Is the industry responding fast enough to cyber risk ?

Cynthia Hudson
CEO, Hudson Analytix/ Hudson Marine Management Services
John M. Jorgensen
CISSP-ISSAP, Chief Scientist, ABS CyberSafety®
No. While industry waits, cyber threat builds. Owners/managers 1) await regulations, 2) seek a single ‘global’ solution, 3) have no cybersecurity budget allocated, and 4) remain unconvinced about their exposure to cyber risk.  Many focus on vessel cyber risk before assessing enterprise-wide cyber security posture; begin instead with understanding, assessment, and then implementation of the cyber security program for the organization and vessels. Cyber ‘maturity’ must be measured to be managed therefore key elements must include benchmarking and continuous improvement.  Cargo owners/charterers will require the cybersecurity stance of chartered vessels. The Owner’s BOD, insurers, and financial interests need assurance that company assets are protected.  The good news; initiating an effective enterprise-wise cyber security program for a reasonable price, is possible—now. No. In light of daily press accounts of cyberattacks by all sorts of players, it is prudent to secure cyber-enabled and safety-related systems and the functions (or assets) they serve.   When we automate processes, owners and integrators must understand (and document) the systems they install and use, ensuring they know how these systems can or do affect human, system and ship safety.  They need to know the connections these systems have, and who, in crew or not crew, can ‘touch’ the systems, their data and their functions.  Cybersecurity is not magic, but it is good operations and engineering practices that can enable good business.

Colin Gillespie
Deputy Director of Loss Prevention, The North of England P&I Club

Tero Hottinen
Director, Emerging Digital Business, Cargotec Corporation
Yes. Change is often said to happen in 3 stages sometimes called the 3 A’s - Awareness, Acceptance and Action. During 2015, 2016 and early 2017 Awareness of cyber risks was growing in shipping which had previously had low Awareness of the problem. The notpetya malware attack which affected Maersk along with the growing number of lesser incidents affecting shipping businesses - we’ll all have experienced or know of some incident - led to an almost universal Awareness and Acceptance that Action is required. The industry has quite quickly gone from Awareness through Acceptance to the Action phase.  Of course things are not perfect but we cannot reasonably expect that a complex change process such as this can happen in such a large, diverse and globalised industry overnight. What is reasonable is to expect owners and their supporting services to be working towards having appropriate cyber risk management practices in place. In my experience the majority of companies are either already acting or are considering their options before acting. I am confident that the industry can meet this latest challenge over the next couple of years. No. In the recent years, industries have encountered cases where the focus of cyberattacks has been more towards generating damage to assets or operations instead of focusing on financially or personally sensitive data. Maritime makes no difference here like we have seen especially during the last year. Publicly reported incidents have created serious discussion and efforts to plug the cybersecurity holes, but are we fast enough in responding to the risk? Legacy operations and virtually non-existing digital expertise in some places will open up significant threat in case someone really wants to make a massive blast. Yes, we are heading towards more autonomous solutions, but the development is not necessarily going with the first things first – #1 being the safety.

Panos G. Moraitis
CEO, Aspida
Jostein Jensen
VP Cyber Security and Data Management, Kongsberg Digital
Yes. At Aspida, we notice a vast difference of the market’s understanding of cyber risk today compared to 3 years ago. We consider our industry mature to tackle new risks, cyber included, and overall its reaction time is faster outweighing the increased risk due to its digitalization. The catalyst was Maersk. Stakeholders realized that cyber risk is tangible with a real effect on operations and their bottom line. The incident brought increased awareness. Frameworks, guidelines and maritime cybersecurity expertise to help owners and operators manage risk are available while new regulations are incoming. However whilst the industry is responding fast, there are skeptics believing that cyber risk is fictitious, while others believe that cybersecurity is a paperwork exercise. Reality will prove them both wrong. No. The maritime industry is becoming more connected, but it is not prepared for the consequences of this interconnectedness. As more and more vessels are connecting to the internet through modern communication equipment, many reap enormous benefits from accessing and cross-analyzing data from onboard sensors and automation systems (industrial IT solutions) through centralized and cloud-borne applications. This is of great value to the industry, but it comes at a price: vulnerability to most modern cyber threats. Imagine the consequences if adversaries manipulated the propulsion system on a vessel remotely. Although we have seen a shift in awareness and mindsets when it comes to cybersecurity, maritime technology and processes still need to be adapted to the new connected situation.

Themistoklis Sardis
IT Manager, Costamare Shipping Company S.A.
Tore Morten Olsen
President Maritime, Marlink
No. In my view, with the exception of few major players the industry, the answer is plainly no. To be fair, shipping was until recently not considered a high risk target for cyber and thus the security measures and policies were analogously loose. The wakeup call the NotPetya incident on Maersk, which proved that we as an industry are not outside the radar and that we need to put more efforts in preparing more effective policies and measures for our office and fleet protection. Thankfully, there is plenty of material and resources to turn for assistance, including the BIMCO Guidelines, the AMMITEC Awareness Guidelines, etc. There is now no excuse to kick the can down the road. Let’s get Cyber Secure. No. The cyber incident currently most feared by shipping operators is ransomware infection. While we agree that the financial loss and disruption caused can be substantial, we point out that this threat is, nonetheless, easy to detect. Ransomware is sent out indiscriminately, designed to encrypt all files on a computer and display an obvious message to the user. A targeted cyber-attack however is designed to infiltrate one specific company’s IT systems and stay undetected while performing its mission (extract or modify information, control systems …). Such infiltration can only be detected through Deep Packet Inspection and 24/7 cyber expert monitoring. We believe the maritime industry has not yet understood this risk and has been slow in rolling out advanced cyber solutions.
Stratos Margaritis
Solutions Architect, Navarino
Yes. I would say that judging by the amount of interest in Navarino’s cyber security solutions, the maritime industry is certainly taking cyber risk seriously. With the higher bandwidths available today, vessels are able to implement ever more complex IT infrastructures and from what I see, the level of cyber security being built into that IT environment usually grows in line with that infrastructure. I do also see growing demand for fully managed cyber security solutions, where shipping companies can feel reassured that their vessels are monitored 24/7 by real people who can quickly react to any cyber attack.