DNV Country Manager for Namibia, R. Bertrand Albert, says that despite all the controls that shipping businesses can put in place to protect their organizations, it remains extremely difficult to contain a breach within a connected enterprise.
Albert spoke during the Erongo Offshore Safety Conference at Swakopmund, organised by the Namibian Association for Offshore Gas and Oil Service Providers.
His presentation was on protecting critical infrastructure from cyber threats, including ransomware and data breaches in automated systems.
DNV offers advisory services through DNVCyber and second-party support through CyberOwl.
It has over 500 cybersecurity experts, of which 70 are dedicated to maritime cybersecurity.
The company also has a dedicated team of accredited hackers to test the effectiveness of industrial cyber protection systems.
Albert said in 2017, shipping majors like Cosco, MSC and CMA CGM experienced high-profile attacks, with a flurry of incidents in the early 2020s taking e-commerce platforms and vital data centres offline.
He recounted the 2017 NotPetya attack on the Maersk fleet, which cost US$300 million.
According to Albert, DNV experienced a ransomware cyber-attack on the servers of its ShipManager software in January 2023, and other organizations serving the maritime industry, such as the International Maritime Organization (IMO), have also been targeted.
He said the Port of Los Angeles recently announced that it records twice as many attacks as it did just a few years ago and must now contend with 40 million ransomware, malware and spear-phishing incidents each month.
In April 2023, he said an attack on the industrial control systems of Fincantieri Marine Group – a shipbuilder with ties to the US government – left critical manufacturing equipment unusable.
Albert said cyber security risks in the maritime industry are as important as health, safety and environmental risks.
He also said cyber security regulation is considered a lower priority than other regulations governing a maritime organisation.
However, Albert said that a fast-developing regulatory environment is one of the most important drivers behind the rapid evolution of cyber-security standards in the maritime industry.
This relates to cyber security regulations specific to the maritime industry and broader regulations, which many maritime stakeholders must comply with.
The EU’s General Data Protection Regulation (GDPR), implemented in 2018, mandates strict controls over collecting, storing, processing, and sharing personal data.
This has increased cyber security requirements in the maritime industry by requiring organizations to implement appropriate measures to ensure safe and secure data processing.
International Safety Management defined cyber risk as a potential safety risk and implemented Resolution MSC.428(98) in 2021, which requires owners, operators, and managers to consider overall cyber risks and to implement cyber security across all levels of their management system in line with the International Safety Management (ISM) Code.
In combination with this resolution, the International Maritime Organization also released Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
This provides high-level recommendations for maritime cyber risk management that can be incorporated into existing risk management processes.
The International Association of Classification Societies obliges owners, yards and suppliers to build cyber security barriers into their systems and vessels, requiring compliance across the full spectrum of critical onboard control and navigation systems from July 1, 2024.
The International Association of Classification Societies Unified Requirements for cyber security consist of two rules: E26 governs system integration, while Unified Requirements E27 applies to essential onboard systems. Vendors and yards must meet both requirements, which will be mandatory for all new builds with contracts signed after July 1, 2024.
The Unified Requirements (maritime cyber security regulations) will apply to everything computer-based on board, such as main-engine control systems, steering, cooling systems, fire detection, communications systems, public address systems, and navigation.
The Norwegian International Ship Register made it mandatory for shipping companies to cover critical maritime infrastructure such as ports, floating storage, and regasification units and fleets.