Ian Millen, security and intelligence advisor at Global Navigation Solutions, passes comment on this week’s ransomware attack.
Despite the recent focus on cyber-security issues, the maritime industry was still caught by surprise by the news that Maersk and other shipping lines suffered a major cyber-attack on June 27.
To judge from the speed of its response, Maersk should be congratulated for the contingency plans it had in place, that were clearly capable of handling a major incident of a scale which prompted the shutdown of its IT infrastructure and affected 17 terminals.
The speed of its action – both in terms of communicating the problem and acting on it – are an example to the industry. Some of the other lines affected may not have been so well prepared, but we may never hear in detail the impact they have felt.
The combination of a tough market and increasing regulatory pressure in all areas are making life hard for owners. But in terms of spending on cyber security, without mandated regulation driving the industry towards compliance or a tangible commercial advantage to be gained from adopting new technology, it is always likely to dawdle.
At present, shipping and ports are operating on the basis of IMO-endorsed best practice produced by BIMCO and other industry associations. They make for an excellent starting point, but as its maritime security manager pointed out earlier this year, the challenge is getting operators to do more than read and then file them.
At the same time there is a belief that, given the controversies of the Ballast Water Management Convention, air and carbon emission rules that cyber regulation is not the answer, because the threat moves too fast for minimum-standard rules to keep up.
That may be literally true but it should not stop ship owners, operators, ports and other transport providers taking the steps needed to protect themselves and their customers. In fact there may soon be little choice, since the US Coast Guard is pressing for more explicit regulation on which the IMO may feel obliged to act.
Until that happens, what ship owners can do is to consider the practical first steps that may not require huge time or effort but provide an on-ramp to cyber resilience.
GNS advocates a ‘layered defence’ approach with independent but complementary measures – promote awareness for everyone, control access, back up data regularly, always use a firewall, keep systems and software up to date and think before you click – which can be expanded on as engagement develops. As Maersk has shown, a well-prepared approach to incident management and disaster recovery can also be key to mitigating the impact when defences fail.
In some ways, it is ironic and fortunate that a blue-chip, bellwether company like Maersk with established strategies for how to respond was the victim this time. Imagine the impact of a similar attack on another less adequately prepared terminal or shipping line. It might have had a much wider impact on the supply chain, at greater cost to bottom line and reputations.
The rest of the industry cannot afford to breathe a sigh of relief that it wasn’t them and believe that it’s back to business as usual. Despite the repeated warnings from the loss prevention community, class, flags and NGOs, the industry has been hitting the snooze button on cyber risk for too long. This is wake-up call that it should find impossible to ignore.