During the summer of 2017, global shipping company A.P. Moller-Maersk became the victim of a cyberattack caused by the NotPetya malware, which also affected many other organisations around the world. The fallout was significant, with the company reporting a profit loss of US$1.5 billion for the third quarter of 2017, which it partly attributed to the cost of the major cyberattack. Other business costs followed, with Maersk having to reinstall and replace thousands of hardware that were impacted by the ransomware. At that time, the company projected that the cyberattack would cause losses of up to US$300 million due to “serious business interruption.”
Then in November 2019, marine services provider James Fisher and Sons (JFS) told investors that hackers had managed to breach its computer systems. The incident caused shares in the company to fall by 5.7%.
These two events have been far from the only cyber events that have hurt maritime operators. In 2013, the Belgian port of Antwerp was attacked after malicious software was emailed to staff, allowing the organised crime group to access data remotely, and in 2018, a cyber breach affected shipping giant Cosco’s operations in the US Port of Long Beach.
While the maritime space might not have been traditionally thought of as a prime target for cyber criminals, times are changing and companies have to evolve or risk becoming victims themselves. Nonetheless, this might be easier said than done.
“I have done assessments on oil tankers and different ships, and seen the technology they use. It’s old and not kept up to date because it hasn’t had to be, but also when they do have connection to the internet, they have a lack of controls,” said Stacy Scott (pictured), a managing director in Kroll’s cyber risk practice. “That means they could download anything, which could then be transferred to their charting system, which is not only the map on how to get from point A to point B, but are there storms, are there things you want to avoid that could have a catastrophic effect?”
The data that a ship or port holds in its systems might not be credit cards and social security numbers, but that doesn’t make the breach of the data any less significant. The data could be operational, or reveal intellectual property plans for a new ship. Though a lot of companies in the sector are thinking about cybersecurity now more than ever, they don’t necessarily know how to build it into what they already have in place.
“I have been on 30-year-old ships because they’re still working and you build them to last a long time, and they don’t have the capability to take on modern security or technology, so how do you protect those things?” explained Scott, adding that the fallout from a cyberattack could include not getting goods to intended destinations or even loss of life because a hacked charting system could direct ships into a storm or into the way of pirates.
Read more: James Fisher and Sons rocked by cyberattack
At the same time, hackers are getting increasingly sophisticated in their methods of attack.
“The risk is growing from medium to high,” said Scott. “I think the level of concern is growing, rightfully so because of what happened to Maersk down to the most recent events.”
For insurance professionals advising marine companies about risk mitigation for cyberattacks, they can pass along a few tips that the Kroll team has used with its clients.
“What we found works for our clients is implementing checklists. It’s a checklist culture and they’re on-ship staff particularly will be able to run through those,” recommended Scott. “They are able to check systems to make sure they’re up to date, make sure configuration is still the same, make sure people are logging off, and make sure that they don’t have open sessions with a Gmail account, for example.”
As the industry evolves and new ships and marine systems are introduced, cybersecurity should be a top priority. Scott also added that satellite internet providers should take a bigger role in securing those networks.
As with most industries however, the maritime sector faces pressure from hackers that seem to be moving faster than they can keep up with. That shouldn’t discourage companies from implementing controls – if anything, it should spur them to join the cybersecurity race and prioritise key actions.
“It starts with what’s the most critical and I think if you have ships, it’s operations that are most vulnerable, so understanding what those operations are and how to put some security processes or technology controls in place [is important],” explained Scott. “Most often, the easiest thing to do is [introduce] a new process to double-check and detect if things are potentially going wrong or [if there’s anomalous activity.”
This way, companies can catch suspicious activity sooner and respond more quickly, potentially reducing the impact of an attack. These types of risk management practices can prepare maritime operators for the worst.
“The question that I usually get is how do we get ahead of the bad guys? And I think that’s very hard to do,” continued Scott. “There are large companies that spend billions on security and they’re not ahead of it, and they probably don’t have a huge enough budget for these things. But, the idea is to focus on detection. We’re not going to be able to protect everything and maybe [hackers] get into the first layer of defence, but we can stop them there.”