In June 2017 Maersk, the maritime transportation conglomerate with offices in 130 countries and 88,000 employees, was attacked, not by pirates, but by a malicious piece of computer code that infected computers rapidly and fatally.
Some showed a ransom note demanding $300 million in bitcoin to recover files. But this was not a ransom attack. It was a destructive worm that destroyed all the data in the infected computer, for good. Immediately, employees around the world were ordered to shut down computers, some 800 ships were idled. It took three weeks and $300 million to get back to full productivity. Forty-five thousand PCs, four thousand servers had to be replaced. Maersk was not the only victim. The NotPetya cyberattack, which was instigated by Russian military hackers, is estimated to have cost $10 billion worldwide, according to a U.S. government estimate.
In an effort to evaluate the state of cybersecurity in the maritime industry, the New Orleans-based law firm Jones Walker LLP polled 126 representatives from various sectors. The results were published in the 2018 Maritime Cybersecurity Survey. Andrew Lee and Ford Wogan, architects of the survey, sat down with WorkBoat to discuss the state of preparedness of the workboat industry to cyberthreats. The pair will discuss the survey at the International WorkBoat Show on Wednesday, Dec. 4, at 11:15 a.m., part of that day’s Tugs and Coastal Towing conference program.
WorkBoat: What prompted you to create this survey?
Andrew Lee and Ford Wogan: Our clients rely on us to assist them in more than just legal matters. We have observed in the maritime industry a trend toward risk assessment in many areas, but not so much in the cyber arena. This prompted us to create a survey to gauge both the readiness of the industry and its perception of its readiness. We were really trying to raise a red flag on an issue that many of our clients may have been slow to address.
WB: What did you find in terms of cybersecurity readiness within the workboat fleet?
Lee and Wogan: It was sobering. Nine out of ten of the small to mid-size maritime companies surveyed are unprepared for a cyberattack. This segment covers most workboat operations. Drilling down into the sectors across all company sizes, of owner/operators 70% were unprepared and cargo shipping companies were at 43%. We found that most companies that believe they have never been hacked are the most vulnerable in terms of making budget contributions to preparedness. Those who have experienced an attack, 28%, are more likely to have made cybersecurity a priority.
WB: Why do you think so many workboat companies are unprepared?
Lee and Wogan: The maritime industry historically is a reactive rather than a proactive industry. There is a paradigm shift required to get the focus on cybersecurity and it may be starting. The Coast Guard has recently issued recommendations for addressing this issue. We hope to help with the survey findings.
WB: Can you give us an idea of what sorts of cyberthreats are out there?
Lee and Wogan: Sure, the workboat industry is becoming more and more connected. There are many companies utilizing third-party software to help them manage their compliance with governmental regulations such as Subchapter M. Laptops are ubiquitous in the wheelhouse, as captain and crew send reports and receive updates from shore. Meanwhile, crewmembers are bringing their own devices aboard, and shoreside personnel are using their own devices. Any of these can be a portal to transport malware from one to another computer. Here, again, the maritime industry is not a new one. Many of the companies have been in operation for decades and therefore have been using technology for years. Without an emphasis on technology, there are many machines running unpatched operating systems out there. Add that false sense of security, and you’ve created a recipe for a costly disaster. Others have estimated that cybersecurity breaches can cost upwards of several million dollars.
WB: What can these companies do to mitigate the threat?
Lee and Wogan: First and foremost, the industry needs to make that paradigm shift. Cybersecurity must become an operational issue and requires an emphasis from the top. It needs to be addressed in the same way that crew safety is addressed. Simple measures, like routine changing of passwords and two-factor identification protocols are shockingly ignored. Companies also need to allocate budget to upgrade systems and to keep them secure.
WB: What are the incentives to make cybersecurity a budget line item?
Lee and Wogan: Incentive is not really the word. Stakeholders must realize that it is necessary to address cybersecurity in order to do business. We see our offshore service providers’ contracts and master contracts stipulating cybersecurity as a risk management requirement. We hear from the large company clients that they are “only as strong as our weakest supplier,” in the context of addressing cybersecurity. The time has come for everyone to wake up to this existential threat.