Most shipping and offshore vessel companies are acting too tactically on cyber security when they should be thinking strategically, according to Lloyd’s Register.
This includes the best and brightest in the shipping industry. Even powerhouses such as AP Moller-Maersk have woken up to find their defences to be sorely lacking in the face of today’s global horde of hackers.
“At the moment, what I see in certain sectors, particularly in marine and offshore, is a needs-driven approach,” said JP Cavanna, Lloyd's Register's new head of business development for cyber security.
“There’s a need to have a tanker management self-assessment certification, for example, or a need to have some sort of security put in place to cover a specific area. That’s fine but it’s tactical and reactive; it’s not holistic.”
At this year's World Economic Forum, Maersk chairman Jim Hagemann Snabe discussed last June’s now infamous “NotPetya” cyber-attack, which ended up costing the Danish transport and logistics outfit $250m to $300m in what he called an “important wake-up call” for the industry.
“Imagine a company where a ship with 10,000 to 20,000 containers is entering a port somewhere every 15 minutes, and for 10 days you have no IT. It is almost impossible to even imagine,” Snabe said.
He added that employees pulled together and were able to cover 80% of subsidiary Maersk Line's normal container business the old-fashioned way — by hand.
“What did we learn?” he asked. “Number one, we were basically average when it comes to cyber security, like many companies.”
The emergency response included installing 4,000 new servers, 45,000 new personal computers and 2,500 applications for Maersk’s 50,000 employees at 600 global locations. Such a re-installation should have taken six months but Snabe said Maersk pulled it off in an “heroic effort” over just 10 days.
About half of those locations lacked the bandwidth to download crucial replacement software from Maersk’s IT headquarters in the UK. That team discovered the stores in their area carried only about 50 USB sticks at a time, so they had to purchase all the sticks in a 25-mile radius of the IT centre near London, and then mailed out 2,000 USB sticks in 300 DHL packages.
Cavanna dealt with a host of cyber-security issues during a digitalisation seminar at Lloyd's Register's office in Oslo, describing how shipping companies come to misunderstand the level of their own protection.
Cavanna has been with Lloyd's Register for only four months but brings some rather unusual experience to his new role, including carrying out police raids on suspected terrorists in the UK.
Before working as a digital security specialist with the likes of Capita and Hewlett Packard, Cavanna worked for 19 years with London’s Metropolitan Police and as a digital forensics expert in the Special Branch unit, which deals with matters of national security and terrorism.
Cavanna pointed out that one of the main pitfalls is when companies try to encapsulate their whole data system in an effort to make themselves invulnerable. This ends up protecting the lunch menu in the company canteen at the same level as its sensitive commercial operations. Not only is that approach expensive but it also fails, he said.
“There has been a fair amount of compliance and regulation that drives the need and desire to do something on cyber security,” he said. “The reason that regulation came about is partly because of attempts to build an impregnable fortress, and so protecting everything inside a company to the same level of security. With the benefit of hindsight, we know that’s nonsense.
"More importantly, creating an impregnable state is absolutely rubbish. You can create a more secure state but not a completely secure state. Everything is hackable. Nobody is impregnable. You will get breached.”
The alternative approach is to identify a company’s critical business drivers and understand which systems enabling those functions must keep going.
“Everything you do in terms of security should be to protect those business drivers,” Cavanna said. “When you identify what those critical business drivers are and you identify what those assets are, then you start to think about the threat factors that might affect those.
“And then you start to address all of the other areas in terms of a holistic cyber-security approach. This will give you a scalable posture because you don’t want to be playing catch-up all the time. Companies need to stop being tactical and reactive and start being more proactive.”
Cavanna also pointed out that people remain the weakest link overall in the cyber-security chain, because a majority of attack methods, such as “phishing”, require human interaction to work, as in clicking on an email attachment.
“At the end of the day, it doesn’t matter what you’ve got in place or how many millions you’ve spent on technology,” he said. “Every single one of us, and every single one of the people that works for you, is the biggest single weakest link in your security environment.”
This makes security training paramount for personnel — and many others agree.
Jorgen Palmbak, director of maritime security at the Liberian International Ship & Corporate Registry, suggested last October that more than 40% of the industry’s seafarers have sailed on ships that have suffered cyber attacks of some form, either viruses or malware, yet only one in eight crew has received any cyber-security training at all.
Outside Maersk, other big shipping names have been flagging up problems. Speaking at a London conference at the end of last year, BP Shipping chief financial officer Guy Mason said his company had intercepted about 614 million “phishing” emails in 2016, working out to about 1,200 per minute for the whole year.