A year ago, my law firm released its Maritime Cybersecurity Survey report and white paper surveying 126 marine industry stakeholders representing the vessel, port, and cargo shipper subsectors spread across small, mid-sized, and large companies. The key question we asked of the respondents was, “Are you prepared to prevent a data breach?”
Ninety-four percent of small companies (up to 49 employees) and 81 percent of mid-sized companies (50 to 500 employees) answered that they were either somewhat or completely unprepared. Among three industry sub-sectors, 70 percent of vessel owner-operators, 68 percent of port operators, and 43 percent of cargo shippers also expressed serious or complete misgivings about whether they were cyber ready. At the same time, the survey left little doubt that the maritime industry is a prime target for hackers. It revealed that cyberattacks are pervasive, with 80 percent of large companies and 38 percent of all respondents reporting that they’d been targeted in the year preceding the survey.
The results also showed that larger U.S. maritime companies and those that had previously sustained a cyber attack are better prepared than smaller companies and those that hadn’t yet been victimized. Three out of four of bona fide breach victims claimed they were prepared for the next attack, the survey responses indicated, while only 14 percent of untouched companies indicated such a comfort level. When comparing companies by size, in contrast to the large company respondents small and mid-sized companies confessed that they were not prepared for a cybersecurity breach.
A phrase that is commonly applied to cyber breaches – “not if, but when” – led us to ask questions about the aftermath of a cyber attack. And the answers revealed widespread angst: Even among the “prepared” respondents, our probe uncovered that the maritime industry was not prepared to respond to regulators or victims, or to deal with the loss of confidential information or intellectual property. Sixty percent admitted they were not prepared to handle negative public opinion in the wake of a breach; 70 percent had no plan to deal with lost confidential business information, intellectual property, and other sensitive and confidential information; and nearly half had given little thought to addressing their customers’ post-breach loss of confidence.
Although our survey did not do a deep dive into what “readiness” looks like, we did learn that the bulk of our respondents, including many that broadly reported they were in shipshape, perhaps weren’t. For instance, only 20 percent of surveyed companies claimed to have conducted a data systems security audit in the prior 12 months, and less than half conducted cyber risk assessments at least annually.
Meanwhile, budget allocation varied widely, with the large companies four times more likely than mid-size companies to dedicate a percentage of their budgets to cybersecurity. Fully a third of small companies devoted no resources to cyber protection.
In the year since our survey was released, cyber threats to the maritime industry have increased along with advances in technology, and the need for attention to cybersecurity has garnered the attention of the industry and those charged with safeguarding the ports, waterways, environment, and nearby population.
A stunning example of the seriousness of a cyber threat occurred last spring, when the Coast Guard reported that it had, for the first time, boarded an inbound foreign-flag ship to have its “cyber inspectors” address a computer malware that had taken over the ship’s systems. One Coast Guard official said afterward that he believed these events will become increasingly more common.
In the aftermath of this event, the Coast Guard issued a public warning of “recent email phishing and malware intrusion attempts” directed at commercial vessels. Subsequent reports indicated that the incident involved an attack on a cargo vessel which, while approaching the Port of New York and New Jersey, radioed a distress signal because of malware that had infected its shipboard system.
A few months later, the Coast Guard published a second marine safety bulletin about the cyberattack, in which it gave this ominous warning: “cyber adversaries are attempting to gain sensitive information” including vessel arrival details. The Coast Guard continued that it had learned of malware “designed to disrupt shipboard computer systems.” The Coast Guard followed that warning with a July bulletin targeted to maritime stakeholders and directing them to take aggressive steps to protect vessels and other vulnerable assets. The second bulletin also included a call to action to “all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.”
What is most concerning about the reported malware event is that it directly affected the vessel’s shipboard system. By many estimates, shipboard electronic systems are 20 years behind office-based systems and those of competing industries. Addressing this deficiency will be difficult and it must be made a priority.
This is especially true in light of the fact that ship owners are increasingly adopting Internet of Things (IoT)-based solutions to achieve transportation and logistics efficiency. One recent report suggested that the per-ship investment in IoT over the next three years will exceed $2 million. The rapid adoption of IoT devices and digital connectivity is seen as a boon to the maritime sector, but every IoT device that is installed means another surface exposed to a potential breach, and cyber pirates are salivating at the prospect.
Attention to marine industry cyber readiness is also a focus of the International Maritime Organization, which adopted a resolution that encourages shipping companies to ensure that cyber risks are appropriately addressed in existing safety management systems no later than 2021.
With this kind of attention, industry stakeholders such as the respondents to the 2018 Jones Walker Maritime Cybersecurity Survey simply cannot ignore the importance of cyber readiness in the future. Industry leaders will soon have no choice other than to adopt a thematic change and recognize that cyber isn’t an IT issue – it’s an operations issue. A cyber threat is also a serious business risk and potentially a risk to life and the environment. Embracing these truths is critical if the marine industry is to give cyber the attention and resources that are sorely needed.