Four tips for defending against cyberpirates

Maritime digitisation is opening a world of opportunities for shipping companies. Unfortunately, it is also opening the door to cyberpirates: In 2020, more than 2 in 3 CEO-level respondents in a study carried out by Danish Shipping confirmed that their company’s IT systems had been attacked. And such attacks can have major consequences: The NotPetya attack in June 2017 resulted in massive financial losses for Maersk.

Not if, but when

Things have not become much better in recent years: A 2023 report from HFW and CyberOwl  concludes that the global shipping industry will likely continue to be a high-profile target. The tough reality is that it’s not a matter of if but when cybercriminals will target your ship, and when that happens, you need to be prepared.

For many shipowners, this requirement is codified in standards like IACS UR E27 . But whether or not you are obliged to follow this standard, you need a cybersecurity strategy that makes your vessels less vulnerable and prescribes what to do in an attack.

We asked Cyber Security Architect Per Christensen from IT company Prevas how shipping companies can get started on such a strategy. Here are his four tips.

#1: Educate your crew

Your personnel poses the most significant risk to your cybersecurity, and educating your staff on the potential risks and on how to behave is of utmost importance to improve your cybersecurity.

Needless to say, password security is of high importance. Nevertheless, it is often neglected, and it is not a rare sight to see passwords written down in notes. It is crucial never to write down passwords and to create strong passwords that are impossible to crack.

Alternatively, get rid of passwords altogether by using technologies such as ID cards, two-factor authentication (2FA), or Single Sign On (SSO).

#2: Build a resilient system

Designing a cybercrime-proof system is not an easy task, but there are many things you can do. For example, separate IT and OT (operational technology) networks gated with firewalls complicate hacker access to the complete system.

Hackers sometimes enter a ship’s system through the crew’s smartphones when the phones are being charged via a PC on board. Make sure to use power sockets that run on networks separated from the IT and OT systems – and always keep all software updated.

(In fact, focusing on your OT systems at all can be a great start; some companies are still neglecting this. Read this blog post for more details!)

#3: Integrate only proven products

According to Per Christensen, you can strengthen security by being discerning and only using products that have been thoroughly tested with cybersecurity in mind.

One way to test your control system is to perform a network storm test to evaluate system performance when subjected to high network loads. At DEIF, we perform network storm tests on our controllers, pushing them to the limit before putting them on the market.

#4: Work with a knowledgable partner

Building a resilient infrastructure and identifying potential leaks is complex, and it is advisable to find a partner that can assist you. The market is booming with potential partners, but Per Christensen's advice is to go with a partner with industry knowledge. He also highlights that classification societies are trustworthy partners; DNV GL, for example, is a world-leading classification society that is also a frontrunner in cybersecurity.

Having a cybersecurity strategy is a great start if you’re looking to boost your defences against the rising threat of cyberpiracy. If you are not already working on doing so, we strongly advise you to give it priority – for the sake of your business and your staff.

·       Contact us to learn more about cybersecurity at sea

·       Read this blog post on deif.com  to learn more about OT security and the IACS UR E27 standard

·       Discover the iE 350 Marine controller and its advanced cybersecurity features