Robert Mueller, former Director of the FBI famously said in 2012 “There are only two types of companies: those that have been hacked, and those that will be.”
This is no less true of the shipping industry, which appears to have very little appetite to address the issue of cybersecurity whilst the market is weak.
In truth, very little is known about the threat as like any industry there is very little incentive to admit that you have been a victim of hacking for fear of upsetting investors, charterers, insurers and even staff.
In the absence of any historical data, there is a danger that the industry could underestimate the threat or even become complacent.
With 90 per cent of world trade going by sea, the publication of BIMCO’s cybersecurity guidelines for the shipping industry in January this year was a welcome step forward for an industry that holds such environmental and commercial responsibility.
The size of the industry naturally makes it an attractive target for would by attackers. Here are just a few of the threats that we know exist already:
- In 2013 a team of hackers broke into the navigation technology used by 400,000 shipping vessels worldwide, even ‘moving’ a real tugboat from the Mississippi to a lake near Dallas.
- Fake GPS signals have been used to override real GPS signals and send an $80 million yacht off course
- Tech-savvy pirates could hack a ships “black box” to track its movements and even listen directly to conversations on the bridge
- Hacking into data about a ship’s cargo means that tech-savvy pirates can seek out and locate their spoils using bar codes, sometimes planning a raid many months in advance
Not to mention threats from within the vessel or shipping company itself.
The below table from BIMCO’s guidelines lays out some of the motivations for cyberattack and the related objectives.
|Activists, including staff||Reputational damageDisruption of operation||Destroy dataPublish sensitive informationMedia attention|
|Criminals||Financial gainCommercial espionageIndustrial espionage||Sell stolen dataRamson stolen dataRansom system operationsArrange frauduldent transport of cargo|
|Opportunists||The challenge||Getting through defencesFinancial gain|
|StatesState sponsored organisationsTerrorists||Political gainEspionage||Gain knowledgeDisrupt economiesDisruprt vital infrastructure|
Part of the problem with presenting a coordinated response for the industry is that by their very nature cyber threats will be varied and aimed at achieving different things.
Furthermore, approaches to dealing with it will need to be company, even ship specific, but the first step might just be admitting that it is a threat and that we can’t afford to wait for something to happen before it’s taken seriously.
Individually, escalating the issue away from the IT desk to the board room would be a sober recognition that cybersecurity is not just a ‘technical’ issue but one that also effect finances, operations and reputations equally.
As an industry, it stands to threaten not just the reputation of individual companies but all of us.
Download the MTI Network Special Report on Maritime Cybersecurity (January 2016) here.