Tackling a growing cybersecurity threat in an increasingly connected industry

Tackling a growing cybersecurity threat in an increasingly connected industry
14/12/2024 https://www.hellenicshippingnews.com/tackling-a-growing-cybersecurity-th...

As shipping continues to embrace digitalization, the threat of cyber-attacks has never been higher. Stakeholders across the maritime industry are making moves to protect their assets, but DNV experts warn that many are underestimating the scale of the threat and should take extra steps to protect their assets.

The digitalization of the maritime industry is in full flow. Shipowners, ports, cargo owners and many other stakeholders throughout the value chain are increasingly utilizing connected digital technologies to make shipping greener, safer and more efficient. However, DNV’s new Maritime Cyber Priority report highlights that this also introduces new cybersecurity risks, which need to be managed to enable decarbonization, improve efficiency of operation and protect human life and the environment.

A survey of almost 500 maritime professionals

Building on insights from the first edition of this report in 2023, DNV’s new global report, Maritime Cyber Priority 2024/25: Managing cyber risk to enable innovation, explores changing attitudes and approaches to cyber security in the maritime sector. The research is largely based on a survey of almost 500 maritime professionals, with even deeper insights harvested through in-depth interviews with experts from Wärtsilä, Seatrium and DNV.

The survey included a wide range of cybersecurity expertise, from cybersecurity professionals to shipbuilders, offshore operators and transport specialists. Survey respondents are based in Europe, Asia, the Middle East, Africa and the Americas.

Scale and frequency of cyber-attacks increasing

The survey highlighted several key issues in maritime cybersecurity. Notably, cyber-attacks are rising rapidly. About 31% of maritime professionals reported at least one cyber-attack in the 12 months leading up to October 2024, up from 17% over the previous five years.

Cyber awareness in growth

This increasing cyber threat is causing concern at the highest levels of the maritime industry. Seven in ten (71%) of those surveyed believe their organizations’ industrial assets are more vulnerable to cyber-attacks than ever before, while the same proportion (71%) say the leaders of their organizations consider cybersecurity to be the greatest risk their business faces.

This heightened awareness has led to increased levels of preparedness and investment in cybersecurity has grown significantly over the past year. Almost three quarters of maritime professionals (73%) report that their organization is increasing cybersecurity spending compared to last year.

Shipping companies will continue to innovate, despite the cyber threat

The increasing digitalization of the maritime industry is unlocking a range of new opportunities, helping to drive decarbonization efforts. Survey respondents point to advanced data analytics, the internet of things, AI and machine learning, high-bandwidth satellite communications and autonomous operations as presenting the greatest opportunities for their businesses in the coming years. However, this is also creating more opportunities for cyber criminals.

While increased digitalization and connectivity makes shipping companies more vulnerable to cyber-attacks, this is unlikely to be a reason for them to slow down. In fact, the majority (61%) of maritime professionals believe the industry should accept increased cyber risk from digitalization if it enables innovation and new technologies, a figure that is notably higher than other critical infrastructure industries like energy and healthcare. This figure was even higher (64%) for maritime executives.

Rapid innovation heightens cybersecurity needs

As digital innovation continues, the need for strong cybersecurity grows. Experts recommend involving cybersecurity professionals early in newbuild projects to safely integrate new technology. However, this practice is not yet widespread, causing issues at a later stage.

“The failure to incorporate cybersecurity into the early stage of new projects and initiatives leaves the industry scrambling to address the problem later on,” warns Svante Einarsson, Head of Maritime Cybersecurity at DNV Cyber. “Retrofitting security measures is also more time-consuming and costly than embracing security by design.”

One of the key recommendations of the report is for maritime companies to see cybersecurity as an enabler of innovation, instead of an obstruction, providing a framework of security when stepping into the digital future.

The overconfidence and under-preparedness trap

There are clear signs that awareness around cybersecurity is on the rise, and this is largely being matched by increased investment. However, success is not guaranteed. The widespread failure to integrate cybersecurity into processes shows that the industry’s confidence in managing risk might be overestimated.

While many organizations might feel like an increased allocation of resources makes them more prepared, the complexity of the risk, and the sophistication of adversaries, complicates the picture significantly.

Many maritime organizations not ready to handle cyber risks and incidents

Many organizations may not even be at the initial, “detection” stage of readiness when it comes to recovering from a cyber incident. “Our experience is that maritime organizations are not as ready to detect or handle a cyber incident within the OT domain as they might think,” says Einarsson.

This is backed up by some worrying findings from the survey. While more than eight in 10 (85%) say their organization has a good cybersecurity posture, 76% say that the cybersecurity training that their organization provides is not advanced enough to protect against sophisticated threats.

Creating a cybersecurity culture

As highlighted in the report, all maritime companies can attain a greater cybersecurity posture by building cybersecurity resilience into their company culture.

Many in the industry see cyber incidents as a problem for their cybersecurity team to resolve, but this underestimates the seriousness of the threat, particularly considering the safety implications of infrastructure that is disabled or malfunctioning. This also excludes professionals who could make a significant contribution to overall resilience. Critical professionals such as ships’ masters and chief engineers, as well as the broader crew, are invaluable to cyber defence. However, they need training and support to fully utilize their skills and experience.

Staying ahead of the curve

Creating a more vigilant cybersecurity posture requires training which is sophisticated and in line with the latest threat levels. Even if this is achieved, this is not a challenge that remains “fixed”.

“Cybersecurity is turning into an arms race as adversaries improve their capabilities when they encounter an obstruction,” says Einarsson. “This means that the sophistication of their methods might outstrip their targets’ ability to respond.”

High expectations for AI to support cybersecurity, but implementation cu

Aside from ensuring that training stays ahead of the curve, this also means that companies need to ensure that their cyber technology stays ahead of adversaries. Bad actors are already using tools like AI to their benefit, so maritime companies should also be investigating how they can utilize this to create stronger cybersecurity defences.

Recommendations for greater cybersecurity in shipping

In addition to advocating enhanced training and culture, an acceleration of technological capability, and the importance of reimagining cybersecurity as an enabler of innovation, DNV’s Cyber Priority report list some other key recommendations to the shipping industry for a stronger cybersecurity posture.

Top of the list is boosting collaboration and transparency across the supply chain. Only 53% of those surveyed are confident their organization can demonstrate full visibility of their supply chain.

“We strongly recommend all stakeholders to demand more insights and visibility from suppliers,” says Einarsson. “This will be supported by IACS UR E27 for safety critical systems onboard newbuilds. However, for other systems, and for ships in operation this needs to come as a demand from shipowners and ship managers as part of their cyber risk management.”
Sharing best cyber practices throughout the maritime industry

The report also highlights the need to exchange information and best practices throughout the industry, including sharing details of critical incidents, attacks, and near misses. “Sharing knowledge and skills will help to address the knowledge gaps that so many organizations say obstruct compliance and their overall readiness,” says Einarsson.

Finally, while maritime companies are encouraged to keep up with regulations, they should not equate this with protection from cyber-attacks.

“Stakeholders should be seeking to go even further than compliance. In doing so, they will strengthen the resilience of their business and build trust among their partners,” says Einarsson.

Safeguarding the future of the maritime industry

The cyber threat is unlikely to ease off any time soon. According to the report, 37% of maritime professionals expect to face more cyber-attacks in the next 12 months compared to the last 12 months.

Understanding this risk, and embracing the means of containing it, will help shipping companies to maintain their course of digital innovation, providing the framework for the future success of the maritime industry.

Source: DNV, https://www.dnv.com/expert-story/maritime-impact/tackling-a-growing-cybe...