Illustration 84358616 © Ilexx

The shipping industry is not particularly attractive as a target for cyber-criminals; it is the industry’s internal behaviour that poses the biggest risks, a cyber security expert has told The Loadstar.

A survey into cyber-attacks on the maritime industry by CyberOwl and law firm HFW, collating findings from 200 C-suite respondents, found that only 3% reported that their company had paid a ransom – yielding a scary, but statistically insignificant, ‘average’ payout of $3.1m.

Though the 3% figure was low compared with other industries, CyberOwl CEO Dan Ng told The Loadstar this did not actually demonstrate what it appeared to. Instead, it exhibits a pervasive and damaging culture of secrecy within the shipping industry – which, in fact, is being attacked at a level on a par with many other industries.

He added: “I think it is highly likely [that it is more than 3%]. It is fair to assume that 3% is significantly lower than the reality.”

But an unwillingness to share information, Mr Ng said, was almost certainly preventing employees, even within the same company, from ever learning of an attack.

“Shipping has a problem,” he said. According to Mr Ng, the 3% tells a story about how secretive the maritime sector is being about such incidents, mainly, it seems, because of reputation concerns.

“Shipping… is a critical component of national infrastructure. In energy, banking, insurance… there is already a lot of good [information-sharing] infrastructure in place. In some cases, it’s not even voluntary; for anything that is considered critical national infrastructure, it is a requirement in the UK and US to report cyber incidents. But shipping is very far behind that.”

The report details the ease with which a vessel could be compromised and even sunk in the event of a targeted cyber-attack. But despite this, Mr Ng was emphatic that the “spray-like” format of most ransomware and malware attacks means shipping is almost certainly not at any greater risk, externally, than any other industry.

Asked if there was something unique to shipping’s international structure and character that prevented collaboration to warn one another of cyber risks, Mr Ng pointed out that it is not as though shipping has not done so before, in other contexts.

“We don’t have to look too far to see where these collaborative initiatives are working well,” he said. “On physical piracy, there has been enough impetus to make it happen. Shipping does not compete on piracy, and the ‘mean time to sharing [information]’, a metric we use, is relatively short when it comes to physical incidents. There is no reason this could not happen with cyber security as well.”

Other findings of the survey were that an unintentional insider was suspected of permitting access in 95% of cases; that, generally, the more senior someone’s role, the less likely they are to be made aware that a cyber-attack has occurred; and that a disproportionate number of respondents (83%) believe their company ran regular cyber security drills. Many of these responses were similarly erroneous, Mr Ng explained.

“We ask this question every time, and we get a similar response. So, we asked shipping companies in North America and EMEA ‘what does your cyber security drill look like?’. Only a very small number of them had ever run one,” he said.

Shipping, then, is not a notably attractive target or particular focus for cyber criminals, nor is it uniquely exposed in terms of assets or liabilities. Rather, Mr Ng concludes, through a counter-productive attitude to collaboration, it is suffering from a cyber-vulnerability of its own making.

“The reality is that you can put quite a lot of effort and investment into cyber security, but you need to make thousands of moves to prevent access; while the attacker only needs to make one move to exploit a vulnerability.

“So, the only way to get out of this is by working on it as a collective and sharing intelligence,” Mr Ng said.
