At a time when armed gangs are attacking ships navigating in the Red Sea and the Black Sea is effectively a war zone, it may seem an exaggeration to assert that hacking is arguably the biggest current threat to business continuity in maritime.
However, the maritime industry’s transformation from a niche business, isolated by low bandwidth and bespoke applications, to a high-value target with political and economic significance has brought it unwelcome attention.

Counter-measures exist, and a combination of regulatory guidance and industry standards has helped balance the odds, but this game is still weighted in favour of the attackers.
There is a broad spread between the leaders, the followers and the laggards, and it is among this last group that concern should be highest.
Until recently, the latter have relied on anti-virus software and a lot of crossed fingers, but with the odds moving in favour of the hackers, a combination of proactive protection and regulation is coming into play.
Compliance with cybersecurity regulations is still a new experience for most shipping companies. This began with the IMO 2021 additions to the ISM Code, which were a guide to best practice rather than a regulatory baseline. The TMSA and SIRE standards call for higher burdens of proof, but these are market sector-specific.
The US Coast Guard is set to introduce regional measures and IMO has cyber on its agenda for future regulation, but in the meantime, the newest rules on the block are the IACS Unified Requirements E26 and E27.
UR E26, which provides mandatory cybersecurity baselines for new builds, with a companion regulation E27 for shipboard systems, is arguably the first example of tangible standards for cybersecurity, but only represents a relatively low bar in terms of compliance requirements.
Their application to newbuildings alone poses an important question: why would owners apply cyber protection regulations only to these vessels if they have one- or two-year-old assets of similar value on the water, presumably with similar risk profiles?
Of course, bodies including Class Societies offer notations and guidance for existing ships, but the concern will always be that items which are not mandatory do not get prioritised.
Why are they not protecting their existing assets to the same extent or higher? Asset values will be similar, cargo risk the same or higher, and the balance sheet and business continuity impact from a successful attack would be the same or greater.
As the old Andorran goat herder’s saying has it: “A man with two houses doesn’t leave one unlocked to protect the other.”
By applying the IACS minimum standards only to newbuildings and not to their existing ships, owners are taking on additional risk rather than reducing their risk profile overall.
The ability of Houthi rebels to target ships they believe are directly linked to their enemies illustrates the ease of accessing data on fleet ownership and deployment. There are fewer and fewer places to hide.
The pressure to apply similar measures to existing ships is likely to grow, with charterers and insurers best placed to exert pressure on vessel owners to ensure that compliance is consistent across the fleet.
In reality, they will have to go further. The provisions within the IACS URs are not without their critics, who fear that box-ticking rather than positive action is driving compliance. This overlooks the reality that obtaining consensus within IACS, as in many similar organisations, is about compromise.
The growing pressure for cybersecurity enables shipping companies to meet the baseline standards and frees them to go further, adopting more rigorous approaches in terms of technology, training, procedures and awareness.
The evidence from tried and tested industry standards is that they can embed cyber risk awareness within the supply chain and make it a condition of doing business.
Owners will have to face the uncomfortable truth that to retain their status as reputable, investable operators, they will need to implement an in-depth cyber audit across their fleets, using UR E26 as a starting point, but not an end point.