When IHS Markit launched its inaugural maritime cyber security survey in 2016, few in the industry were ready to accept that a cyber breach could wreak havoc on an unprepared shipping industry, let alone that they could be a victim, or might have already been one.
Just 20% of respondents confirmed that their computer systems had been compromised – which the 10 experts who participated in an IHS Markit roundtable on the subject at last year’s SMM 2016 conference believed was conservative. They felt many more were likely to have been attacked without realising it, or perhaps had failed to attribute server problems or system downtime to anything sinister.
What a difference a year makes, especially since in recent months Maersk – with its top-flight systems and security – has been a high-profile victim of malware. The shipping industry is now on its guard, at least when it comes to talking about cyber security.
As expected, given that the 2017 survey was launched just weeks after the NotPetya attack on the Danish shipping giant, the number of respondents willing to admit that they had experienced some form of attack had grown to 34%. Reassuringly, more than half of executive respondents stated that their organisations were investing in cyber training – significantly more than the 22% who said their employees had undergone cyber-security training in 2016. Additionally, some 70% now have processes in place for staff to report cyber incidents.
However, when you break down the results, the picture becomes unsettling. Respondents were split into three categories: executives, middle management, and crew and shoreside staff.
According to crew and shoreside respondents, 76% have not received any cyber security training. Some basic work practices offer concrete evidence of this: 51% admit sharing passwords with colleagues, 66% have opened an email attachment without knowing who it is from, 80% bring their personal devices to work, and the same number have logged into their personal email and social media accounts during working hours.
To paraphrase one of the participants at last year’s roundtable, protecting against a cyber breach isn’t rocket science. Focusing on basic IT hygiene can block security holes, he stressed. Clearly, that is not yet happening.
Even worse, in my view, is that 53% of crew and shoreside respondents don’t know who to tell if there is an IT security breach. More staggeringly, 86% have never taken part in a cyber-security drill or exercise. If a vehicle hit a child outside a school, you would reasonably expect teaching staff and parents to reiterate the importance of road safety. So why has there been no action on drills and training following the Maersk attack? These are the people on the front line. They need to know what to do in the event of a cyber breach.
Maersk’s openness about its June attack has spurred more transparency from others. Singapore’s BW Group has disclosed that it has been targeted by computer hackers, and others are likely to come forward. Information sharing about maritime cyber security is also set to improve when the anonymous cyber-crime reporting site for the shipping industry goes live later this month.
Things are moving in the right direction. However, one can only hope that when IHS Markit revisits this topic in 2018, some of the most basic cyber-security practices – those relating to devices and sharing – will have been squared away and drills and training exercises will have spurred greater awareness about how to manage an attack.