Plain sailing for maritime cybersecurity?

Cybersecurity has become a top priority in all industries, and the maritime sector is no exception. Unfortunately, it’s still seen as an “easy target” for cyberattacks. But there’s good news on the horizon – a new way to measure cybersecurity risks has been developed, which could change the game.

The American Bureau of Shipping (ABS), a maritime classification society founded back in 1862, has introduced a new methodology to assess cybersecurity risks related to operational technology. This approach provides marine and offshore clients with a calculated risk index for vessels, fleets, and facilities that offers a clear, actionable strategy to reduce cyber risks on board.

Up until now, most cyber risk assessments were predominantly qualitative: focusing on threats, vulnerabilities, and potential consequences. While these elements were useful, they weren’t exactly easy to measure or quantify. “With assets becoming increasingly complex and comprising several interconnected control systems, it was critical to develop a simple, quantifiable method to measure cyber risk,” says ABS chairman, president, and CEO Christopher Wiernicki. “The ABS functions, connections, and identities (FCI) Cyber Risk model gives owners and operators a straightforward way to understand their existing cyber risks and a concrete strategy to reduce them.”

Using its FCI model, ABS can now calculate a cyber risk index for a client’s individual assets or entire fleets. The resulting report offers actionable steps to reduce cyber risk, allowing clients to effectively target their cybersecurity investments across their assets. This new method evaluates not only the operational systems and connections of a vessel, but also the human and machine identities involved, clearly outlining the level of cyber risk exposure. “This is data-driven decision-making in action,” emphasises Wiernicki. “With the results of the FCI Cyber Risk process, clients can apply a cost-effective risk mitigation strategy across their assets and fleets.”

This development follows ABS’ two-year research contract with the Maritime Security Center – a US Department of Homeland Security Center of Excellence – led by Stevens Institute of Technology and the US Department of Defense. The research objectives included:

• Better defining risk-based performance standards.
• Developing a maritime-specific framework for cyber policy.
• Identifying critical points of cybersecurity failure.
• Creating design requirements for a maritime cyber testbed.
• Investigating quantitative analysis tools to determine the effectiveness of cyber detection and deterrent strategies.

“Safety has always been at the heart of ABS’ mission, and our revolutionary cybersecurity approach is another way we’ll continue to deliver on our objective in the future,” says Wiernicki. “For ship owners and operators, this method not only helps them understand their current risk exposure, but also provides an actionable roadmap for improving it. The FCI Cyber Risk model is a significant step forward in safety for the entire maritime industry.”

This is crucial, as the latest research from global sector-focused law firm, HFW, and maritime cybersecurity company, CyberOwl, shows that the maritime industry is still an “easy target” for cybercriminals. The report, “Shifting Tides, Rising Ransoms and Critical Decisions: Progress on Maritime Cyber Risk Management Maturity”, reveals that the average cyberattack in the maritime industry now costs the target organisation US$550,000 – up from US$182,000 in 2022. It also shows that ransom demands have increased by over 350%, with the average ransom payment having risen from US$3.1 million in 2022 to US$3.2 million.

“While maritime cybersecurity has improved over the past decade, the industry remains an easy target. Shipping organisations are facing more cyberattacks than ever before, and the costs of attacks and ransom demands have skyrocketed. As technology continues to expand across all aspects of shipping – from ship networks to offshore installations and shoreside control centres – so does the potential for cybersecurity breaches,” says Tom Walters, a partner at HFW.

“Maritime operational technology and fleet operations management are now almost entirely digital, meaning that a cyberattack could compromise anything from vessel communication systems and navigation suites to the systems managing ballast water, cargo, and engine monitoring,” Walters continues. “A failure in any of these systems could leave a vessel stranded, and we all saw the impact of such an event on global supply chains with the Ever Given (at the Suez Canal). This is a critical issue for everyone involved in shipping and it’s clear that the industry has to do more to protect itself against cyberattacks.”

“The good news is that the conversation on vessel cyber risk management has clearly shifted from ‘why’ to ‘how’. There’s less scepticism about the need to manage the risk and more thoughtfulness about how best to invest in strengthening defences,” notes CyberOwl CEO, Daniel Ng.

“The challenge for change agents in shipping is that they’re dealing with new risks in a new domain, under sector-specific constraints. All this is happening in an environment where shipping companies are still too secretive to share benchmarks and best practices widely. The sector needs to make the most of the specialist expertise available, and those with maritime cybersecurity knowledge need to do more to share insights and best practices,” he adds. “What works in other sectors may not work in shipping. Applying a generic approach could lead to expensive mistakes.”

The report – conducted by the maritime technology research agency, Thetius – is based on a survey of over 150 industry professionals, including C-suite leaders, cybersecurity experts, seafarers, shoreside managers, and suppliers. “Our research shows that the industry has improved dramatically in a short time, but it also shows that cybercriminals are evolving even faster. The costs of cyberattacks are growing. The impact of exploiting a single easy target in the global supply chain means the entire maritime industry needs to raise the bar,” warns Nick Chubb, MD of Thetius. 

So, in a sea of rising cyber threats, the maritime industry must anchor itself with robust defences to ensure smooth sailing and steer clear of hackers’ storms.