Of course, the pandemic took most of the headlines for maritime developments in 2020. For some maritime sectors it was a horrible year, for others – especially the container shipping sector – it became a most unexpected profitable year.
But whereas commercial elements had been entirely unpredictable – and to a large degree also is for 2021 presently – the developments within the arena of maritime cyber security were not.
In January 2020 we published a blog post pointing out that this was an area in acute need of attention. As an example we explicitly wrote at the time:
“The 2017 attack should therefore have served as an acute wake-up call to rapidly intensify efforts throughout the maritime sector to improve cyber security. Now - 2½ years later – we do see some maritime organizations increase their efforts to bolster cyber defenses, but the broader view of the industry is still one of a low degree of cyber security. As an example, the CEO of a mid-sized international shipping company stated as late as October 2019 that cyber security for their vessels was in reality not an important issue. “
As we now stand a full year later, the assessment is to a large degree unchanged. Certainly 2020 has not been a year without some action by some maritime organizations, but the traction remains slow.
Also, as expected, 2020 was not without maritime and supply chain incidents. We have also covered these over the course of the year and some of the more notable examples of successful cyber attacks include:
· The world’s 2nd and 3rd largest container carriers MSC and CMA CGM who combined move some 45 million containers annually
· The worlds largest cruise line Carnival who (before the pandemic) serviced some 13 million passengers
· Toll Logistics who is Australia’s largest freight forwarder (they were even impacted twice)
· Iran’s port of Shaheed Rajaee handling around 70 million tons of cargo annually
· The International Maritime Organization itself was successfully impacted
These are the more well-known and public examples from 2020. The scale and scope of maritime impact in 2020 should not come as a surprise anymore. Presently there is no reason to believe that 2021 will be materially different.
We find, that this is a state of affairs which both can and should be changed.
2021 has seen the new IMO2021 regulation come into effect. It has become necessary to address cyber risks in the safety management systems on the vessels. This is incorporated into the ISM code and has to be addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021. This is a good starting point from a vessel perspective to effectively improve cyber security – provided the effort is directed at more than “mere” compliance.
In our experience, one of the most important aspects of lowering the cyber risk for shipping companies – both onshore and on the vessels – is to get a realistic assessment of the current state of affairs. The challenge for many maritime companies is that their IT and technical departments do not have the specific skills and training necessary to even detect their own security flaws. This is not meant to criticize the shipping lines’ IT departments – they tend to be very capable in terms of ensuring that IT delivers on the business requirements. However, the skill set – trick of the trade – that are employed by the offensive cyber attackers is not one that is often seen in such IT departments. This leads to a false sense of security.
The key conclusion is, that the cyber risks in shipping are as real and present as ever. The risk of having your full land-side operations brought to a standstill is genuine. The risk of having your ships rendered inoperative, or ineffective, is genuine.
Our experience at Improsec is, that if you have never had your systems properly tested against a cyber attack, you are unlikely to have good overview of your actual vulnerabilities.
However, our experience is also that many of the vulnerabilities can be improved if a proper plan is drawn up based on the actual vulnerabilities found, whereas a plan made only on the basis of assumptions is likely to miss the mark.
For further information about our Maritime security service, please visit: https://improsec.com/en/maritime-cyber-security-vessel-assessment