Two contrasting initiatives place into sharp contrast the maritime industry’s cyber security preparedness.
October in the United States was designated ‘National Cybersecurity Awareness month’. In a well-written blog posted on the US Coast Guard’s website, Lt Amy Midgett details the “important contributions the 43 Area Maritime Security Committees make at local levels to address cyber threats and vulnerabilities.”
In her piece, Lt Midgett lauds various activities undertaken in northern New England, the Sault region, Hawaii, American Samoa and Charleston. Among the highlights were Charlston Area Maritime Security Committee’s collaboration with members from the White House National Security Council, Army Cyber Command, National Cyber Center of Excellence and the US Coast Guard Cyber Command to assist in efforts related to cyber prevention, protection, response, recovery and resilience within the maritime domain.
Additionally, the cyber subcommittee led efforts in leveraging Port Security Grant Program funds to establish a maritime-based cyber information-sharing portal through a newly formed AMSC member-sponsored Maritime Transportation System-Information Sharing and Analysis Organization (MTS-ISAO). The MTS-ISAO delivers cyber solutions through routine multi-agency and multi-industry collaborations on emergent cyber security and response topics, and implements cutting-edge, cost-conscious and user-friendly technical solutions. This project will greatly improve the region’s maritime logistics supply chain cyber risk management posture both in policy and in practice.
Contrast this optimistic and joined up outlook with the findings of the inaugural Maritime Cybersecurity Survey conducted by New-Orleans based law firm Jones Walker.
Of the 126 senior maritime executives polled in a survey by Jones Walker, only 36% said their business is prepared in the event they face an attack.
92% of small companies and 69% of mid-size company respondents confirmed they have no cyber insurance,” the report said. Larger companies reported having insurance but the survey also revealed that larger companies were the primary target for attacks.
“The [survey] provides evidence of a worrying level of complacency among maritime industry operators about cyber attacks,” said Tulane University Maritime Law Center director Martin J Davies.
“Although the financial consequences of data breaches can be crippling, the survey shows that few in the maritime industry are adequately prepared to guard against them, or to respond effectively if an attack occurs. The survey shows unequivocally that action in relation to cyber security is urgently needed, by both industry and political leaders.”
Co-author of the report Andrew Lee goes further. There are 50,000 ships worldwide and hundreds of major ports. By many estimates, shipboard electronic systems are 20 years behind office-based systems and those of competing industries. Meanwhile, the maritime industry is suffering from a strong bias in favour of protection and physical security rather than information and cyber security. This will be difficult to overcome.
So, what’s the bottom line? Well perhaps Mr Lee puts it best. Thematically, a change in approach to the problem needs to occur: stakeholders need to recognise that cyber is not an IT issue; it is an operations issue. A cyber threat is a business risk; if the attitude does not align to acknowledge this, cyber security will not get the organisational attention needed.
Practically, an important first step is to inventory electronic systems. Companies need to know what is in use, and how their operations are visible to the internet and vulnerable points of entry. Only one of those is needed for a devastating breach to have a crippling effect.