The June cyber attack that will end up costing Maersk an estimated USD200–300 million was considered by many a wake-up call for the maritime industry, but the results of an exclusive cyber risk survey, with responses from 284 individuals, reveal that shipowners may still be highly vulnerable to future threats.
The IHS Markit Maritime Cyber Security Survey 2017, conducted by IHS Markit in association with shipowner representative BIMCO and supported by the “Be Cyber Aware At Sea Campaign” (an industry initiative of 85 maritime-affiliated companies), built on a benchmark survey conducted in 2016 to uncover trends in how the industry is preparing for escalating cyber risks.
This year’s survey, which took place during August, was also made more comprehensive than last year’s by drilling down into three respondent segments – executives, managers, and crew – to better assess cyber awareness across organisational levels.
The results, for the most part, were not encouraging. Asked whether their company had experienced a cyber attack within the last 12 months, 34% of 195 respondents answered “yes” – an increase from the 21% that answered that way in 2016. At the same time, 49% answered “no” to the question, compared with 57% last year.
The results will be discussed in detail during a forthcoming webinar on 19 October.
The level of cyber-risk awareness within employee groups was just as troubling, with 13% and 9% of company executives and onshore managers, respectively, answering that they “didn’t know” if their organisation had experienced a cyber attack within the last 12 months. Among crew members, 37% answered the same way.
When asked if they knew whether their company had an IT security policy, 67% and 79% of company executives and onshore managers, respectively, responded “yes”, compared with only 37% among crew members.
The availability of cyber-risk awareness training for crew also seems to be an issue, based on the latest survey results. Even though 51% of shipping company executives claimed they invested in cyber training for staff and crew, which some consider to be a low number in itself, 76% of crews responded that they had not received any cyber training.
That lack of cyber awareness among crew is costing vessel operators time and money. “Times where shore people were coming on board with their small laptop and printer are gone,” commented one ship management respondent.
“Nowadays they’re coming with memory sticks for preparing and printing their documents using ship’s computers. If the anti-virus software is not updated on a daily basis, the risk of ship’s network getting infected is very high. At my previous company, it’s happened and we had the network completely break down.”
Even more concerning was the response to a question put to the vessel crew category, asking whether they had ever opened an email attachment without knowing who it was from – with 66% answering “yes”.
The consequences of mishandling emails can be costly as well. “One e-mail [purporting to be] from local agents required fund transfer,” noted one respondent. “The bank details were of a criminal company. We lost around USD30,000 in the process.”
The survey results show that the industry is behind the curve when it comes to preparing for a cyber attack despite evidence of increasing vulnerability, according to Andrew Baskin, vice-president of global policy and trade at Hudson Analytix, a New Jersey-based maritime security consultancy.
“While it’s easy to know if a physical attack has occurred – you can usually see, hear, and even smell it – cyber attacks are by nature intangible, so it’s difficult for everyone in the organisation to know what is actually occurring or what has already happened,” Baskin told IHS Markit. “Making sure management and crew are recognising the same threat is something that companies need to work on.”
Baskin also noted that the discrepancy in perception between management and crew with regard to training is something he sees frequently. “Shipping executives not only have to make sure there are training programmes in place to address cyber risks, but that the crew is aware that these programmes exist, because [a cyber attack] can affect the entire organisation.”
The cyber vulnerabilities exposed in the survey also seem to lag behind the heightened attention paid to cyber security among organisations that represent and provide services to the industry. Guidelines addressing cyber risk developed by owner groups, class societies, and flag states, in partnership with the International Maritime Organization (IMO) and the United States Coast Guard (USCG), were created in part to head off potentially costly regulations.
Those guidelines, however, have the potential to evolve into more enforceable requirements. At the 98th session of the IMO’s Maritime Safety Committee in June, the IMO approved a resolution affirming that vessel safety management systems (SMS) should take cyber risk management into account in accordance with the requirements of the International Safety Management (ISM) Code.
The resolution encourages IMO member states to ensure cyber risks are addressed in SMS no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
In the United States, the USCG is looking for industry input on a proposal that “provides suggestions” for how vessel terminal facility operators can incorporate computer systems and network vulnerability assessments into their existing facility security plans. The proposal, for which comments are due on 11 October, also provides guidance on implementing a cyber risk management governance programme.
Paul Zukunft, the USCG’s commandant, is concerned about the lack of government funding for cyber security within his agency as well as private investment from industry.
“What concerns me there is we’re seeing a number of [vessel operators], especially in containerised shipping, consolidate,” Zukunft said during a recent interview in Washington, DC. “And what if this was a co-ordinated event that would shut down multiple [operators]?”
In addition, “just-in-time inventory does not compensate for any disruption in any of that product moving from ship to shore to ultimate destination. So it’s a real challenge there. We need to invest in cyber [security].”
The IHS Markit survey also revealed that there is room to step up those investments. Sixty percent of executives responded that they had allocated an annual budget for cyber security risk management, with 21% answering “no”, and another 19% claiming they didn’t know. “We are too small” to provide for a budget, commented one respondent, who added, “We do have anti-virus [applications] and our people are trained not to open files from unknown sources or USBs.”
The move within the maritime sector to become more digitised – whereby navigational equipment becomes increasingly automated and more customer-focused processes are executed in real time – makes improving cyber awareness beyond the current state of affairs even more critical.
While shipping has embraced digital technology to drive efficiency and reliability, it has done so “without considering the impact on connectivity and security”, Gwynne Lewis, head of data and digital for Lloyd’s Register Marine & Offshore, told IHS Markit earlier this year.
“What systems are connected to what? Are they storing data on the cloud? Who can access the data being stored? If suppliers have access to your operating technology, what cyber-security protocols do they have in place?” Lewis said the marine industry is “way behind the curve” when it comes to resolving these questions.
“It has been like building a house without building the foundations. Now work must be done to build the foundations up, or risk damage to assets, potential loss of life, and loss of reputation,” he added.