New research published by DNV reveals that less than half (40%) of maritime professionals think their organization is investing enough in cyber security at a time when vessels and other critical infrastructure are becoming increasingly networked and connected to IT systems.
- Insufficient funding is the maritime sector’s biggest barrier to greater cyber resilience in 2023, as safety-compromising threats to the industry’s operational technology gather pace
- Tightening regulation raises hopes for greater investment in cyber security to be unlocked, according to DNV’s survey of more than 800 industry professionals, but concerns are emerging over rulebook effectiveness and companies’ ability to comply
- Cyber security is a pre-requisite for progress as more than half of maritime professionals describe digital technology as a key enabler of their decarbonization plans.
While the maritime industry has focused on enhancing IT security over recent decades, the security of operational technology (OT) – which manages, monitors, controls and automates physical assets such sensors, switches, safety and navigation systems, and vessels – is a more recent and increasingly urgent risk. Three quarters (75%) of the 800 industry professionals surveyed by DNV believe that OT security is a significantly higher priority for their organization than it was just two years ago. Just one in three is confident that their organization’s OT cyber security is as strong as its IT security.
“The maritime industry is still thinking IT in an era of connected systems and assets,” says Svante Einarsson, Head of Maritime Cyber Security Advisory at DNV. “With ship systems being increasingly interconnected with the outside world, cyber-attacks on OT are likely to have a bigger impact in the future.”
DNV’s new research report Maritime Cyber Priority 2023: Staying secure in an era of connectivity reveals an almost universal expectation that cyber-attacks will disrupt ship operations in the coming years. Three quarters of maritime professionals believe a cyber incident is likely to force the closure of a strategic waterway (76%). More than half expect cyber-attacks to cause ship collisions (60%), groundings (68%), and even result in physical injury or death (56%) as an overwhelming majority (79%) of professionals say the industry considers cyber security risks to be as important as health and safety risks.
While this new era of connectivity is resulting in new vulnerabilities, it is also enabling new possibilities, according to DNV’s research. Some 87% of maritime professionals say the future of the industry relies on an increase in connected networks, and 85% say that connected technologies are helping the industry reduce emissions.
“Cyber security is a growing safety risk, perhaps even “the” risk for the coming decade,” says Knut Ørbeck-Nilssen, CEO Maritime at DNV. “But crucially, it is also an enabler of innovation and decarbonization. Because as we pursue greener, safer, and more efficient global shipping, the digital transformation of the industry is deeply dependent on securing these inter-connected assets. Making it vital that we work collaboratively to strengthen our collective cyber security.”
DNV’s wider Cyber Priority research explores the changing attitudes and approaches to cyber security in key industrial sectors, and includes a complementary report on the energy industry: Energy Cyber Priority: Closing the gap between awareness and action.
Stronger incoming regulations set a platform for cyber security investment
Tighter regulation of maritime cyber security is on the horizon as industry bodies and government authorities seek to encourage the sector to improve its security posture. Maritime organizations must prepare to comply with new rules, including the IACS Unified Requirements and the EU’s NIS2 Directive from 2024. Most maritime professionals believe that regulation provides the strongest motivator to unlock much-needed cyber security funding, according to DNV’s research. 84% believe that it will drive investment in cyber security, but only just over half are confident the effectiveness of cyber security regulation (56%) and in their ability to meet requirements. Just 36% of maritime professionals agree that complying with cyber security regulation is straightforward and almost half (44%) say that regulatory compliance requires technical knowledge that their organization does not possess in-house.
“Regulation only sets a baseline for cyber security. It doesn’t guarantee security. Rather than taking it as our goal, the maritime industry should use it as a foundation, on which to further improve and adapt to the changing threat landscape,” says Svante Einarsson, Head of Maritime Cyber Security Advisory, DNV. “As we have seen in the safety domain, regulation becomes more straightforward and effective when it is supported by industry players coming together to share knowledge. Our research indicates that the industry needs to take big steps forward in openly sharing cyber security experiences – the good, the bad and the ugly – to collectively create security best practice guidance for a safer, more sustainable maritime sector.”
Barely three in 10 (31%) maritime professionals believe that organizations are effective at sharing information and lessons learned around cyber security threats and incidents. This lack of transparency is reflected in the belief of the majority (60%) that the maritime industry lacks standards for building an effective, repeatable approach to cyber security.
In Maritime Cyber Priority 2023, DNV recommends maritime organizations take the following actions:
- Consider cyber security as an enabler
- Treat cyber risks like safety risks in an operational setting
- Champion insight-sharing across the industry
- Reframe regulation as the baseline to improve cyber security posture
- Rethink how to manage supply chain vulnerabilities
- Resource a strategy for more effective training
- Maintain an ‘analogue fallback option’ amid the shift to connected systems.