Every year, new catchphrases that initially bring clarity to maritime industry panel discussions, conferences and exhibitions can quickly become loosely-used jargon. At first glance, ‘cyber-risk’ would appear to fit the buzzword bill, but the virtual threat is more than a passing fad; it is here to stay and will require intelligent long-term solutions.
The fall-out from cyber-attacks is felt by real-world victims; the irony is that cyber threats are now so much a part of everyday life that the fear they once caused has quickly turned to resignation, bordering on apathy.
This shouldn’t come as a shock. More and more aspects of modern life are handled electronically, either at point of service or in the background, so the distinction between online and offline is becoming increasingly blurred. In many cases, the distinction has become a matter for indifference.
Cyber-crime is attractive because it lowers the risk to perpetrators. They do not have to confront their victims face-to-face and can take advantage of unprecedented scalability. Traditional bank robbers holding up a single bricks and mortar branch have a much lower ROI than their cyber counterparts, who can prey on every account holder. The ability to operate out of a different country makes evading the authorities easier too.
Yet for many years security has been treated as an afterthought in the design of IT systems, especially if developers are working to a tight budget and strict deadlines. Battening down the hatches added cost and complexity and extended project timelines. Moreover, it was seldom a selling point.
Fortunately this is beginning to change. Governments, regulators, and businesses are slowly waking up, not only to the scale of the threat but to its vast potential for growth. There is a parallel realisation that, if the distinction between virtual and real has disappeared, perhaps there should be no distinction in the way virtual and real risks are managed.
In this case, cyber risk should be treated no differently to fire risk where, over the years, rules on vessel design have been developed to maximise structural integrity, to contain flames and minimise spread. For vulnerable or mission-critical areas, hardware mitigations such as sprinkler systems can be installed. Vessels can be equipped with smoke detectors and alarm systems.
By the same token, preventative measures are put in place, individual personnel are taught how to tackle small fires with extinguishers, and to decide when it is safest to escape. In a major incident, there are chains of command and procedures to be followed. External assistance can be called in to facilitate a rescue. And a thorough and detailed investigation will take place after the event.
All these principles can be translated into a cyber risk context. So far, cyber-attacks have not caused any catastrophic incidents at sea, but we’ve had some near misses. The damage to Maersk from the NotPetya ransomware attack earlier this year was mostly limited to back-office functions and disruption to services rather than directly impacting vessel operations.
However, anecdotal evidence indicates that, in separate, unrelated cyber intrusions, vessel engines have been rendered inoperative - fortunately in circumstances where crew had time and space to react.
It is impossible to turn back the clock on the more connected, automated world in which the industry operates. It is therefore imperative to face up to the risks.