This article was originally published in BIV Magazine's Gateway issue.
Five years ago, the largest maritime container shipping company in the world was hit with a cyberattack that crippled its booking system, stalled tracking of its containers and disrupted operations at container terminals all over the world operated by its APM Terminals subsidiary.
The financial cost to A.P. Møller-Mærsk was later estimated at US$300 million.
The cost to its reputation is harder to distill into dollars and cents. Suffice it to say that it was significant.
It was also a four-alarm cybersecurity wakeup call for Maersk.
But, five years later, that alarm has yet to prompt widespread co-ordinated cybersecurity initiatives in the global shipping sector.
As Lloyd’s List editor Richard Meade noted in introductory remarks for the U.K.-based shipping journal’s 2022 webinar on shipping sector cyber threats, industry surveys show now that cyberattacks and data theft “are routinely in the top three risks perceived by maritime businesses, but those same surveys routinely report that the industry is not fully prepared to tackle that risk.”
It’s a risk that is escalating up and down the global supply chain.
BlueVoyant’s second annual survey of cyber risk management in sectors ranging from financial services and health care to utilities and energy found “a fractured landscape, with different industries and regions responding differently to the challenges posed by another year of damaging, costly cyber events.”
Those 2021 events included the SolarWinds cyberattack, which cost an estimated US$100 billion, according to the global cybersecurity company.
BlueVoyant’s survey of 1,200 senior executives in Canada, the U.S., Germany, the Netherlands, the U.K. and Singapore found that 93% had suffered a cybersecurity breach and that the number of those breaches had increased 37% in the past 12 months.
Meanwhile, PwC’s Canada Cyber Threat Intelligence report estimates that the average cost of a data breach in Canada is now $6.35 million, and that supply-chain-related cyberattacks are becoming more frequent and more complex.
Globally, the annual cost of cyber crime to the world economy ranges anywhere from US$1 trillion to US$3 trillion.
“The prospect of a major cyberattack has loomed large over the [shipping] industry for many years,” Meade said, “but right now, the risk rates are flashing red.”
Cyberattacks on major shipping lines and within the maritime goods movement supply chain have cost the sector hundreds of millions of dollars thus far. But that bill pales in comparison to the costs of a catastrophic physical loss of ships or environmental disasters from oil or chemical spills or supply chain chokepoints snarled as the result of a cybersecurity breach on a major shipping line.
Shipping lines are especially vulnerable to cyberattacks because of the wide range of entry points to their navigation technologies and cargo handling, communications and management systems.
This is in part because of the complexity of global goods movement and the number of different connections needed to co-ordinate that movement, and the regular crew changes and human resources ebb and flow it requires.
But also, because, as Meade pointed out, the industry continues to be unwilling to “go public and share data, and partly because this remains steadfastly a reactive industry where safety improvements are only ever borne out of casualties.”
Russia’s invasion of Ukraine accelerated the danger of cyberattacks for major shipping companies and infrastructure.
And not necessarily as prime targets, but as collateral damage, says Bill Egerton, chief cyber officer with cyber insurance and risk management company Astaara.
Egerton says the war in Ukraine is providing cover for other groups to ramp up spam and hacking attacks “to make hay while the sun shines under cover of something else.” He estimates that those attacks have increased by 25% since the Russian invasion began.
Egerton adds that the danger to shipping is more on the office side of the equation than on the vessel side, and points out that the attack on Maersk five years ago resulted from a 2017 Russian cyberattack on Ukraine.
So, the problem for shipping is growing, Egerton says, “because [the] sheer volume of attacks is growing as well.”
“We’re not just talking about the occasional ransomware attack.… What I’m saying is that the attacks that have happened and have come into the public domain have either been through nation states or their proxies or groups that have worked for these people in the past.”
He adds that sharing data and experiences about cyberattacks and ransomware threats is a vital first line of defence for the shipping industry.
Without that mutual cooperation in an industry that is extremely competitive and therefore notoriously averse to sharing data, it will lose “the ability to be able to learn from those areas and strengthen collectively.”
Developing a mutual understanding of terms and language when it comes to managing cybersecurity risks and threats is fundamental to reducing those risks for major ports and shipping lines. As the International Association of Ports and Harbors (IAPH) notes in its Port Community Cyber Security report, “we take what is by nature a hard problem – that of understanding and managing organizational cyber risk – and make it more difficult and problematic when people neither perceive of, nor speak about, cyber risk management in the same way.”
But sharing data and a common communication language is only one initiative needed to fill the many holes in shipping lines’ cybersecurity.
Julian Clark, global senior partner at Ince, an international law and professional services company, told the Lloyd’s List webinar that educating and training ship crews, shipping company staff and management is critical.
And that means providing much more than instruction in basic cybersecurity hygiene.
He says there needs to be a game plan and training for what happens when a ship or a shipping line is hit with a cybersecurity breach or ransomware demand.
Ships’ crews and shipping lines know immediately what to do if there is a collision or other shipping disaster. But when it comes to a cyberattack, Clark said, all bets are off.
“Another thing that came out of the Lloyd’s List survey [of its shipping industry readers] was you’ve still got this issue of … what would happen if the company got hit by a major cyberattack this afternoon?”
The answer, Clark added, would be confusion and uncertainty.
Investing in cybersecurity safety training in the shipping sector is a fundamental first line of defence, and, to be effective, that investment cannot be a piecemeal nickel-and-dime approach.
“The important thing is you need to recognize that this is an ongoing cost of doing business,” Egerton says. “It’s not about a one-off hit and everything will be fine.”
He adds that much of the training material being used by shipping lines today is ineffective because it is dated and generic.
“It talks about stuff in the abstract rather than relevant to the vessel somebody is on or a company somebody’s working for. I think that sheep-dipping people for half an hour doing ‘mandatory training’ doesn’t help them do their jobs better. And you need much more role-specific training to make sure people understand how an attack can hurt their bit of the business.”
Shipping also shares a fundamental human resources challenge faced by other industries: recruiting and retaining cybersecurity talent. The World Economic Forum’s 2021 Cyber Outlook Survey of 120 top executives from private and public companies in 20 countries found that 59% of respondents “would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team.”
Again, data for different ships and different shipping operations is vital for any cybersecurity defence investment to be effective.
“Understand what you need,” Egerton says, “and do this proportionately. Because … if you go and spend a lot of money, you may end up with a product that you can’t use, because it’s producing too much data in the form you can’t cognitively understand. So, I think it’s proportionality. It has got to be people and leadership focused. If the board don’t take this seriously it is not going to work.”
He adds that there needs to be a clear line of sight and communication “from the board to the shop floor, so that everybody understands their role and their place in this, should [a cybersecurity breach] happen.
“Cybersecurity is a risk that won’t go away. You cannot just do it once and then forget it.”
Many major Vancouver-based shipping companies agree that there is a rising concern about the seriousness of cybersecurity threats in their industry, but declined comment for this article, citing an “abundance of caution” over concerns about raising their profiles and the potential for their businesses to become targets for international cybercriminals.
This article was originally published in BIV Magazine's Gateway issue under the headline 'Cybersecurity threat looms large.' Check out BIV's full digital magazine archive here.