New Delhi, October 22, 2020: As the latest shipping giant to fall victim to hackers resumes activities, cyber security experts warn that the situation is only going to get worse.
This year marks a milestone, with the last of the four largest container operators having suffered cyber malware attacks. That means that close to 60% of the world’s containership tonnage, or their management has been subject to a cyber hacker attack. The most recent incident has seen CMA – the world’s fourth-largest container shipping group – take two weeks to restore its online business services. Malware targeted France-based CMA CGM’s peripheral servers forcing it to shut down access to some of its online services.
Robert Dorey, CEO of Astaara – specialists in cyber risk management and insurance for the maritime sector – said many marine executives failed to be compelled by the investment case for managing cyber risk.
‘It’s only now, as the deadline looms for shipping companies to meet IMO guidelines requiring shipping companies to develop comprehensive cyber risk management programs, and the realisation that the most advanced in the industry are being hit, that the industry is sitting up and taking note,’ he said.
‘With a rash of newly advised incidents on CMA, Carnival, IMO, Splash 24/7 shows cyber is a clear and present danger which requires concerted and industry-wide action. The implementation of the IMO cyber audit is a solid first step. These cyber events could have been avoided, and business impact substantially mitigated.’
Bill Egerton, Astaara’s chief cyber officer, added: ‘For a while we have seen many marine operators relying on self-assessment to provide assurance and certification of mature treatment of cyber risks. This approach is not sustainable. Firstly, the IMO requires independent verification of cyber risk management which will shine a light into boardroom behaviour; secondly – and unfortunately – self assessment has been shown to be significantly over-optimistic in its recording of performance, leading to a false level of confidence in the organisation’s security posture.
‘The endemic over-marking of cyber maturity in self-assessment certification will not help shippers stand up to employee, shareholder, client scrutiny of their leadership in the event of cyber losses that could have been relatively cheaply avoided,’ he said
Reports indicate that cyber-attacks on the maritime industry’s operational technology systems have increased by 900% over the last three years. But Astaara believes that there are many more cases going unreported. Mr Egerton predicts the numbers will only increase if the sector continues to regard cyber expenditure as less important than other areas of risk mitigation.
‘Cyber-attacks will continue for as long as the attackers believe they can achieve a profitable outcome. This dynamic environment presents our shipping colleagues with hard truths – cyber security is an ongoing requirement, needing continual investment and board attention. Ultimately, it is about shipping companies reducing the attractiveness of their systems to a would-be attacker who, denied an easy target, will likely go elsewhere,’ said Mr Egerton.
‘Losses will be reduced to a level acceptable to shareholders and other stakeholders as a legitimate cost of doing business, balanced against the costs of reducing the downside, which, as we have seen in most high profile attacks, is significant. And if we start to see collisions, loss of life, and possible terrorist exploitation of hijacked assets, could be enormous according to the reports published in hellenicshippingnews.com.
‘In any event, to be hacked without having invested in security is confidence-ending. To show that reasonable and proportionate steps have been taken, which kept the organisation afloat even in the face of a sustained and well-crafted attack, is confidence boosting.’
Companies like Astaara can help maritime companies reduce the risk of these attacks by conducting cyber risk analysis that assess threats and vulnerabilities. The company also looks at the impact of hackers on all digital systems crucial for the safe and secure operation of ships.
‘The IMO guidelines, which are long overdue, are based around five major areas of concern: identifying risk, detecting risk, protecting assets, responding to risk and recovering from attacks,’ said Mr Dorey.
‘The Astaara Cyber SMS Review is an important first step for owners to evidence that they are managing the risk and can be delivered remotely. Astaara has a clear model that can be provided remotely, and which will deliver the quality and insight that owners are seeking.’
