Like many industries, the maritime sector is undergoing significant technological transformation aimed at increasing productivity and efficiency. This unfortunately provides more opportunities for cyber threat actors to strike, which could have particularly devastating consequences given the critical role of shipping in global supply chains. Estimates show that maritime transport represents a fundamental pillar of international trade, with 90% of traded goods transported by sea with an annual value of USD 14,000,000,000. Indeed, the obstruction of the Suez Canal last year perfectly illustrated the world’s dependence on maritime trade and its fragility.
Therefore, strengthening cybersecurity in this industry is crucial. Infosecurity recently sat down with Professor Kevin Jones, Head of the Maritime Cyber Threats Research Group at the University of Plymouth, to learn more about the specific cyber threats facing the maritime sector and how to mitigate them.
What are the main cyber risks facing the maritime industry and how have they evolved in recent years?
For the Maritime sector, the risk profile is broken down into two segments: technical and socio-technical (people). When we do risk analysis using industry-specific tools like MaCRA, we find that things vary significantly depending on where you are in the industry. Modern ships tend to be much more gear dependent and are more likely to have modern equipment; older ships have fewer technical dependencies, but they also tend to have equipment that was not designed with safety in mind.
The risk also changes wildly depending on what you’re wearing (changing the level of interest for more sophisticated players) and where you are (changing the people involved). In recent years, the main evolution of threats has been less technical and more economic; malicious actors have found ways to monetize existing vulnerabilities in the industry and thus develop more targeted attacks.
Is maritime particularly vulnerable to cyberattacks compared to other transportation sectors like automotive and aerospace? If yes, why?
He is vulnerable in a specific way. The sector is slower to react than other sectors due to the variety of vessels in the commercial fleet and the design cycle of the industry. Large-scale commercial operators use hulls that are decades old and retrofitted with various types of technology when regulatory mandates have made it necessary. There is also a long-standing attitude in the industry of “my ship is an island”, leading to less awareness of cyber vulnerabilities. Unlike the airline industry, there are also a lot of staff who are less well paid and less qualified.
What are the potential implications of a cyber incident in the maritime sector? What are the main examples to date?
Well, it’s a trillion dollar industry, and we saw through a recent incident that it’s easy to see costs of $10 billion a day when something disrupts the maritime supply chain . To date, the worst-case Evergiven was accidental, but that’s the kind of thing that could be caused by a cyberattack. Each of the four major shipping companies has been the target of a specific cyberattack in recent years, with a large-scale ransomware model appearing to be the new weapon of choice.
You and your colleagues worked alongside the Bank of England to create the first maritime cyber incident exercise featured in the 2022 General Assurance Test. Could you provide an overview of this exercise?
“One of the things we have been doing over the past two years is developing realistic scenarios for the industry, illustrating the potential outcomes of various cyberattacks. They range from minor inconveniences (e.g. empty map display) to catastrophic (e.g. the closure of the Suez Canal) and ensure that all are realistic from both a technical and operational point of view.For the Bank of England, we designed a scenario that involved a cyber- attack taking control of the throttle and rudder of a large container ship and bringing the ship to a standstill, with repercussions both for the individual cargo and for the rest of the ecosystem. . We have developed a model of appropriate risk for this attack and the resulting consequences.
What types of cybersecurity practices and technologies are particularly vital for organizations in this sector to adopt in the coming years?
I would emphasize two things: proper assessment of industry-specific cyber risks – for example, the kind of assessment we do with MaCRA considering dynamic factors and IT and OT, preferably doing this kind of standard approach to fill the current IT-centric gaps that the industry is exposed to; sector-specific cybersecurity awareness training, ideally with appropriate and realistic scenarios for the sector so that the industry, from the board of directors to the watch officer, are aware, can recognize, respond and develop measures appropriate mitigations for the type of attacks it will experience. Once these are incorporated, the focus should shift to next-generation equipment developed with safety from the ground up, but we must recognize in this industry that it will take decades, even with regulatory pressure, to advance the things.