As a shipping leader confronted with escalating cyber risk, sticking your head in the sand is no longer acceptable. Nor is it commercially viable. Cyber-attacks are not an anomaly any more.
CMA CGM is just the latest victim. It took nearly two weeks for it to restore its online customer systems after last month’s attack. It will take a while before the company fully understands whether losses are as severe as the $300m attack on Maersk in 2017.
There is no way to be 100% secure. So the realistic approach is to make intelligent choices based on risk and prioritising investment in defences based on the criticality of the systems that could be affected.
The key is to set up a continuous dialogue with the IT team structured around having a business-oriented understanding of the risks, rather than a technical analysis. It must be informed by a realistic view of the likelihood and potential impact of cyber-attacks on critical business processes.
Given the present danger, where do you start? These are the questions you should be asking your team.
Are we vulnerable to a similar attack?
Cyber-attackers often repeat their attacks, with minor variations. It is more cost-effective for them. They know that, through a combination of inertia, indifference or stubbornness, organisations can be slow to act. So the hackers have a window of opportunity.
Most shipping organisations are likely to fall victim to a similar raid, given the sector’s low level of cyber maturity. So it is useful to focus discussions on the likelihood and the impact. This enables a meaningful discussion about how much risk you are willing to live with or to what extent you should invest in risk mitigation.
If a similar attack happened to us, how bad would it be?
The temptation is to focus on systems and applications. It is far more useful for management to focus discussions on potential operational disruptions and the responsibilities for response and recovery.
Consider where manual overrides exist to mitigate the risks by providing back-up processes. Bringing together technical, commercial and operations teams for a discussion on potential impact will be important, as the IT team may have limited knowledge of how key applications are being used.
Are the systems on board our vessels also vulnerable to a similar attack?
Vessel IT systems and applications are definitely vulnerable to the same techniques used on CMA CGM. The focus should be on how reliant your onboard operations are on these applications, how prepared the crew are to revert to manual back-up processes, the level of shoreside support required and the financial impact of such disruptions.
What are flags and port states saying?
International shipping policy developments provide an indication of inspection requirements. Recent developments in the US are worth noting. The US Department of the Treasury has threatened steep fines for companies involved in negotiations with ransomware extortionists.
In addition, the US Department of Energy is extending a cyber maturity assessment framework, currently used in the energy sector, for gauging maritime organisations transporting energy products.
Given the volume of cyber-attacks on maritime organisations this year, there is likely to be increasing focus from authorities worldwide in the coming months.
Can our suppliers’ systems be affected?
Supply-chain cyber risk is frequently forgotten. This is where an attack on your suppliers’ systems affects your operations.
Many shipping businesses will grind to a halt if they can no longer operate their e-commerce web portal, shipmanagement software, and cargo-tracking, crew-management, procurement and vessel-reporting systems. It is important to explore how quickly you can replace these with manual contingency plans.
What do we need to do to reduce the risk?
The immediate focus is to shut down the vulnerabilities exploited by the attackers in the CMA CGM case. Repeat attacks are common and good for business for the criminals. More permanently, there is an opportunity to use this as a catalyst to improve the cyber risk management of your organisation across land and sea.
Cyber security does not need to be expensive. Making intelligent, risk-based choices underpinned by a positive culture will go a long way. That begins with having the right internal dialogue.
Richard Wagner is regional director
at maritime cybersecurity firm CyberOwl
Do you have an opinion to share? Email: news@tradewindsnews.com
