As digitalization advances and data becomes integral to smooth operations, the maritime industry is increasingly adopting initiatives that support this transition. However, this progress comes with its own costs, as cyber security can often be compromised, leading to a range of problems.
The cost of cyber attacks
In its latest Risk Watch publication, Britannia P&I Club explains that the cost of cyber attacks worldwide is startling, with global costs from cyber crime predicted to exceed USD 10 trillion by 2025. Although shipping remains a small part of this total, cyber attacks in the maritime industry are becoming increasingly costly. Recent data shows that a cyber attack now costs the targeted organisation an average of USD 550,000.
This is not a new threat. The International Maritime Organization (IMO) recognised this and in January 2021 mandated the integration of cyber risk management into a company’s Safety Management System (SMS). This need for cyber risk management was further clarified by the ‘Guidelines on Maritime Cyber Risk Management’, with the latest version published by the IMO in June 2022.
According to DNV’s Maritime Cyber Priority 2023, achieving a more cyber-secure supply chain is far from easy. For this to happen, operators need to thoroughly audit their vendors’ cybersecurity requirements during procurement, installation and operation of equipment, systems, and software. Despite the threat of cyber-attack in today’s maritime sector, and the many factors potentially driving investment, industry professionals say their biggest cyber-related challenge is insufficient funding.
Furthermore, while significant strides have been made since the industry’s digitalization journey began in 2016, challenges like disparate systems, lack of data standards, and ensuring data quality and integrity persist, said Sanjeev Namath, Chief Business Officer, Alpha Ori Technologies Pte Ltd, during the 2023 SAFETY4SEA Singapore Forum.
Information technology and operational technology
The use of computerized systems on board ships can be divided into two main functions: Information Technology (IT) and Operational Technology (OT), as explained by Britannia. IT encompasses typical office functions, such as email communication and data reporting/sharing used by companies. Due to its longer history of connectivity with external sources, IT has more established cyber security safeguards, and personnel are generally more aware of the associated risks.
In contrast, OT controls many critical ship systems, including main engine control and dynamic positioning. This equipment was traditionally considered safer due to its lack of external connectivity. However, this is rapidly changing, making it a potential entry point for malicious activity. As the understanding of the threat and the potential for safety, environmental, and economic damage has improved, the need for clear defensive actions has grown, according to Britannia.
Given the frequent innovation and adaptation of cyber threats, there are no definitive procedures that can ensure complete security. Therefore, Britannia emphasizes the necessity for those in the shipping industry to develop cyber resilience.
International Association of Classification Societies (IACS) Unified Requirements
The IACS has produced two Unified Requirements (UR) that will be implemented on all ships contracted for construction on or after 1 July 2024. While mandatory for new ships, the content of these URs provides useful information and guidance for protecting ships currently in service. UR E26 Rev1 provides requirements for a ship to be considered cyber resilient. Among other information, it details the functional aspects that must be addressed for adequate cyber security. The five functional elements, and some considerations, as explained by Britannia, include:
- Identify: This involves identifying the vulnerabilities in the ship’s systems. It means having detailed inventories of all computer equipment, operating systems, software, etc. Clear plans should show the location of all equipment, including any interconnections between systems. A robust management of change procedure should be established to keep systems up to date, whilst preventing any disruption.
- Protect: Establish fixed boundaries between critical networks to allow zero or minimal permitted traffic between these individual ‘zones’. Access to networks must be limited to authorised personnel only. User accounts should be established using the ‘least privilege’ principle and should be deactivated once they are no longer required. Where possible, protective software should be installed to monitor and prevent unwanted interaction. Remote access must be capable of being controlled from the ship, with any failed attempts to remotely access the ship’s networks automatically logged.
- Detect: Continuous monitoring should take place for suspicious activity, such as excessive data traffic or attempted connections to networks. An alarm should be generated upon detecting suspicious activity, noting that the alarm should not result in any disruption to essential functions.
- Respond: A response plan should be prepared, detailing the actions required to minimise the impact of any incident and limit the damage caused. The plan should be available in hard copy and should specify the information required by onboard staff, such as reporting, response options, and the major consequences from loss of system functions. Systems should automatically revert to a safe condition if a cyber incident is detected.
- Recover: A recovery plan should be available, with clear instructions on how to return the affected systems to their full operational state, whilst minimising disruption. The plan should list the personnel responsible for certain actions, including how to request specialised external support. Systems should have a facility to revert to an earlier, uncorrupted state, following a controlled shutdown.

For all the above, any inventories, procedures, drawings, and plans should be kept up to date for the entire life of the ship.
Fraud
Another risk that arises from the advancement of digitalization is fraud. For instance, ICC Commercial Crime Services (CCS) reports that in January this year, news reports emerged that a multinational company in Hong Kong had lost US$25.6 million after employees were tricked by a deepfake video business meeting in which the company’s chief financial officer instructed employees to transfer the money to five different bank accounts.
In a recent report, Deloitte’s Center for Financial Services warned that generative AI is expected to magnify the risk of deepfakes and other fraud in banking. It predicted that generative AI could enable fraud losses to reach US$40 billion in the United States by 2027, from US$12.3 billion in 2023, a compound annual growth rate of 32%, according to ICC.
“Fake content has never been easier to create – or harder to catch. Generative AI offers seemingly endless potential to magnify both the nature and the scope of fraud against financial institutions and their customers; it’s limited only by a criminal’s imagination…” the report said.
It has now become more difficult to spot potential frauds and tell the difference between what is real and what isn’t, as fraudsters use generative AI to create convincing phishing and spear phishing emails. For instance, the US Coast Guard, in conjunction with the maritime community and the UK Department for Transportation, has been made aware of several phishing attempts by nefarious actors impersonating Coast Guard port state control (PSC) authorities.
Thus, the Coast Guard strongly encouraged vessel operators to provide regular phishing and cybersecurity awareness training to all employees so that they can identify and report suspicious correspondence. Additionally, the Coast Guard encouraged all international partners to pass on information relating to suspicious behavior observed in the Marine Transportation System to their respective regulatory organizations.