Report Sounds Cybersecurity Alarm

“The U.S. maritime industry is not prepared for future cyber-attacks,” maritime law firm Jones Walker LLP has warned in a new survey and report released October 23.

The report comes a year after the most severe cyberattack publicly reported on a maritime or shipping company. Last year, global shipper Maersk was hit by the so-called “NotPetya” attack, ultimately traced to Russian hackers targeting Ukraine. At the time, Maersk reported that the attack, which may have been collateral damage (meaning Maersk was not the primary intended target), nevertheless cost it about $300 million. In January, Jim Hagemann Snabe, chair of parent company Møller-Maersk, speaking at a maritime conference, revealed that the attack required reinstalling 4,000 new servers, 45,000 new PCs, and 2,500 applications—a completely new IT infrastructure—within a 10-day period.

The results of the Jones Walker survey, called the Maritime Cybersecurity Survey, were announced at the Marine Technology Society and IEEE Oceanic Engineering Society’s OCEANS conference held October 22–25 in Charleston, S.C.

The Jones Walker survey’s key findings include:

• The U.S. maritime industry is being targeted. Nearly 80 percent of large U.S. maritime industry companies (more than 400 employees), and 38 percent of all industry respondents reported that cyber attackers targeted their companies within the past year. 10 percent of survey respondents reported that the data breach was successful, while 28 percent reported a thwarted attempt.

• There is a false sense of preparedness in the U.S. maritime industry. 69 percent of respondents expressed confidence in the maritime industry’s overall cybersecurity readiness, yet 64 percent indicated that their own companies are unprepared to handle the far-reaching business, financial, regulatory and public relations consequences of a data breach.

• Small and mid-size companies are far less prepared than larger companies to respond to a cybersecurity breach. 100 percent of respondents from large organizations indicated they are prepared to prevent a data breach, while only 6 percent of small company (1 to 49 employees) respondents and 19 percent of mid-size company (50 to 400 employees) respondents indicated preparedness.

Andy Lee, a partner with the Corporate Compliance and White Collar Defense Team at Jones Walker who helped develop the report, said the results were sobering. Lee spoke on cybersecurity at the Greater New Orleans Barge Fleeting Association (GNOBFA) conference in New Orleans earlier this year.

“We now want [our clients] to be ready to address what we believe is among the most important 21st century challenges they face—cybersecurity readiness. We view cyber compliance as the natural next chapter of our historic partnership with the industry,” said Lee in a press release accompanying the report.

Cyber Insurance

The survey found that small and mid-size companies lack even the most fundamental protections, exposing them to huge potential losses. 92 percent of small company respondents and 69 percent of mid-size company respondents confirmed they have no cyber insurance. In contrast, 97 percent of large company respondents have cyber insurance coverage.

“There is a real disconnect between how [maritime] stakeholders view the maritime industry’s overall preparedness level versus how they see their own shops,” said Lee. “By and large, they view the industry as prepared, but their own companies as unprepared. That is like saying my neighborhood is safe, but my house is a hotbed of crime.”

In a follow-up with The Waterways Journal, Lee said that while security issues are addressed when companies upgrade their IT infrastructure, few companies have a separate budget line specifically for cybersecurity.

Many maritime companies have systems that include outdated “legacy” software that can no longer be patched, said Lee. Hacking tools that can scan the entire internet for vulnerable spots, such as outdated software or unprotected systems, are now publicly available to anyone.

In response to the question of what companies can do, Lee said, “Thematically, a change in approach to the problem needs to occur; stakeholders need to recognize that cyber isn’t an IT issue, it’s an operations issue. A cyber threat is a business risk; if the attitude doesn’t align to acknowledge this, cybersecurity won’t get the organization attention that is needed. Practically, an important first step is to inventory electronic systems. Companies need to know what is in use, and how their operations are visible to the internet and vulnerable points of entry. Only one [attack on a vulnerable point] is needed for a devastating breach to have a crippling effect.”

The survey can be downloaded at www.joneswalker.com.