Four of the major container shipping lines, and even the International Maritime Organization, have been subject to serious cyberattacks. It may be tempting to dismiss this as a shore-based problem and not something for the waterborne aspect of shipping to be concerned about, but the reality is quite the opposite, writes Socrates Theodossiou, Tototheo Maritime co-Chief Executive, who argues that cyber security is more than a certificate: it is an ongoing technological and human process across all of society.
Ships are increasingly connected to shore-based services, through satellite or terrestrial links, which makes them just as vulnerable to attack as any shore-based business service. This connectivity is a benefit that outweighs the risks, but only when the risks are seen with clear insight and understanding.
Big and small
The International Maritime Organization, the United Nations agency that regulates shipping and at the same time is increasingly involved in collaboration to evolve sustainability, is the latest high-profile target.
Container lines have been hit by malware attacks, with one also admitting it may have had a data breach. This could of course have huge implications for its customers. The threats are serious, and they are costly, especially if they result in a loss of customer confidence.
All companies need to understand their risks, not only to themselves but to other organisations as well, and these attacks are wake-up call after wake-up call. There are other examples, free to find on the web, where ethical hackers have demonstrated weaknesses in ship systems, connectivity and processes.
This is why companies need to do more than acquire certification and notations: they need to make sure cyber security remains high on their agenda, and on that of their partners and suppliers. Even small businesses could be easily targeted, as well as individuals. Passwords stored in computers can also become problematic, and reports this year have shown just how much personal data can be found on the Dark Web once data has been stolen and sold on to others for illegal use. While land-based security concerns are focused on malware attacks and data thefts, there are also issues relating to software glitches and, when it comes to ships, system control.
Secure shipping
In today’s sophisticated trade connectivity we see vessels, and vessel data, becoming increasingly accessible not only by the ship manager, but by cargo owners and charterers wishing to have greater transparency of goods and services, and of course by crew and office seeking greater connectivity and communication. We have heard a lot in the last few years about the ship being an extension of the shipowner’s, ship manager’s and even charterer’s office.
Whether it is because shipping needs to increase efficiency, improve crew welfare or meet customer expectations, it has seen extremely fast-paced digital transformation. Unmanned drones are in service on our seas and oceans, while ships’ crews, and even visitors with business onboard, want to be able to use their own devices on a ship (bring your own onboard), adding to the challenges when expedience and comfort meet safety.
All of this needs the right kind of security and resilience tools, something that gives the nimble working conditions expected but with the strength of solid security needed – not always something picked off the shelf but something bespoke.
Beyond certification
Today shipowners are being offered cyber security and autonomous service notations by class societies and other bodies. Of course, from a class and even insurance perspective this is a step in the right direction. It is a way to ensure that a vessel is, from the outset, equipped with the right tools. But cyber vigilance goes much further than a certificate. Following its recent attack, the IMO said it had been attacked despite having certification for its information security management system. Certification did not stop the attack from being successful.
Cyber security is a digital arms race, not a technology one-stop, and that is what we have to bear in mind when we look at how all of our services and operations evolve. It needs to stay up to date and requires compliance.
We should not underestimate the need to have procedural compliance beyond certification. This is achieved when staff buy into the reasons why cyber security is important.
Partnerships
There is no one shipping industry. Rather, it is where a range of industries meet, based around ocean transportation services. Shipping involves legal firms, insurance firms, transport companies, technology companies and human resources that span sectors other than shipping. This creates additional security complexity and risks when it comes to the safety and security of ships, which are the biggest regularly constructed complex mobile assets.
The digital technology industry around shipping has now evolved to meet those challenges, and this is highlighted by the increased levels of collaboration and partnership one can find. Ship managers, ship owners and technology companies are all working closely with businesses such as Tototheo Maritime to achieve the goal of having iterative, proactive and responsive systems.
As a leading digital technology company in shipping, Tototheo Maritime has been working with partners and customers as they take these journeys. It has meant a huge transformation for our company as well, as the range of tools, services and partnerships has evolved, as have the levels of competence in the business. The company’s latest move towards cyber security solutions and consultancy is a case in point.
Digitalisation is a process, and so is cyber security awareness – companies need to be aware of their digital presence and of where any digital doors that need to be overseen are.
There are some key, straightforward steps we all need to keep on taking. We all need to carry out periodic risk assessments, make sure we have done the gap analysis and assess what may need to change and what needs to be made more secure. We need to look at the market and see what the experts are reporting about the hackers. Cyber security experts are like our scouts behind enemy lines, able to report to us what the latest tactics are.
The people question
It may be that a ship manager has signed a new contract with a sub-supplier which includes automated data exchanges. How will this impact other ship-to-shore arrangements? Who has access to the data as it goes from one point to another? How is that data accessed by the supplier and even other companies? And how will this relationship evolve?
Increased digitalisation of a company’s business increases the points of contact with external organisations. To ensure this expansion and increased technology use is secure, companies are realising that it is not enough to buy cyber security software to check for viruses and malware.
Each company is different – each has different technologies, different connectivity and points of access and different relationships with clients and partners. Training has to be granular and bespoke. It cannot be a one-off training either.
Technology v technology
While crew and personnel awareness is critical, good software tools are also a vital part of the cyber security arsenal. As ship managers and other businesses increase their use of IoT tools and remote data access, it is incumbent on the industry to make sure the security tools can detect breaches and other problems remotely and automatically. IoT systems need IoT-compatible security, as hackers are using the latest digital tools to try to penetrate businesses. Therefore, shipping companies have to be proactive and forward-thinking, and try to be one step ahead.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
Socrates Theodossiou is Co-CEO at Tototheo Maritime. Tototheo Maritime specializes in maritime technologies and services with the goal of optimizing vessel and fleet performance. Its services include innovative, efficient and functional solutions in the fields of satellite communication, navigation systems and digitalization services starting from pre-sales consultancy all through onboard installation and maintenance and after sales support. Headquarters are in Cyprus with branch offices in Greece, Dubai and Singapore.