A spate of recent cyberattacks on maritime-related companies has highlighted the ongoing risks inherent to an increasingly digitally connected industry. Incoming class requirements and greater emphasis on cybersecurity across the supply chain may not be sufficient to protect maritime assets, experts have warned.
Shipping leaders ranked cyberattacks as one of the highest risks impacting their operations in the ICS Maritime Risk Barometer 2022-2023. Meanwhile, attacks on class societies, container liners, port authorities and technology suppliers have contributed to a perception of cybersecurity as a major concern for shipping leaders in the ICS Maritime Risk Barometer 2022-2023. This is also reflected in Allianz Global Corporate & Specialty’s (AGCS) 2023 Risk Barometer, with 34% of respondents citing it as the most important risk factor of 2023. AGCS Chief Underwriting Officer Shanil Williams told Leadership Insights that the impact of cyber-crime has reached US$1 trillion, representing nearly one percent of global GDP.
“As companies rely on technology and digital transformation we have seen cyber become a main driver of business interruption,” he said. “It is the cause of interruption that businesses fear the most.”
To date, maritime cyberattacks have temporarily halted port operations, in the case of A.P. Moller-Maersk’s terminal business, and interrupted remote connections and service support from ABB, which provides remote monitoring for the ship technology it sells. But a recent survey from DNV – itself the subject of a recent cyberattack – suggests that the impact on maritime trade could become even more direct. DNV’s Maritime Cyber Priority 2023 report found 60% of industry professionals expect attacks to cause ship collisions within the next few years, with more than three-quarters anticipating the forced closure of a strategic waterway.
In a signal of how seriously DNV is taking cyber threats, it took ownership of more than 93% shares in cyber security services leader Nixu in June 2023 following a public tender. Remi Eriksen, Group President and CEO, DNV, said that its purpose of “safeguarding life, property, and the environment is no longer restricted to managing risk for physical systems – it must now cover many distributed and interlinked cyber-physical systems”.
Respondents to the DNV survey cite low effectiveness of the regulatory framework as a key concern, and class is rallying to action. At the end of the year two new unified requirements from the International Association of Classification Societies, IACS URs E26 and E27, will come into force, requiring all shipboard systems and system integration on newbuild vessels to meet strict cybersecurity standards.
Meeting those standards could be a challenge without greater industry investment and collaboration. Williams explains that the growing shortage of cybersecurity professionals is complicating the defence efforts of all businesses. In the specialised realm of maritime operating technology, that is likely to be a particularly pressing issue.
One solution is for ship operators to seek greater support from suppliers. According to Sameer Bhalotra, CEO of cybersecurity specialist ActZero, companies should consider both making their own security platforms available to vendors and incorporating cybersecurity requirements in vendor contracts. That level of cooperation is seemingly demanded by new class rules, and – even in the face of a potential skills shortage – will help minimise maritime business interruption in the face of growing cyber risk.