Many shipping executives refuse to acknowledge they are at risk from the growing tide of cyberattacks on the maritime sector by hostile actors, according to one leading lawyer.
As reported in FreightWaves, digitalization is now making it possible to operate entire fleets as a single business. This hugely increases the number of potential security weak links in supply chains as nation states and criminal gangs look for easy targets.
“The shipping industry is being increasingly targeted by a wide range of cyber criminals and terrorist groups as well as international governments, hacktivists and cyber have-a-goes,” said Julian Clark, global head of shipping at London-based law firm Hill Dickinson.
Yet, while some shipowners and managers are proactive on cyber defense and management of risk, “there are still far too many ‘cyber deniers’ in fairly senior positions within shipping organizations.”
Clark said these “cyber deniers” see issues such as the NotPetya attack on Maersk in 2017 “as a misplaced bullet or simply collateral damage.”
He added, “All my research, including that carried out with senior figures in both British and U.S. intelligence services, makes it quite clear that this is not the case.”
According to Clark, shipping will continue to digitize and boost connectivity to increase business efficiency and to help comply with environmental protection regulations and the demands of crew to have full internet access for family interaction and recreational use.
However, this is “multiplying the doorways through which a cyberattack can be launched,” he said.
“Further, as we move toward automation of vessels — and this does not have to be full automation with no crew members at all on board — there will be increased cyber risk and exposure for the maritime community.”
Speaking to FreightWaves on the sidelines of a seminar hosted by Hill Dickinson at London International Shipping Week on Sept. 10, he said ship operators had no excuse not to act.
“Three years ago, I described the situation as technology moving at the speed of a bullet with the regulatory and legal protection regimes riding a bicycle,” he said. “Thankfully through the efforts of the maritime community, growing awareness and guidance provided by institutions such as the IMO, BIMCO, Intertanko and the International Group of P&I Clubs, we do at least now have a clear road map detailing how to arrive at a cyber-safe destination.”
This is already paying dividends with legal firms and security companies reporting an uptake in requests to review the Safety Management Systems of international operators to ensure their cyber policies are up to date.
Just as critical as preventing an attack, added Clark, is ensuring recovery after an infection.
“As equally important as having a cyber-prevention regime in place is that a company faced by an almost inevitable cyberattack has the procedures in place in order to recover as quickly and efficiently as possible,” he said. “As with all things, often less is more, and an excellent guide is that provided by the U.S. National Security Agency in their ‘Top 10 Cyber Security Mitigation Strategies’ document, which simply lists the 10 top strategies which must be adopted all operating under an overall guidance mantra of Identify, Protect, Detect, Respond, Recover.”