When the shipping industry caught wind of the Maersk cyber-attack on 27 June, we all responded with shock and fear. How could the largest transport and logistics company in the world be affected? What does that mean for operators, crews, and shipowners? Are we all under cyber threat?
“If it can happen to them, it can happen to anyone”, Commissioner William P. Doyle of the US Federal Maritime Commission summarised the industry’s fears correctly.
The ongoing debate on whether shipping needs to evolve technologically often meets obstacles like issues with financing, a lack of understanding, and now a general fear of hacking.
Recently, reports of several nations developing a back-up navigation system, eLoran, have hit the headlines – a response to the increasing likelihood of cyber-attacks, surely. But even though eLoran (enhanced Long Range Navigation), which uses radio signals, is believed to be more secure than GPS against hackers’ disruptions, this move does not guarantee essential cyber defence for ships or businesses.
Cyber awareness – expecting cyber attacks
Arguably, the world of shipping is now more informed about cyber security, something that experts in maritime security have been trying to publicise widely. Therefore, it was no surprise to them that a serious cyber-attack happened.
“It was only a matter of time”, Commissioner Doyle said.
Phil Tinsley, Manager of Maritime Security at BIMCO, echoed Commissioner Doyle’s statement and added: “Although the Maersk attack did not directly affect any ships’ systems, it was a timely warning that attention should be paid to cyber safety.”
Norma Krayem, Senior Policy Advisor & Co-Chair of the Cybersecurity and Privacy Team of Holland & Knight, was glad that the incident did not involve injuries or fatalities.
"While the maritime sector has certainly been aware of the cyber risk, in many entities, there are still too many stovepipes between IT and security. The sector is well versed in awareness of physical risk, and even modern-day pirates. However, some have been slower to embrace the systemic nature of cyber risk from an actual operational perspective", she said.
“All major global companies should be anticipating and preparing to deal with such events”, Andre Simha, Global Chief Information Officer of MSC Mediterranean Shipping Company, suggested. “Unfortunately, a variety of different cyber-attackers are working hard to disrupt businesses and governments and we all have to be smart in the way we manage this risk.”
“Attacks have been happening in other industries for many years, why should shipping be any different?”, asked Jordan Wylie, Campaign Director of Be Cyber Aware at Sea.
“As the number of internet connected devices grows, the attack surface and number of devices that can be leveraged to launch attacks continues to expand too. When you combine this with easy access to offensive cyber capabilities, such as ransomware or DDoS, it has allowed cyber criminals to have an impact disproportionate to their technical know-how and skill level. There is a big silver lining from the recent incident that affected Maersk though: if you didn't think that the cyber risk was real then you certainly should do now! Fortune will always favour the aware and prepared where cyber risk management is concerned.”
Echoing Wylie’s views on the increasing opportunities hackers have to launch cyber-attacks, Gareth Williams, a Partner at Holman Fenwick Willan (HFW) stated:
“Vulnerabilities arise from a number of fairly obvious things. Firstly, systems are inter-connected, not just within one organisation but also to the networks of external vendors and service providers. Organisations have no control over the cyber security of those third parties. Secondly, the criminals are always one step ahead. It is almost impossible to have watertight protections. The most you can do is live up to the state of the art, but even that is often insufficient.”
Technology and the cyber risks involved
To add fuel to the fire of fear, CEO of Maersk Group Soren Skou told the Financial Times: “Until you have experienced something like this – people call them ‘black swan’ events – you don’t realise just what can happen, just how serious it can be.”
Describing the events as a “warning and a wake-up call for everyone in the maritime transportation and logistics chain”, Commissioner Doyle urged further technological developments in the industry.
Simha agreed that “shipping lines have to keep evolving technologically in order to deliver a strong service to customers”.
“Constant growth requires constant striving for better and more efficient ways to do things”, Williams said. “Connectivity provides that and reliance on networks is not going to slam into reverse. This kind of event usually acts as a spur to do better on the security front.”
Williams expects the inter-connectivity of multiple systems to magnify and increase the demand for cover for business interruptions resulting from a cyber-attack, too.
Krayem agreed that "the industry should always seek to evolve technologically" and that "companies should focus on the use of and reliance on technology to the point where it actually almost runs the business by itself, then make sure they have plans to address what an attack can do to a system".
She added: "We talk about physical emergency plans and mutual aid, but we need to be talking about cybersecurity emergency plans, too, combined with physical plans and mutual aid."
“Technology will continue to advance due to the cost and time saving measures it will offer”, Tinsley predicted.
“The industry is evolving at a rapid rate”, Wylie observes. “Technology is advancing quicker than most of us can keep up with and that will only continue as time evolves. Technology and automation are allowing organisations to deliver goods quicker, whilst making significant cost savings and faster commercial transactions, as well as many other benefits that are welcomed by all stakeholders in the global marine sector.”
Suggested cyber safety procedures and management
Innovations and developments in technology are here to stay. Sharing Williams’ views, Simha didn’t think that a single event could override the developments; if anything, it encouraged those who underinvested to try to expand more. However, Tinsley noted that “it is important that safety procedures are developed concurrently”.
“Technology has a crucial role to play in managing the cyber risk, that is without a doubt”, Wylie said. “But it must be part of a wider approach to the risks posed by this emerging threat. Focusing on technology alone to address these issues is not enough and will be costly.”
Wylie saw effective cyber risk management lying with good governance, supporting processes, and training along with the right technology. But first, shipowners need to assess the risks to their organisation and understand the threats before deciding to invest in technologies.
