Fairplay survey reveals drop in cyber attacks as shipowners bolster defences

According to the latest cyber-security survey
For increased digitalisation of ships, increased cyber-security resilience needs to be implemented, says DNV GL. Credit: IHS Markit

Attention-grabbing high-profile cyber attacks in the maritime sector continue to remind shipowners and operators of the costly effects such incidents can have on service and their income statements, with companies taking more decisive actions to reduce their cyber risk.

That trend was reflected in the third annual IHS Markit/BIMCO Maritime Cyber Security Survey, supported by class society ABS. In a poll of more than 350 individuals (the majority of whom were ship managers, shipowners, seafarers, and maritime service providers), the share responding that they or their company had been the victim of a cyber attack within the last 12 months fell to 22%, compared with 34% in last year’s survey.

Likewise, those responding ‘no’ as to whether they were attacked increased from 49% last year to 78% this year.

It is difficult to know precisely why reports of attacks have declined, but a bolstering of cyber defences could be a contributing factor. Last year, 37% of survey respondents stated that their company had an IT security policy in place, whereas more than half of respondents (58%) confirmed in the latest survey that cyber-security guidelines had been incorporated into their company or their fleet.

Shipowners and operators are also stepping up when it comes to investing in cyber defence, with 70% responding that they have allocated up to USD50,000 on cyber security annually and 30% allocating more than USD50,000 per year.

What has not seemed to change is the way that cyber attacks are most commonly carried out. According to those affected, phishing, spear phishing, and malware continue to rank highest. One change is that theft of credentials climbed the list from just a 2% response rate in 2017 to 28% this year, moving ahead of ransomware, at 23%.

For those attacked, the most prevalent detection time (35%) was between 7 and 24 hours, with 44% detecting the breach in less time, and 21% detecting it anywhere from days to months later.

Service disruption and downtime, along with financial loss and reputational damage, were the top responses when those surveyed were asked about the consequences of attacks, with related costs ranging from less than USD5,000 (69%) to between USD100,000 and USD1 million (14%). One respondent revealed that the attack cost their company USD1–10 million.

The implications of those effects and their related costs may not yet be widespread enough for shipowners to improve their response after an event has occurred, at least as reflected in the survey. Those responding ‘yes’ when asked if they had a business-continuity plan in the event of a cyber incident decreased from 73% in 2017 to 56% this year, with those answering ‘no’ to the same question increasing from 9% to 31%.

Despite the increased attention being paid to cyber security in the maritime sector, the size and scope of the threats are still largely unknown, due in part to shipowners’ reluctance to share their experiences, according to Phil Tinsley, head of maritime security for BIMCO, who spoke on the issue during London International Shipping Week last year.

In addition, while many consider blockchain an effective protection against unauthorised data corruption and related cyber threats, a recent survey by law firm Reed Smith found that shipowners and operators are more preoccupied with tackling environmental compliance – such as the International Maritime Organization’s (IMO’s) 2020 sulphur cap and ballast-water treatment regulations – than pursuing investments in cyber defence.

The IMO is attempting to raise the bar on cyber security as well, while shipowner groups work to help their members elevate their game.

“We’re coming at this issue from the standpoint that trade associations most typically approach, which is making sure we have consistent and workable regulatory guidance to help solve the problem and one that helps companies to comply with the requirements,” John Butler, president and chief executive officer of container-shipping group World Shipping Council (WSC), told IHS Markit.

“In addition to the technical and operational problems that the lines face due to the threat from cyber attacks, we want to make sure operators are not also faced with inconsistent regulations,” he added.

Last year the IMO approved a resolution asserting that vessel safety management systems (SMS) should take cyber-risk management into account in accordance with the requirements of the International Safety Management Code.

The resolution encourages IMO member states to ensure cyber risks are addressed in SMS no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

WSC vice-president Lars Kjaer, who works with the European community on supply-chain security, noted that WSC and other industry associations are working on a third revision of the cyber-security guidelines currently in place to help shipowners address cyber risk in their SMS. The revision, which is scheduled to be published by the end of the year, will likely include specific case studies of actual events to help shipowners relate to the problem.

“For example, one cyber incident caused a vessel’s navigation system, as well as its backup system, to shut down while en route, which required the vessel to have to be towed back to its departure port,” Kjaer told IHS Markit.

“The replacement cost for those systems was several hundred thousand dollars. That’s not cheap, and those are the kinds of incidents that may happen if there’s not a strong cyber-risk management system in place.”

Join IHS Markit’s webcast discussing the full results of this year’s cyber-security survey on 11 October at 2.30pm BST.