore will be more vulnerable if it is not prepared to deal with such cyber security threats. I am glad that the exercise has brought together our partners to test not only our readiness, but also enable better coordination in crisis response amongst all stakeholders in the maritime sector should an incident occur”.

News of the exercise came shortly after a Singapore-based shipowner reported a data breach after a cyberattack. No further details were given beyond the company involved saying it had notified the appropriate authorities. Singapore’s government has strict rules on data breaches that include a mandatory requirement to report every instance.

Co-operation between class and flag

Government action on maritime security depends in many cases on the importance that countries put on maritime transportation. Many will merely put into national law, the recommendations of the IMO while others will go further.

Panama is a small nation but its importance to the maritime industry cannot be understated. It is notionally the home of more merchant ships than any other state and it is also the location of the Panama Canal – a vital artery for global trade.

In November 2021, the Panama Maritime Authority (PMA) established its Cyber Incident Voluntary Reporting Scheme (CIVRS). This is an initiative aimed at helping the authority to better understand the cyber threats that vessels face and seeks effective measures to control these risks.

The PMA has reached an understanding with Japanese class society ClassNK which has agreed to provide its knowledge and experience in ship operations while also analysing information collected from the CIVRS to help the PMA further ensure maritime cyber security.

A long way to go with maritime cyber security

The incidents and initiatives mentioned above are by no means the only action the shipping industry has taken to reduce the cyber threat. Indeed, they have all come within a period of around three months and indicate the increasing problem of cyberattacks and the operational importance some within the shipping industry are putting on understanding key issues and means to reduce or eliminate cyber risks or at least secure their business interests as best they can.

Unfortunately, there are other pressures on ship operators and limited resources are being stretched in trying to meet all of the demands the international community is putting on the maritime industry. Some have called the push to decarbonise ships a  trillion-dollar challenge.

Shipping companies get little sympathy from the public or national governments when the perception is that cybercrimes only impact company finances while the environmental impact of vessels is sometimes very visible. 

Nevertheless, the world relies on maritime transportation for the wheels of commerce to keep turning and the impact of cyber threats on world trade and safe and secure ship operation is a key message the industry needs to focus on regardless of other demands put upon it.