The maritime industry appears to be specifically vulnerable to cyber attacks due to several factors including the fact that IT systems onboard were designed with a ‘the system must work under all conditions’ instead of ‘the system must work securely’ mind set, argues Markus Schmitz, the managing director of Cyprus-based IT provider SOFTimpact in today’s Maritime CEO interview.
Schmitz’s comments are especially pertinent in the wake of the recent high profile cyber attack that crippled much of Maersk’s operations worldwide.
Other factors that make it tricky to secure shipping from hackers are the wide chain of people involved in day-to-day operations. Several parties – crew, managers, service personnel, pilots, auditors, inspectors, charterers – cooperate in operating the vessel. “This makes physical access security as a base of any cyber security partially hard to enforce,” Schmitz observes.
Other issues to be aware of include the common use of voyage contracts which potentially effects employee loyalty and training investments.
Moreover, the international character of shipping facilitates certain common cyber threats, like phishing attacks and CEO fraud, Schmitz maintains. Moreover, the lack of consideration in existing regulation, particularly ISM and STCW, does not help the situation.
“In order to overcome the challenges posed the industry needs to go through a change of mindset, where technology is used more consciously and technology purchasing decisions are taking cyber security into consideration,” Schmitz says, musing: “Is it really advisable to purchase an ECDIS system, which relies on USB sticks in order to distribute updates?”
SOFTimpact highly recommends to task the HSQE departments of shipping managers and owners to start building a cyber security culture similar to the safety culture already established, relying on the same proven mechanisms, like encouraging crew to raise non- conformities.
Commercial pressure is pushing companies this year into adopting new technologies like the internet of things and blockchain, something that worries Schmitz who is also an executive committee member at Intermanager.
“I would advise the industry to apply an adequate amount of caution. No matter how much potential these technologies might promise, maturity in cyber security is best achieved in incremental steps,” he concludes.
Since you do not want to have ECDIS connected to internet, the update is done by using an USB on which information has been downloaded from an email’s attachment.
How else will you update ECDIS? By snailmail?
Do not understand the title, i think it is a bit overstated to the sensationalist side.
If something is connected, it is vulnerable to cyber, period. So far, it never occurred to me that maritime is soooooooo vulnerable. Wanna see vulnerability? Look at TNT where they had a complete mess with their parcel business.
Other industries also possess the same characteristics as maritime, as also enumerated in the article and yet, i would say that maritime is less connected and thus, less exposed.