Like many industries, the maritime sector is undergoing significant technological transformation aimed at boosting productivity and efficiency. This sadly offers more opportunities for cyber-threat actors to strike, which could have particularly devastating consequences given the critical role of shipping in global supply chains. Estimates show that maritime shipping represents a foundational pillar of international trade, with 90% of traded goods carried by sea at an annual value of US$14tn. Indeed, the Suez Canal obstruction last year provided a perfect illustration of the world’s dependency on maritime trade and its fragility.
Therefore, boosting cybersecurity in this industry is crucial. Infosecurity recently caught up with Professor Kevin Jones, lead of the University of Plymouth’s Maritime Cyber Threats Research Group, to find out more about the specific cyber-threats facing the maritime sector and how these can be mitigated.
What are the main cyber-risks facing the maritime industry, and how have these evolved over recent years?
For the maritime sector, the risk profile splits into two segments: the technical and the socio-technical (people). When we do a risk analysis using sector-specific tools like MaCRA, we find that things vary significantly depending on where in the sector you sit. Modern vessels tend to be far more equipment-dependent and are more likely to have modern equipment; older vessels have fewer technical dependencies, but they also tend to have equipment that was not designed with security in mind.
The risk also changes hugely depending on what you are carrying (changing the level of interest for more sophisticated actors) and where you are (changing the people involved). In recent years, the main evolution of the threats has been less technical and more economic; bad actors have worked out ways of monetizing the existing vulnerabilities in the sector and, so, developing more targeted attacks.
Is the maritime sector particularly vulnerable to cyber-attacks compared to other transport sectors like automotive and aerospace? If so, why?
It is vulnerable in specific ways. The sector is slower to respond than other sectors due to the variety of vessels in the commercial fleet and the design cycle of the industry. Large-scale commercial operators are running with hulls that are decades old and retrofitted with various kinds of technology when regulatory mandates have made that necessary. There is also a long-standing attitude in the sector of “my ship is an island,” leading to lower awareness of cyber vulnerabilities. Unlike the airline industry, there are also a lot of personnel who are lower paid and less skilled.
What are the potential implications of a cyber-incident in the maritime sector? What are key examples of this to date?
Well, it’s a trillion-dollar industry, and we’ve seen through a recent incident that it’s easy to see costs of $10bn a day when something disrupts the maritime supply chain. To date, the worst case, the Ever Given, was accidental, but it’s the kind of thing that could be caused by a cyber-attack. Each of the four major shipping lines has been the target of a specific cyber-attack in the last few years, with a large-scale ransomware model seeming to be the new weapon of choice.
You and your colleagues worked alongside the Bank of England to create the first maritime cyber incident exercise featured in the 2022 General Insurance Test. Could you give an overview of this exercise?
One of the things we have been doing over the last couple of years is to develop sector-realistic scenarios, illustrating potential outcomes of various cyber-attacks. They range from minor inconveniences (e.g., a blank chart display) to catastrophic (e.g., closing the Suez Canal) and making sure that all are realistic both from a technical and operational perspective. For the Bank of England, we designed a scenario that involved a cyber-attack taking control of the throttle and rudder of a large container carrier and grounding the ship, with the knock-on consequences to both the individual cargo and the rest of the ecosystem. We developed an appropriate risk model for this attack and the subsequent consequences.
What kinds of cybersecurity practices and technologies are particularly vital for organizations in this industry to adopt in the coming years?
I’d emphasize two things: appropriate sector-specific cyber risk assessment – e.g., the kind of assessment we do with MaCRA taking into account the dynamic factors and IT and OT, preferably making this kind of approach standard to bridge the current IT-centric gaps the industry is exposed to; sector-specific cyber awareness training, ideally with appropriate and sector-realistic scenarios so the industry, from the board to the officer of the watch, is aware of, can recognize, can respond to and can develop appropriate mitigations to the kind of attacks that they will experience. After these are embedded, attention should switch to next-generation equipment developed with security from the beginning, but we have to recognize in this industry that it will take decades, even with regulatory push, to move it forward.