Hill Dickinson law firm’s head of global shipping Julian Clark explains that, even though awareness of cyber security has increased ‘significantly’ due to the Maersk cyber attack, far more needs to be done
There is no doubt that cyber risk is increasing in every sector of industry. The maritime sector is particularly vulnerable, both because of the high number of access points for a cyber attack and because of the huge potential damage that could result. The attack on Danish shipping giant Maersk last year has resulted in an estimated cost to the company in excess of US$300-400M, but even that significant amount of money pales into insignificance when compared to the potential danger and damage to life and the environment as a result of a cyber attack on a trading vessel.
Ironically, the NotPetya attack on Maersk has done a tremendous favour to the maritime industry. If a company as well organised and sophisticated as Maersk can face such a significant attack, then no-one is safe.
It is in fact a considerable credit to the organisation of that company that its managers were able to deal with the attack so efficiently and ensure that it did not compromise their fleet. Having said that, the financial loss and disruption caused was still significant. I believe that the Maersk attack has significantly raised awareness within the sector: for some time there has been a great deal of underreporting, which has lulled people into a false sense of security.
But while awareness has increased dramatically over the past 18 months, far more still needs to be done. Leading insurance providers have commented that the current levels of cover need to be increased tenfold. While the world’s leading maritime organisations and insurance providers are all now providing cyber guidance, there must not be a reduction in the steps taken to make all involved in the marine arena aware of the considerable risk.
Shipping companies and all those involved in the sector must remain vigilant to ensure they have as much information as possible about the risks they face. This is particularly the case for cyber risk since the game changes not only every day but often every hour as new systems are developed by hackers and others (including criminals and those who simply see cyber crime as a live video game) to disrupt systems.
One of the greatest dangers faced by the shipping industry is the huge range of potential access points for a cyber attack. An attack could come through crew members, passengers or other third parties who are allowed access to vessels and who could infect systems, either intentionally or innocently, via their own flash drives, laptops and even mobile phones.
Externally, systems are exposed to infiltration not only by sophisticated hackers but also by relatively low-skilled individuals, who can often infiltrate systems with equipment that is easily obtained for very low sums of money.
Smart containers, ballast water management systems, engine monitoring systems, AIS and ECDIS and any system that links back to shore are potentially vulnerable to attack.
There are a number of security protocols that can be introduced to ensure that ship communication to shore is through a secure and independent system that can be isolated immediately should it become apparent that a company is under attack.
Companies are certainly doing far more to protect against infiltration, but there is still some hesitance to move this risk from the IT department to boardroom level. It is only those companies that do address cyber risk at the highest level of management that will be able to put in place the forms of security that will adequately protect their businesses.