Maritime companies face significant cyber threats as they adapt their navigational, operational and other equipment to the digital world.
While automation could lead to significant savings, adapting equipment never intended to be connected to the Internet could leave vessels vulnerable to terrorism, piracy and destruction, experts say.
The maritime industry, they say, lags more heavily regulated industry sectors, including energy and utilities, in addressing its cyber exposures.
Meanwhile, the insurance industry is slowly developing specifically targeted cyber policies for the maritime industry.
“Cyber-related vulnerabilities are a growing portion of the total risk exposure facing the marine transportation system,” the U.S. Coast Guard said in a March memorandum. Cyber threats “continue to grow and represent one of the most serious national security challenges we must confront.”
In October, for example, Tokyo-based cloud security firm Trend Micro Inc. said it discovered flaws in ships' mandated automated identification systems, installed in an estimated 400,000 vessels, that can let attackers hijack communications of vessels and even create fake vessels.
In another well-publicized incident, researchers at Texas A&M University last year “fooled” an $80 million yacht off the coast of Italy as to its location by manipulating its GPS.
These incidents, experts say, are part of the expanding trend of advanced connectivity of devices and computer systems that can transmit data on their own via the Internet dubbed the “Internet of Things.” This trend comes with consequences such as increased risk of cyber crime.
While the maritime industry faces some of the same cyber risks as other industries, “when you're dealing with a ship that weighs hundreds of tons, if that goes sideways on you, it's not quite the same as a point-of-sale terminal not working,” said Robert Parisi, a senior vice president and network security and privacy practice leader at Marsh L.L.C. in New York.
The cyber threats extend to ports, too.
“Basic cyber security hygiene measures are not being practiced” at these facilities, the Washington-based Brookings Institution said in a July 2013 report.
In the report, U.S. Coast Guard Commander Joseph Kramek wrote that of all the ports reviewed, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.
“Cyber risks are a real threat, especially in the marine and offshore energy markets,” and these risks are growing, said Markus Wähler, Munich-based marine consultant at Munich Reinsurance Co.
However, marine cyber risks are “just kind of coming into the forefront now,'' said Cmdr. Emil A. Muccin, an assistant professor at the U.S. Merchant Marine Academy in Kings Point, New York.
The issue is “slowly building a head of steam and certainly will be given very serious attention as we progress, I suspect,” said Steven Jones, maritime director at the London-based Security Association for the Maritime Industry,
Mark Schloesser, an Amsterdam-based security researcher at data security firm Rapid7 L.L.C., said automatic identification system protocols and other marine technology was developed pre-Internet, without “any sort of malicious or security perspective in mind.”
“Once you start looking at it, you immediately find vulnerabilities,” Mr. Schloesser said.
“The issue is, to what extent is security built into these systems when they were developed, or was it bolted on as time went along?” The question is, “How secure are they?” said Alan Brill, senior managing director at Kroll Inc. in Secaucus, New Jersey.
The maritime industry's “risk implications ... are only now beginning to be understood,” said Ben Beeson, Washington-based vice president of cyber security and privacy at Lockton Cos. L.L.C.
Cyber risks no longer are just about privacy and personal information, Mr. Beeson said. “We're now moving into an area which is more about physical damage and bodily injury arising from cyber triggers.”