He continued: “Cyber security has created a new gold rush for private companies looking to sell their technical products and services in the maritime sector when they do not necessarily understand the complexities of the marine operating environment or the systems it relies upon daily.”
But the correct technology is not enough to maintain a cyber secure environment.
"Cybersecurity needs to be fully embedded, embraced and addressed up-front in all operations", Krayem suggested. "Training needs to focus on the integration of, and nexus with, cybersecurity and physical risk. Internal stovepipes need to be broken down and a broader enterprise system embraced to address cybersecurity. Companies also need to understand the impact of cybersecurity on data integrity, IT and OT. Training needs to cover how cyber risk impacts each area of an operation."
“You should be constantly reviewing and testing the capabilities of your cyber security technology, because the threat changes constantly, and so too must the response”, Williams said. “The GDPR expects state of the art technical measures and all companies should aspire to adhering to best practice. But it is not just a matter of adopting the latest technologies. The attack in Maersk is believed to have owed its devastating effect to the fact that a vulnerability for which a patch was available had not been put in place. So sometimes it is as much a matter of doing the simple things as the bigger higher-level ones.”
Tinsley hoped that the Maersk incident did not discourage the industry from developing and encouraged “members to consider cyber security as they broaden their operations”.
“Today it is still humans that build, crew, manage and maintain vessels”, Wylie reminds us. “It is for this reason we must ensure they continue to advance alongside the introduced technology otherwise we will experience big problems when things start to go wrong in the future. Investing in your people now when it comes to technological skills and indeed cyber security risk management will provide long term benefits for your organisation, in what is becoming a very competitive (and risky) market space.”
The human element in cyber risks – crew training
In shipping, there is always a human element to consider, even with something so technical as cyber security. Crew training, therefore, is essential in implementing good cyber hygiene.
“We continually work to do our best to stay ahead of cyber threats, for example, through training courses”, Simha said. “But we are not complacent. The threats are changing all the time and cyber-attacks can happen anytime, anywhere. They can be targeted and purposeful, or completely random. Of course, we deploy technology to help protect our systems, but ultimately our people are our crucial line of defence.”
“We can have the best technical solutions, policies and procedures in the world but if people aren't trained properly and don't understand what the threat is, then all the above are not wise investments at all”, Wylie warned.
“Embrace security as part of the company culture”, Commissioner Doyle stated. “The first step in getting employees on board with cyber security is having a formal company internet policy tailored for the specific business.”
“Training needs to cover prevention, detection and cure”, Williams suggests. “Cyber risk awareness needs to be raised at all levels in the organisation:
- drilling into people the risks of opening suspicious email attachments,
- teaching how to determine what is suspicious, and
- how to recognise when there might have been a security breach.
“Then there needs to be discipline in backing up data in case of an attack which locks you out of your system, and a cyber drill to practice the regime which will kick in in the event of a lock out – what to do by way of back-up so you can keep going, and continue to service customer needs in as seamless a way as possible; and that means the steps you envisage to restore the system and the interim arrangements you put in place to function in the meantime. The trick is to assume that this can and may happen at any time and to be prepared when it does.”
“Training and awareness are key to recognising a security breach has occurred”, Tinsley stated. “Every employee or crew member should be able to recognise a breach has occurred, know who to report an incident to and how to reduce the impact by adopting known procedures. This training can be simple messaging such as posters, listening to webinars or watching videos, attending eLearning sessions or more formal instruction delivered by management or even third-party training providers.”
“Training and education has proven to be one of the most effective solutions to reducing risk where cyber threats are concerned”, Wylie told us. “The training needs to be relevant for the role, as we are not trying to teach all seafarers to be IT security experts, but we do want them to understand what good cyber hygiene looks like and the risks associated with getting it wrong.”
Handling the cyber attack
"These global cybersecurity attacks should be an immediate wake-up call to the sector to realize that cyber risks can impact operations, the financial bottom line, and even have potential impacts that could include injuries", Krayem listed the potential impacts of an incident.
“While MSC’s systems and business operations continued to work normally, we had to move fast to find alternative ways to continue to work safely with affected partners, and to keep our customers’ cargo moving. We also activated plans to divert certain vessels away from certain terminals”, Simha shared.
The Petya malware has left Maersk in deep waters, but their response to the attack gave the shipping world one of the highest standards in customer service.
Within days of the attack, Maersk launched a petition to the Federal Maritime Commission for a temporary exemption of service contract filings. The Petya virus severely disrupted Maersk’s information systems, including the system that stores their service contract data, preventing Maersk from contacting shippers and hindering everyday operational tasks.
Commissioner Doyle explained that by granting the petition, Maersk will not require customers to pay higher tariff rates for shipments tendered during the 20-day period, but rather, this action permits Maersk to apply service contract rates to such shipments that were agreed upon and filed after the date of cargo receipt without violating the Shipping Act.
“I commend Maersk for making the decision to waive demurrage and detention fees arguably accrued by customers during the period when a system outage caused by the Petya cyberattack impacted its ability to release cargo”, Commissioner Doyle stated. “It’s the right thing to do.”
Maersk’s priority was clearly the customer, even though their internal operations were badly disrupted, and their revenues were negatively impacted. However, it is also clear that Maersk’s risk management was exemplary, something the industry can learn from.
The experts above agree on this: cyber-attacks are something the industry can prepare for with risk assessments, basic training in cyber hygiene, and implemented technology. But cyber awareness starts with you learning about the potential hazards of getting it wrong and the benefits of getting it right.