How the coronavirus is forcing the shipping industry to make cybersecurity a priority

As global society locked itself down, the view took hold in recent months that simultaneous supply and demand shocks meant the idling of global aviation and most shipping vessels. The dominant story of oil prices briefly turning negative added to the impression that transport and global trade were largely standing still.

However, the ships plying the world’s oceans play a crucial role in overcoming supply chain bottlenecks in food and medical equipment that have left billions of people in limbo. As we rebuild the architecture of global logistics, securing these essential carriers of humanity’s means of survival should be a top priority.

The paradox of Covid-19 was most apparent in the global shipping industry, with the possible exception of commercial aviation.

A quarantined labour force created human resource shortages in one of the most essential activities – moving necessary commodities and goods around the world. As such, the discrepancy between concerns about security for Zoom calls and inattention to maritime security standards is ironic.

Global shipping has also been a focal point in efforts to combat rising protectionist measures such as tariffs and export restrictions on medical equipment and food. During this period, 20 major ports signed an agreement to keep maritime trade open, especially for these critical goods, helping alleviate shortages.

The maritime domain, therefore, is critical infrastructure. As the world shifts toward securing a decentralised work environment, it is worth noting a rise in cyberattacks against “soft targets” such as ships and oil rigs.

For example, a hack on Maersk’s infrastructure in 2017, although Maersk was not the original target, cost the company more than US$300 million. Another attack that targeted Cosco in 2018 and an attack on MSC this April similarly led to widespread consequences for company operations.

As cybersecurity services provider to the sector, we are aware of several additional, undisclosed attacks. It is evident that maritime infrastructure must be strengthened in a manner fitting its already decentralised structure.

When comparing cybersecurity concerns with physical security offshore, there is also a clear disconnect. If a commercial ship encounters circumstances that endanger the vessel, cargo or crew in ways that involve piracy, terrorism or warfare, support can be expected from military vessels or international security bodies in the region.

The same cannot be said for cyber threats, which blur the lines between national security interests and the private sector in ways physical threats do not.

This implies that the insurance industry could be an important market maker for maritime security reforms by putting the onus on the security of digital fleet management in its requirements around pricing and policymaking.

Paradoxically, insurance coverage for cyber issues remains lacking in the maritime space, with even the most well-established underwriters and brokers seemingly reluctant to offer comprehensive products. Gradually, however, this is changing and progressive players in the industry are likely to capitalise on the hesitation of the followers.

Digitising fleet operations and management began before Covid-19, but a wide range of functions that require in-person visits may need remote solutions in the new normal. These include safety audits and inspections, maintenance protocols, hardware and software upgrades and others.

Technology is often most unprotected during digitising and automation, a reminder that cybersecurity should be implemented from the outset and viewed as integral to digital infrastructure.

Furthermore, the more complex maritime and port operations become and the more sensitive the cargo, the more we need cutting-edge solutions to safeguard digital integrity. In essence, ships must be made unhackable.

Industrial security, including critical operational technology, can no longer be the neglected stepchild of IT policy. Although maritime industries at large, including merchant marine and offshore oil and gas, are process-driven with significant documentation requirements and attuned to system audits, these have traditionally been done in offices or on-board vessels.

With the pandemic, however, the efficacy of these processes is challenged by the inability to conduct in-person meetings and attend audits on board. Progressive operators, cargo owners and classification societies have had to develop novel ways of conducting audits, which has resulted in several remote audits and inspections via video calls and conference systems.

The shipping industry must adapt to a world of low oil demand in which it takes on new purposes as well as to forward-looking demands for digital integrity. Consolidation may provide an opportunity to commit the resources necessary to improve cybersecurity across fleets and assets.

In non-maritime businesses, online firmware updates are an obvious part of IT policy. Onshore businesses like power plants and the automotive sector have already learned hard cybersecurity lessons.

In maritime operations, though, vessel hardware is rarely updated. Owners are only beginning to address the issue and should learn from other industries’ experiences. Intensive digitisation, better satellite coverage, lower data costs, new on-board equipment and Covid-19 responses are pushing innovations.

One major priority is business continuity planning, which requires a stronger and more efficient marriage of operational and IT policies. An inherent challenge for business continuity plans facilitating a remote working environment in the shipping industry is that IT has largely never been considered a strategic function within most shipping and maritime organisations. That must change.

The demands imposed by the coronavirus, cyberattacks and oil price crash require nothing less than this fundamental overhaul in how the maritime industry functions.

Parag Khanna is managing partner of FutureMap and author of The Future is Asian. Mikhail Zeldovich is chairman of Cocoon Capital and an investor in the cybersecurity solutions company Oceanshield. Brian Worning also contributed to this article