Cyber-attacks – the new ‘pandemic’?

Cyber-attacks are increasing in frequency and severity. How can the industry get better prepared – and build the skills needed?

Cyber-attacks are spreading in the shadows and proving highly disruptive and expensive. 

Cyber is one of the fastest growing areas of crime across all industries, and shipping is not immune. Indeed, as a signal of how endemic the problem is, just days after French classification society Bureau Veritas announced a partnership with insurance consultancy BESSÉ to provide tailored solutions to help shipowners improve their cyber security, it admitted it, too, had come under attack.

In what is a case study for shippers to follow, as soon as its cybersecurity systems noticed the attack on 20 November, BV immediately activated its cybersecurity procedures, taking its servers and data offline as a preventive measure while investigations and corrective measures were implemented, while also alerting stakeholders to the issue in order to ensure transparency and maintain trust.

2021: The year things got serious

For the shipping industry, the incident was another warning shot over the bow that cyber needs to be taken seriously. Key infrastructure is regularly the target of these sophisticated criminal attacks. In May 2021, the cybercriminal gang DarkSide reportedly extorted nearly US$5 million from a pipeline operator after a cyber-attack on the Colonial Pipeline, which normally carries 2.5 million barrels per day on the US East Coast, forcing some states to declare an emergency as supplies of diesel, petrol and jet fuel tightened.  

In July 2021, South African port operator Transnet declared force majeure after a ransomware attack crippled its IT systems and disrupted container operations at a number of its ports, including Durban, Cape Town, and Port Elizabeth. 

The now infamous Evergreen incident in 2021, while not the result of a cyber-attack, highlighted just how much disruption can be caused when the world’s global maritime trade can’t function as normal. Classification societies and insurers are concerned: not only is the potential for loss enormous, but the mix of IT and Operational Technology (OT) networks in an industry yet to fully appreciate, never mind address, its vulnerability to attack, leaves it susceptible to hostile actors.

It’s what Ian Bramson, Global Head of Cybersecurity at ABS Consulting, calls “a new area with low maturity and high risk.” 

Discussing the Colonial Pipeline ransomware attack earlier this year, Bramson said it was just the tip of the iceberg. “These types of attacks are escalating and as seen with this incident, can have significant supply chain impacts,” he said, adding that traditional IT solutions do not work in the maritime OT environment, which requires specialised skills and experience.

Professor Kevin Jones, Executive Dean at the University of Plymouth and a specialist in maritime cybersecurity issues, agrees. “People are spending significant amounts of money in the wrong places,” he said. “A lot of the money and training goes into things that are from an IT perspective rather than an OT and maritime perspective.” 

He pointed out that the industry faces unique challenges, from the life cycle of the ships, which means many OT systems pre-date the cyber-era, to the fact ships may face various levels of risk depending on where they are in the world.

Industry 'not prepared'

The good news is that the issue is now on the industry’s agenda, helped along by new IMO regulations. The bad news is that the regulations are little more than an awareness-raiser and the industry’s readiness lags the increasing sophistication and scale of today’s cyber-threat.  

“The IMO regulations provide a base level of awareness, which is important in itself, but they are otherwise completely inadequate in every respect,” said Professor Jones. “They’re a placeholder, a marker in the ground.”

This just isn’t enough, said Professor Jones, because cyberattacks are increasing in frequency and severity.  

“Previously attacks targeting the sector were quite rare but now it’s much more frequent and they are targeting the sector directly rather than shipping companies being collateral damage in a wider attack,” said Professor Jones. “The industry is not prepared for this and there isn’t the capacity to provide the specialist help needed.” 

“You can probably count on the fingers of two hands the number of organisations that have the specialist skills to do this – and there are 180,000 ships out there,” he added. “As an industry, we need to share intelligence so we can really understand the risks. We’re just not there yet.”  

Much of the push to address the vulnerabilities of the industry is being driven by the classification societies and insurance companies. The societies are drawing up their own guidance and interventions to help ship owners navigate this new class of risk. In November 2021, for example, ClassNK granted cyber resilience-guideline (CybR-G) notation to NYK Line’s oil tanker Tateshina. Others are taking their own measures to shore up their defences, but is it too little, too late?

Amy McLellan is a journalist and author. 
