The Petya cyber attack on global shipping major Maersk should not have come as a surprise. It’s a scenario that international cyber security experts f lagged three years ago as a high probability. Speaking to FTW from his office in Denmark last week, Lars Jensen, CEO of Cyberkeel, said while it was not possible to predict that Maersk would have been the target, a cyber attack of this nature was one that CyberKeel, a consultancy aimed at protecting shipping companies from being hacked, had been warning about. “Consequently we have consistently recommended defence-in-depth, meaning that when – not if – a company got penetrated, then the virus would not spread through the global network,” said Jensen. “Secondly we have consistently advised that companies should make sure they have a contingency plan, allowing them to quickly restore their business from a point where literally all their systems are gone – again the exact
scenario we saw unfolding.” He said there had been growing awareness of cyber risk over the past 12 to 18 months, confirmed in a recent transport survey by law firm Norton Rose Fulbright that found at least 80% of its respondents saw cyber crimes increasing. “Nowadays the industry will readily say that this is an area that has their attention – but our experience is that this awareness mainly extends to words, and much less to effective deployment of actual resources,” said Jensen. Determining the extent of the problem at hand, however, is impossible as there are no credible statistics against which to measure increases of cyber attacks in the maritime sector. “These incidents have been a reality for several years, but often companies keep it secret if they are successfully hacked, and therefore the perception is
that the risk is lower than what it is in reality,” he told FTW. “Most companies see no upside to being open about it. Saying you got successfully attacked can lead to customers perceiving you as more risky than the other shipping lines, and hence moving cargo to your competitors. The argument is a fallacy, as the other ones are equally unsafe, but it is just not visible to you. Perception is everything. Other companies have indeed been hit with varying degrees of severity.” Jensen said despite an increase in awareness by shipping companies – and even the massive shock of the Maersk incident – the reality was that the industry at large was simply not equipped or prepared to deal with these types of attacks. “They need to significantly increase their efforts and ensure that equipment onshore and offshore is properly updated and maintained. They need to ensure that their large and complex global networks are properly configured to prevent the rampant spread once they get infected,” he said – and this will require significant resources to fight this particular scourge alone. “The industry is rapidly embracing digitisation and automation – and this literally means that when the computer systems go down there is not much you can do. A quick look at APM terminals also shows that the terminals that took the longest time to get up were also the ones that had the highest degree of automation.”
These incidents have been a reality for several years, but often companies keep it secret if they are successfully hacked. – Lars Jensen
