In 2017 the world’s largest container shipping line, Maersk, was brought to a complete commercial standstill due to a cyber attack. Not that such an event should have surprised anyone – multiple destructive cyber attacks in the maritime sector had been reported for many years prior to the event, even one involving the complete shut-down of all computer systems in another container shipping line.
What went wrong?
The problem was rather that companies in the maritime industry did not assign much likelihood to such an attack actually hitting their specific companies. Consequently, the level of cyber security in the maritime industry was very low at the time when the attack hit Maersk.
This development becomes even more disconcerting when two additional aspects are taken into consideration. Firstly, this was not a targeted attack on Maersk. Instead, it was, very likely, a broader Russian cyber attack on Ukraine. Thousands of companies were impacted, including a wide range of foreign companies that had offices in Ukraine. Maersk had an office in Ukraine and can be seen as collateral damage. In other words, the 2017 attack showed very clearly how destructive a cyber attack can be to a maritime company even when the attack is not aimed at that individual company.
Secondly, at the time of the attack Maersk was probably one of the maritime companies that had spent the most resources on cyber security – yet this turned out to be inadequate.
The 2017 attack should, therefore, have served as an acute wake-up call to rapidly intensify efforts throughout the maritime sector to improve cyber security.
The current situation with cyber security in the maritime sector
Now – 2½ years later – we do see some maritime organizations increasing their efforts to bolster cyber defenses, but the broader view of the industry is still one of a low degree of cyber security. As an example, the CEO of a mid-sized international shipping company stated as late as October 2019 that cyber security for their vessels was in reality not an important issue.
But the reality is that new maritime safety rules come into effect in January 2021. At that time, it becomes mandatory to address cyber risks in the safety management systems on the vessels. This is incorporated into the ISM code and has to be addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
The global fleet contains some 60,000 vessels that are subject to the ISM code, and whilst clearly some companies operate multiple vessels, it is a task which should not be taken lightly by the maritime industry.
The safety management certificate
The safety management certificate for the vessel is valid for 5 years and subject to verification of compliance with the ISM Code between the second and third years. Hence, simply put, all vessels need to have cyber risks addressed by the end of 2023 at the latest. On average this means that 1700 vessels will need to have this completed each month from January 2021 onwards.
The time for the maritime industry to get this completed is therefore now.
Improsec Maritime Cyber Security Service
Improsec delivers independent security analysis and assessment of the cyber security posture of IT and OT infrastructure onboard vessels. The security assessment is based on, among other recognized resources, the guidelines from BIMCO, etc. on cyber security onboard ships, combined with our own experience performing vessel assessments.
The assessment is based on your specific setup and will be planned accordingly. Read more about our service here.