The amount of concern articulated about new technology in the recent survey conducted by Reed Smith is both welcome and revealing. It is a healthy sign that respondents are concerned about cyber security and the impact of new technology on their business, whether for emissions control or other areas of improved performance. But the rise of automation and the prospect of greater autonomous capability raise the issue of asset protection too: how can owners and charterers be sure that a vessel laden with precious cargo will travel without incident from port A to port B? Will the (reduced) number of people left on board be able to regain control if the autonomous capability somehow gets subverted? I would, however, challenge shipowners and charterers to match their rhetoric and concern with the resources necessary to do what is required to secure their business.
The threat of a cyber attack against shipping interests is neither new nor particularly contentious these days. We witnessed, in 2017, the potential for real damage in the NotPetya attacks, when many companies headquartered outside Ukraine (the original target) were hit too and suffered huge collateral damage. We have also seen the more insidious form of attack – emails being siphoned off for many months to third parties, or services (e.g., email and telephony) being interrupted. Cyber attacks are becoming an occupational hazard, particularly with valuable cargo on board, and there is no guarantee that larger systemic land-based attacks will not find a way to hop over satellite links to vessels as IP-based systems become more prevalent.
It is not possible to both remain connected to the internet and mitigate every threat. A judicious balance needs to be struck between the needs of the business and security requirements. Security requirements are effectively the cost of doing business over the internet, and all sectors of economic activity need to realise that there is a certain minimum spend each year which they should not fall below.
The problem arises when investment is delayed because it does not seem necessary. The older technology becomes, the more vulnerable it is, and once it is out of support, operators need to understand that the vulnerabilities worsen each day that there is no patching.
Furthermore, a risk management approach is needed for each vessel and each operator. This needs to consider the strength of the cyber controls on board each vessel and those of head office, the threats and vulnerabilities of each organisation, and the steps necessary to close the gaps to an acceptable level. We have to be clear – the cyber security risk can never be fully mitigated away, but a lot can be achieved through appropriate and enforced governance at the people level, and regular investment at the electronic and manufacturing levels can make the difference between a properly governed system and enterprise and one that is wide open and prone to catching every passing piece of malware. Insurance plays a key role here, but there are no panaceas.
The UK government has issued clear guidance around the basic behaviours it hopes companies can adopt to avoid the more basic attacks. This includes training your people, changing default passwords, and using encryption and strong passwords. None of this is rocket science, nor should it be expensive, but it is important. To use the medical analogy, prevention is better than cure. Just because it hasn’t happened to you yet does not mean you are immune – it means you have been lucky. The question boards need to ask themselves is “How much am I prepared to spend to reduce the costs of business interruption to as low as possible?” and not “How little can I spend on my IT to maximise my profits?”.