Cyber risk management: four myths to bust

Maritime and supply chain operations increasingly rely on digitization to gain efficiencies and competitive advantage. Fourth Industrial Revolution (4IR) technologies – the ongoing automation of traditional manufacturing and industrial practices – are already bringing tremendous economic and societal benefits to much of the global population.

Digitization increases cyber risks. According to the World Economic Forum Global Risks Report 2020, cyberattacks will be the second greatest risk to business over the next ten years. Maritime and logistics business leaders, too, recognize the need to manage cyber risk, yet many fall under the sway of four common myths about cyber-risk and its management.

Cyber risk management is the process of identifying, analyzing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders.

Myth 1

Virtual world = Virtual damages

In the 21st century, physical and cyber are interconnected. Early romantic narratives depicted the World Wide Web as a virtual space, but the internet is not just for a Netflix binge. Many complex and business-critical functions are already online, and Internet-of-Things (IoT) technologies will further erase cyber-physical distinctions.

Cyberattacks or malfunctions in Operational Technologies (OT) can have kinetic impacts. The world’s first cyberattack that stealthily destroyed industrial machinery was exposed in 2010. In the maritime business, OT coupled with Information Technology has been transformed into cyber-physical systems. Consider the Truck Positioning System (TPS), Load Collision Prevention System (LCPS) and other subsystems that underpin automated container handling in port terminals.

Cyber malfunctions, intentional or accidental, can cause physical damage, bodily harm, and environmental pollution.

Furthermore, the ransomware epidemic demonstrates the most common type of damage. Criminal organizations use unsophisticated cyber breaches to infect standard corporate systems such as Windows PCs and servers with malware. Then they lock the data and demand a ransom for the decryption key. This threat is already widespread and continues to grow.

No business, whether large or SMB, can afford to ignore downtime, physical malfunctions, and their direct and secondary costs anymore.

Myth 2

No one would bother targeting my logistics business

Management often deludes itself with the comforting misconception that its business is unlikely to be cyberattacked. The media feed this myth with reporting on high-end and high-profile cyberattacks: malware stealthily destroying nuclear centrifuges in Iran, massive cyber theft of U.S. Office of Personnel Management data, or leaking celebrities’ private photos. The common reasoning goes: “I’m an esoteric, obscure business. I don’t hold sensitive data or intellectual property. Why would the bad guys waste their time on hacking me?”

Two clear trends – ransomware and supply-chain attacks – show that every business is a worthy target.

Ransomware campaigns typically aim to infect as many networks as possible. The bad guys automate the exploitation of known IT vulnerabilities at internet scale. In this ransomware model, the attackers’ cost of paralyzing your operations nears zero.

Supply-chain attacks have always distinguished effective hackers. Going directly after a secured port facility is too hard. Hitching a ride on a much more lightly defended third-party provider allows them to bypass several layers of defense. Thus, your business may be a lucrative target because of whom you work with.

Myth 3

Cybersecurity is a technological problem

Technology creates cyber risks. Fully relegating cybersecurity to the IT realm has long been the default cybersecurity approach in most companies. In the maritime sector, safety-related technical standards such as ISA/IEC 62443 strengthen this tendency.

But cybersecurity is an enterprise-wide risk management issue. Managers and directors must work with and guide cybersecurity professionals, just as they do with their operations, finance, and HR teams. Strategies for resilience – to sustain business operations during a cyberattack, recover quickly in its aftermath, and evolve to a higher state to thwart the same threat vectors in the future – are the duties of senior leadership. Company leaders need a clear understanding of the fundamental components of cybersecurity and resilience. Business leaders need not become cyber experts, but they must be able to ask the right questions.

(See our elaborated “Cyber is not (just) an IT problem” post/whitepaper for a deeper dive)

Myth 4

My business cannot afford better cybersecurity

Pricey technology offerings are widespread in the commercial cybersecurity market. Moreover, sixty-nine percent of corporate leaders say that cybersecurity cost increases are unsustainable. Many businesses, in particular smaller ones, conclude that better cybersecurity is a lost cause.

A decade of empirical data demonstrates that the vast majority of successful cyberattacks are technically simple. In 2020, sixty-seven percent of all breaches came from three attack types: credential theft, errors, and social attacks.

Thus most threats can be mitigated using less advanced but effective methods. The Essential Eight Maturity Model presents prioritized mitigation strategies, predominantly utilizing tools already built into your software. Organizations that develop and sustain basic cyber hygiene have outperformed the competition. While your business cannot afford many of the cybersecurity products, it also does not necessarily need them.

A better way towards maritime cyber-risk management

All is certainly not lost, and debunking these four myths is a good start. The maritime business enjoys a latecomer’s advantage: other commercial sectors such as banking and financial services have long since experienced digital transformation and hard lessons learned elsewhere have proven value. It is said that experience is the best teacher. We at Cyberstar slightly amend this in our advice to maritime business leaders: in cyber-risk, let the experience of others be the best teacher. Use it to leapfrog over many of your firm’s cyber risk management gaps. Stay tuned for constructive, timely, and topical advice on maritime cyber-risk management in upcoming posts.
