Shipping displays ‘immaturity’ in its response to cyber security threats

IN this candid podcast, Bureau Veritas Marine and Offshore’s cyber security technical leader Panagiotis Anastasiou outlines his concerns about what he views as shipping’s limited approach to cyber security and a need for increased awareness of its importance.

His career-long knowledge and experience of cyber security arrangements in the aerospace sector — particularly with satellite technology — gives him an authoritative overview of cyber security and, for an industry that has autonomous vessels in development, he had expected to find shipping to be very advanced in its cyber security implementation and attitudes. Instead, he found that was not the case.

His remarks include an example of a recent incident in which a service provider’s systems were compromised, affecting at least 120 ships. The breach was subsequently repaired but the full story prompts Anastasiou to observe that “we fall in the same hole again and again”.

He says this is because of limited efforts to prepare for cyber security difficulties. In contrast to shipping’s approach, cyber security is the starting point when satellite systems are designed, he says. Controls, procedures and governance are built on that foundation, with ground infrastructure and component design following on. This approach should be common to all industries, including marine, he says.

He acknowledges that maritime regulations now apply to cyber security which make it mandatory to take precautions, but he believes that shipowners and their system suppliers should go further.

Attitudes must change

So, he explains in the podcast that attitudes must change and he outlines some ideas about how cyber security awareness could be strengthened by better – and repeated – education and cyber drills that are backed up by companies’ tested policies on how to respond to cyber security incidents.

He goes on to describe how a cyber attack on a vessel might be triggered by an attack on shoreside systems, given the growing connectivity between ship and shore and vice versa. Not only that, but the implications of a maritime cyber attack can extend far beyond the company itself, since any resulting operational delay could have an impact on an entire supply chain.

Class societies have addressed cyber security concerns by developing two Unified Requirements — UR 26 and UR 27 — and Anastasiou was a member of the International Association of Classification Societies (IACS) Cyber Systems Panel that developed them.

But he suggests in the podcast that these should be viewed as starting points for class societies to evolve requirements to match the pace of change in technology. As a response to his remarks, he encourages listeners to conduct internal assessments of their own cyber security and to reach out to their class societies for guidance to improve their resilience.