Shipping needs to raise its cyber game

The shipping industry is lagging behind other industrial sectors in the all-important field of cyber security. Ben Densham, Chief Technology Officer of Nettitude, the cyber security services provider of Lloyd’s Register, warns of a rising incidence in attacks, with ransomware and targeted cyber assaults both becoming more common.

“As the pace of shipping’s digital transformation accelerates, the threat surface is expanding all the time,” he warned. “and the onset of the pandemic has coincided with a marked increase in malicious attacks. The combination of circumstances provides more opportunities for hackers and, as a result, all parties in maritime must exercise utmost vigilance.”

As well as being directly impacted and disrupted by events such as ransomware, Densham noted that hackers who find their way into digital systems are targeting increasingly complex supply chains through sophisticated methods. He drew attention to the recent high-profile cyber-attack on SolarWinds, a US federal software contractor, widely thought to have been state-sponsored.

Hackers were able to plant malicious code in software which then lay dormant for a number of weeks before being triggered to attack government departments, federal agencies, many Fortune 500 companies and even the mighty Microsoft itself.

On taking over as US President on January 20, Joe Biden ordered an immediate investigation into the SolarWinds incident, the full extent of which is still not clear.

So far, shipping is not thought to have been affected by the SolarWinds attack but Densham pointed out that growing sophistication across the hacking community needs to be met with the utmost security diligence.

He and his colleagues, who also provide cyber security services in other key sectors including financial services, defence, government and healthcare, are concerned that attention to cyber safety in shipping and ports is simply not keeping pace.

Densham highlighted similar sectors including logistics and offshore. Both of these industries are on the leading edge of digital development, he said, and there are a lot of lessons around cyber security that can be learnt from these sectors.

In contrast, many shipping companies view digital defence as merely a compliance issue, rather than a constant and dynamic threat that needs to be managed.

Whilst the IMO’s cyber initiatives are helpful, Densham explained why, on their own, they are not sufficient to meet the rapidly developing threat environment.

“The IMO guidelines set the overall future direction for the industry. But cyber security needs to be dealt with at pace and with agility. We’re talking here about highly motivated and mentally agile hackers set on causing cyber disruption,” he said. “It is a fast-moving scene which can change by the minute. We see this every day – just ask one of our financial services clients – and the backdrop is very different now, compared with 12 months ago.”.

When it comes to autonomous vessels, “marine and offshore autonomous development is advancing,” Densham stated. “But there are both lessons to be learnt from other sectors such as autonomous vehicles and cyber security needs to be seen intrinsically and not as an afterthought or bolt on to a development programme.”

Densham revealed that one of Nettitude’s most sought-after services from clients are requests from companies seeking to test whether or not their cyber defence systems are sufficiently robust. This usually involves Nettitude specialists taking on the role of the threat actor, seeking to identify gaps in security systems or other weaknesses.

Some shipping companies, he said, already have teams of in-house Offensive Penetration Testers, sometimes known as “hackers”, employed specifically for this purpose – thereby demonstrating the type of proactive approach that is necessary. However, for many, it is merely a compliance issue and another box to tick, he said.

Densham singled out cruise lines and navies as leaders in the maritime cyber security field.

“Cruise liners are effectively floating cities,” he commented. “They need to be secure across many digital arenas, including personal data, health, finance, retail, inventory management, always-on internet services, ship operation, and so on.”

Cruise lines’ dynamic approach sets a good example, Densham said. “Being ready for an attack is key, not merely protected by yesterday’s systems.”
Source: Lloyd’s Register