Cyber security focused solely on cargo shipping is becoming a field of its own.
"The more complex system you have, the bigger risk you have of malware or attack of some sort," says Olav Haugehatveit, senior engineer for control systems at classification society DNV GL.
"I see this as an industry because it opens up a new risk window and you have to deal with that risk window somehow."
He says hackers might focus more on creating ransomware than malware to extort money, but many may continue to invent threats for the thrill and the notoriety. "If they are able to disrupt a huge shipping company, they may get credit in their environment."
Only a few major cyber security firms cover maritime, but class societies are addressing the issue because of the eventual need for regulation, says Markus Schmitz, managing director of Cypriot IT services provider SOFTImpact.
"But, due to their nature, classification societies approach the topic currently either with a certification process, which is not mandatory yet, or a 'safe-building' process, which falls short of the dynamics and ever-progressing challenge, which cyber security presents," he says.
"As a consequence, you see smaller players active in the market, like ourselves, CyberKeel, Navarino, etc."
Navarino, a Greek maritime communications firm that distributes Inmarsat's cyber security services, launched its own maritime digital security platform, Angel, in October 2017.
"In today’s world of high throughput satellites [HTS] networks, such as Inmarsat’s Fleet Xpress, the bandwidths available to shipping have increased dramatically in recent years," Navarino spokesman Christian Vakarelis says. "Navarino launched Angel to help ensure our customers can take advantage of the huge benefits of HTS securely."
Other boutique cyber security firms focused on maritime include Phaistos CybSec Maritime, Maritime Cyber Solutions, Seawall Maritime Cyber Security and Fathom5.
Major firms wade in
Larger companies are also in the game. In addition to Inmarsat, the British telecommunications firm, US aerospace and technology powerhouse Northrop Grumman is offering maritime cyber-security solutions.
Inmarsat, established in 1979 by the IMO, offers Fleet Secure to give shipping operators and managers the tools to protect their fleet from cyber-attack, to detect vulnerabilities and respond to threats.
"When the level of awareness was raised at the IMO, we decided to align our work in maritime security with our safety services as we see a lot of synergy in keeping the seafarer and the vessel safe," says Peter Broadhurst, senior vice president of safety and security at Inmarsat's maritime division.
"We are on a journey towards a more mature position in cyber security, and it needs to happen at multiple levels."
The company expects to receive ISO 27001 accreditation for cyber security this year.
Last month,Wartsila announced the opening of an International Maritime Cyber Centre of Excellence in Singapore.
It consists of an emergency response team and academy, founded with British firm Templar Executives.
“In the face of growing cyber-threats and increasing regulatory pressures, it is up to us in the maritime sector to act now," Templar Executives chief executive Andrew Fitzmaurice says.
In March 2016, Epsco, a provider of maritime services, partnered boutique US firm Ra Security to form maritime cyber security company Epsco-Ra.
Gideon Lenkey, director of technology at Epsco-Ra, says big cyber security firms' focus on maritime will really sharpen when more hackers attack ships to extort money.
"When they stop a vessel until they get paid, that will be an eye-opener," says Lenkey, who is also co-founder and president of Ra Security. "It will be unexpected, but hospitals never thought they would be a target."
The non-profit Maritime & Port Security Information Sharing & Analysis Organization (MPS-ISAO), based at Florida's Kennedy Space Center, launched a cyber-threat intelligence service last year.
It allows ports and other maritime-related organisations to share information about online attacks so that MPS-ISAO can then alert the entire maritime industry, says MPS-ISAO vice president of member services Christy Coffey.
"It's about collaboration to understand where adversaries are trying to attack ports and maritime organisations," she says.
Special focus may evolve on autonomous ships
Lenkey says autonomous ships of the future will be at an even higher risk of cyber-attack because they will be highly complex vessels reliant on software to make decisions.
"Obviously, there are no people onboard and I assume remote access ... from an onshore operational centre," he says. "By introducing all of those factors, you have higher risk for these vessels than you do for traditional shipping today."
Some autonomous ships may have small crews of two or three people on them but they will still be quite vulnerable.
"It will be an area of interest for those willing to do harm because these vessels rely heavily on software," Lenkey says. "And [if] these threat actors are kept in the media, then they could be stars in their communities."
Autonomous ships will always have a degree of vulnerability through human failure to encrypt networked systems, says Mark Sutcliffe, director of CSO Alliance, an online community of shipping company security officers.
"It must be said that, for the near future, autonomous ships on longer oceanic routes will still require some crew for maintenance and ... to prevent unauthorised boarding," he says.
Insuring against cyber-attacks
Providing insurance for digital attacks targeted at maritime is in its infancy but will probably become a defined segment within the insurance industry, according to experts.
Sutcliffe says CSO Alliance and European aerospace corporation Airbus have formed Maritime Cyber Alliance, a global reporting platform to help maritime insurers analyse risks. "The aviation industry is leading the way on this," he adds.
North P&I Club is aware of this alliance and is trying to put numbers to the costs of covering digital attacks, Adrian Durkin, a solicitor at the mutual says.
"It's something that has got us thinking," he tells TradeWinds. "The starting point for us [is] cyber risk is a new way of current risks evolving that we already cover."
North P&I itself was attacked last month when a supposed "club employee" sent an email asking for payment of outstanding funds. The giveaway was the email address read "neepia.com" instead of "nepia.com".
Durkin says North P&I is also trying to educate shipowners on cyber-threats and how to protect against them. "We're not running away from this, because we are here to cover shipowners' liabilities."
