Growing cyber risk means owners should get ready for more
Navigating Cybersecurity Challenges in Shipping
The maritime industry is facing an escalating threat from cyber incidents. As shipping becomes more interconnected through digital technologies, the risks associated with cybersecurity have grown significantly. Shipowners must navigate a complex landscape of regulations and emerging threats to protect their assets and operations. Angeliki Zisimatou, Director of Cybersecurity at ABS, emphasizes the importance of informed decision-making in this evolving environment.
The Growing Threat of Cyber Incidents
Cyber incidents in the maritime sector are on the rise, both in frequency and complexity. Historically, the shipping industry felt insulated from cyber threats. However, the introduction of new digital technologies and connectivity has changed that perception. Shipowners now face a reality where cyber attacks can disrupt operations and compromise sensitive data.
To combat these threats, various regulations have emerged. Industry-led initiatives have prompted the implementation of new guidelines, but a unified global standard is still lacking. Shipowners must stay abreast of recent regulations while anticipating future developments in cybersecurity frameworks.
New requirements from the International Association of Classification Societies (IACS) are being introduced, along with rules from the US Coast Guard for US-flagged vessels. Additionally, guidelines from the European Maritime Safety Agency (EMSA) and the Baltic and International Maritime Council (BIMCO) are either in place or forthcoming. The International Maritime Organization (IMO) has also recognized the importance of cybersecurity, planning to revisit the topic in upcoming discussions.
The response to these challenges varies significantly among operators. Larger companies often invest heavily in cybersecurity measures, establishing dedicated Security Operations Centres and cyber teams. In contrast, smaller operators may lag in their preparedness and assessment processes. This disparity extends to vendors and shipyards, where larger entities often adhere to established standards while smaller ones struggle to keep pace.
Understanding and Managing Cybersecurity Risks
One of the primary challenges for maritime operators is the need for a risk-based approach to cybersecurity. Most maritime regulations tend to be prescriptive, which can lead to compliance without necessarily ensuring security. Many vessel operators mistakenly believe that being “air-gapped” from the internet or using minimal connectivity sufficiently mitigates their risk. This assumption overlooks the fact that a significant percentage of cyber incidents are attributed to insider threats, often stemming from employees.
To manage cybersecurity risks effectively, all operators should start from a common baseline, and nothing restricts them from going beyond it. At a minimum, every operator should develop a risk management plan that identifies their assets, vulnerabilities, and necessary mitigating actions.
A critical component of this plan is addressing the human factor. Crew training is essential, as many crew members lack awareness of cybersecurity risks and have not received adequate training. The confusion surrounding cybersecurity products and solutions further complicates the decision-making process for operators. By providing more resources and information, classification societies can help shipowners better understand the cyber risks they face and make informed choices.
The Path Forward: Enhancing Cybersecurity Measures
Moving forward, vessel operators must not rely solely on regulatory controls to feel secure. While these regulations provide a foundation, operators must recognize the need for additional measures. This commitment to enhanced cybersecurity will require ongoing investment and resource allocation.
The maritime industry would benefit from a system for anonymized reporting of cyber incidents. Such a system would allow operators to share experiences and risks, similar to the ship safety database developed by ABS and Lamar University. The US Coast Guard already mandates some level of information sharing regarding cyber incidents, indicating a trend that is likely to continue.
As new technologies emerge in shipping, operators must also consider the cybersecurity implications. Innovations like machine learning, the Industrial Internet of Things (IIoT), and blockchain present exciting opportunities but also introduce risks that require careful evaluation. The potential for artificial intelligence in shipping is promising, but users must understand how it can be exploited for malicious purposes.
In this era of heightened cyber threats, the role of classification societies as impartial advisors is more crucial than ever. ABS, for instance, is updating its cybernotations for both new and existing vessels. This initiative aims to help operators comply with multiple standards based on their specific needs.
Cyber incidents are increasingly viewed as inevitable, and the maritime industry must prepare accordingly. The collective responsibility of classification societies is to help defend the shipping industry against these threats, a commitment that is taken seriously by organizations like ABS.