DNV has released the 2023 edition of the Marine Cyber Priority report, which examines the maritime industry’s cyber risk challenges as well as measures for resilience.
According to the report, less than half (40%) of maritime professionals think their organization is investing enough in cyber security at a time when vessels and other critical infrastructure are becoming increasingly networked and connected to IT systems.
Three quarters of maritime professionals believe a cyber incident is likely to force the closure of a strategic waterway (76%). More than half expect cyber-attacks to cause ship collisions (60%), groundings (68%), and even physical injury or death (56%). An overwhelming majority (79%) of professionals say the industry considers cyber security risks to be as important as health and safety risks.
With ship systems being increasingly interconnected with the outside world, cyber-attacks on OT are likely to have a bigger impact in the future.
… said Svante Einarsson, Head of Maritime Cyber Security Advisory at DNV
Five key challenges facing the sector as stated in the report:
#1 Insufficient funding
Despite the threat of cyber-attack in today’s maritime sector, and the many factors potentially driving investment, industry professionals say their biggest cyber-related challenge is insufficient funding.
#2 Effectiveness of regulation
If businesses are to regard cyber regulation as the baseline for cyber security, it is concerning that many in today’s sector appear to be struggling to comply with the existing rules. One way that regulation can help maritime businesses strengthen their security postures is by reframing cyber security risks as safety risks, in recognition that cyber-attacks on OT systems can cause harm to life, property and the environment.
Regulation only sets a baseline for cyber security. It doesn’t guarantee security. Rather than taking it as our goal, the maritime industry should use it as a foundation, on which to further improve and adapt to the changing threat landscape.
… said Svante Einarsson, Head of Maritime Cyber Security Advisory, DNV
#3 Supply chain vulnerabilities
Achieving a more cyber-secure supply chain is far from easy. For this to happen, operators need to thoroughly audit their vendors’ cybersecurity requirements during procurement, installation and operation of equipment, systems, and software.
At the same time, suppliers must ensure they have the right measures in place to defend products and systems and should conform to industry standards and practices.
We need a more in-depth risk assessment at each stage of that shift, to ensure we consider the impact on cyber security.
… warns UK Chamber of Shipping’s Peter Aylott
#4 Lack of information sharing
According to the survey, barely 3 in 10 (31%) maritime professionals believe that organizations within their sector are effective at sharing information and lessons learned about cyber security risks, threats and incidents.
Such reluctance to share information may be counter-productive at a time when businesses will benefit significantly from hearing first-hand about the challenges faced by their peers and the methods they are adopting as a result.
#5 Workforce vulnerabilities
Workforce challenges are not limited to finding the right experts. Another people-related issue is employees inadvertently enabling cyber-attacks through carelessness, which points to an underlying problem with the training being made available to staff. Better and more consistent training will play an important role in establishing a more risk-aware workforce and cyber-secure culture.
New technologies such as AI may help organizations improve their security posture by reducing the workload of an already stretched workforce and giving teams greater visibility of vulnerabilities, threats, and attacks. Companies are, for example, using ChatGPT to help coders identify and fix loopholes before they use software or release it into the supply chain.
Key recommendations according to DNV:
- Consider cyber security as an enabler
- Treat cyber risks like safety risks in an operational setting
- Champion insight-sharing across the industry
- Reframe regulation as the baseline to improve cyber security posture
- Rethink how to manage supply chain vulnerabilities
- Resource a strategy for more effective training
- Maintain an ‘analogue fallback option’ amid the shift to connected systems.
As we pursue greener, safer, and more efficient global shipping, the digital transformation of the industry is deeply dependent on securing these inter-connected assets.
… said Knut Ørbeck-Nilssen, CEO Maritime at DNV