The Petya cyber attack
on global shipping major
Maersk should not have
come as a surprise. It’s a
scenario that international
cyber security experts
f lagged three years ago as a
high probability.
Speaking to FTW from
his office in Denmark last
week, Lars Jensen, CEO of
Cyberkeel, said while it was
not possible to predict that
Maersk would have been
the target, a cyber attack
of this nature was one that
CyberKeel, a consultancy
aimed at protecting
shipping companies from
being hacked, had been
warning about.
“Consequently we have
consistently recommended
defence-in-depth, meaning
that when – not if – a
company got penetrated,
then the virus would
not spread through the
global network,” said
Jensen. “Secondly we have
consistently advised that
companies should make
sure they have a contingency
plan, allowing them to
quickly restore their
business from a point where
literally all their systems
are gone – again the exact
scenario we saw unfolding.”
He said there had been
growing awareness of cyber
risk over the past 12 to 18
months, confirmed in a
recent transport survey
by law firm Norton Rose
Fulbright that found at least
80% of its respondents saw
cyber crimes increasing.
“Nowadays the industry
will readily say that
this is an area that has
their attention – but our
experience is that this
awareness mainly extends
to words, and much less
to effective deployment
of actual resources,” said
Jensen.
Determining the extent
of the problem at hand,
however, is impossible
as there are no credible
statistics against which to
measure increases of cyber
attacks in the maritime
sector.
“These incidents have
been a reality for several
years, but often companies
keep it secret if they are
successfully hacked, and
therefore the perception is
that the risk is lower than
what it is in reality,” he told
FTW. “Most companies see
no upside to being open
about it. Saying you got
successfully attacked can
lead to customers perceiving
you as more
risky than
the other
shipping
lines, and
hence moving
cargo to your
competitors.
The
argument is a
fallacy, as the
other ones
are equally
unsafe, but
it is just not
visible to you.
Perception
is everything. Other
companies have indeed been
hit with varying degrees of
severity.”
Jensen said despite an
increase in awareness by
shipping companies – and
even the massive shock of
the Maersk incident – the
reality was that the industry
at large was simply not
equipped or prepared to deal
with these types of attacks.
“They need to
significantly increase
their efforts and ensure
that equipment onshore
and offshore is properly
updated and maintained.
They need to ensure that
their large and complex
global networks are
properly
configured
to prevent
the rampant
spread once
they get
infected,” he
said – and
this will
require
significant
resources
to fight this
particular
scourge alone.
“The
industry is rapidly
embracing digitisation
and automation – and this
literally means that when
the computer systems go
down there is not much
you can do. A quick look at
APM terminals also shows
that the terminals that
took the longest time to get
up were also the ones that
had the highest degree of
automation.”
These incidents have
been a reality for
several years, but
often companies keep
it secret if they are
successfully hacked.
– Lars Jensen
