Shipping needs to be vigilant over cyber risks
The ransomware attack on CMA CGM is just one of a series of digital threats facing shipping
Cyber attacks on shipping have surged sharply since Maersk was a victim of the NotPetya attack in 2017. Operational technologies on board ships need protecting as much as customer data.
THE cyber attack on CMA CGM has again underlined the dangers faced by shipping from malicious actors taking advantage of an ever more digitally connected industry.
CMA CGM had already been a victim of a cyber attack last year, but the French container line is not alone.
Other notable cases include the NotPetya attack that affected Maersk in 2017, the outage at the International Maritime Organization and Mediterranean Shipping Co last year and an attack on South African ports operator Transnet earlier this year.
“There is one incident on a ship every day, and attacks on shipping have increased 900% in the three years to 2020,” said HFW global head of shipping Paul Dean. “There is a ransomware attack once every 10 seconds.”
Speaking in a webinar before the latest attack, Mr Dean said container shipping had a greater vulnerability to attack than was seen in other sectors.
“What happened on Golden Ray could easily happen on a containership from a cyber attack,” he said. “Reefers and pressurised containers are also equally vulnerable. In terms of reefers, hackers may not be interested in food, but may be in relation to chemicals and dangerous goods.
“You could imagine a stowage plan being altered and containers being put in the wrong place.”
Cyber security should be seen as a matter of seaworthiness and due diligence, in the same way that the International Safety Management Code was.
The IMO’s Maritime Safety Committee adopted Resolution MSC.428(98) in 2017 to give guidance on good practice in cyber security.
“We do have IMO MSC 428, but again compliance is not enough, the same way that a vessel being in class does not mean it is seaworthy,” Mr Dean said.
The bigger issue, however, was the commercial one.
“You have tight turnaround times in ports, so there is less time to remediate,” said Mr Dean. “The costs of delay are enormous. We need to be looking at protection against the key financial exposures.”
The solutions included undertaking a maritime cyber security review.
“One of the legal elements is that parties need to be looking at their contracts,” he said. “Do not just look at charter parties and introduce cyber clauses. Everyone needs to be looking at their supply contracts.
“Can they pass on liabilities that they are incurring in regards to cyber risk to their suppliers?”
Operational technologies on board ships needed to be reviewed as well.
“There are many high-risk systems on containerships,” he said. “The risks are real and if they are not keeping you awake at night, they should be. But the good news is that there are solutions.”