The alarm bells have been ringing for years, from a cyberattack on the state-owned Islamic Republic of Iran Shipping Lines to organized crime hacking the port of Antwerp.
But it took a June 27 ransomware attack on Maersk Line that crippled its terminal arm and prevented new bookings to bring home the scope of the danger posed to the container shipping industry. The inclusion of Maersk Group in the attack that hit pharmaceutical giant Merck, the Ukrainian government, TNT Express, and other companies shows that the scale of risk to the maritime industry is global.
The hand-wringing over the coming weeks will amount to much talk and little action if the industry does not come to grips with its limitations in preventing future attacks. Just as painful is the need for beneficial cargo owners (BCOs) and transportation providers to accept that, despite their best efforts, there is no guarantee future cyberattacks can be prevented, putting malicious digital disruption on a list that includes severe weather, piracy, and labor action.
First, the industry needs a strategy, as there is none for how to prepare for and respond to cyberattacks, according to the Brookings Institution and the European Union Agency for Network and Information Security. The International Ship and Port Facility Security Code gives guidance on how to secure computer systems, but how it defines the systems is inconsistent and lacks clarity, Canada has pointed out. The International Maritime Organization approved Interim Guidelines on Maritime Cyber Risk Management last year, but as the name suggests, they are voluntary, not mandatory, noted Norma Krayem, a senior policy adviser at legal firm Holland & Knight, in a January report.
It is a little more promising on the US port side. The US Coast Guard will soon release highly anticipated policy guidance that will begin moving the agency’s oversight of cyber risk from awareness and recommendations to actual regulations, Paul Thomas, the assistant commandant for prevention policy of the Coast Guard, said at a shipping conference in Stamford, Connecticut, in March, according to Fairplay, a sister product of JOC. “This new phase beyond awareness is focused on the basic components of governance that we can all use to get at the risks associated with the operations and maintenance of existing cyber systems, and can help mitigate the risks inherent in these systems because of how they were designed and integrated into your ships before you were focused on cyber,” Thomas said.
More money is needed to help US ports beef up their cybersecurity. Roughly $100 million annually is shelled out to ports nationwide, but that is not enough to expand the focus from the physical to the digital. The American Association of Port Authorities estimates ports need at least $400 million annually.
Container lines also need to step up. Although carriers became aware of the cyberattack threat over the last 12 to 18 months, there is still reluctance to dig into the state of their protections and then shore them up as needed, said Lars Jensen, co-founder of CyberKeel, a cybersecurity services provider to the maritime industry. “This is a situation which is incongruent with the strong drive toward automation and digitization in the industry,” he said.
But just as a lack of money has prevented carriers from adopting the digitalization BCOs clamor for, the industry’s deep losses, along with the resource drain from the latest wave of consolidation and new alliances, have made it hard for them to upgrade their systems for protection against cyber threats.
This is not an excuse, but context that shows that until the container line industry gets on better financial footing, the level of service and ability to keep operating while fending off cyberattacks will be in question. In fact, carriers’ ability to fend off cyberattacks and ensure BCOs’ delivery of their containers could become a competitive edge. It is all the more a pity that Maersk Line’s effort to lead the industry into digitalization has been besmirched by the dark side of the data revolution.