|The pivotal event in our understanding of the urgency of prioritizing Cybersecurity is surely the attack that struck Maersk shipping in 2017.
A.P. Moller-Maersk is the largest shipping company in the world. It is responsible for 20% of the world trade in containers. Every 15 minutes on average a Maersk ship will come to port somewhere in the world with upwards of 20,000 containers on board.
On June 27, 2017, Maersk was hit by the NotPetya virus. It was not targeted; it was collateral damage in a cyberwar between Russia and the Ukraine. Maersk was only one of hundreds of companies globally that were devastated by an attack that was spread through its accounting software. The result – the company operated for 10 days without IT. The shipping company that operated over 800 vessels and 76 ports around the world was dead in the water – and so were its customers. Maersk was forced to reinstall an entire infrastructure – 45,000 pc’s, 4000 servers, 2,500 applications. Only through a heroic effort by its staff was it able to get back on-line. The estimated cost to Maersk $300MM and globally the cost was estimated to be in excess of $10BB.
Maersk was an organization that had the capacity to recover from this incident. It begs the question, what hope is there for any organization large or small without the financial wherewithal to recover?
First, some unassailable facts: there remains a fundamental misunderstanding of the magnitude of the stakes in this game. And, it is a moving target. As digitalization has progressed, it has created much better technology for protection but also an exponential increase in the sophistication of the tools of the cybercriminals. Being “woke” to this issue is critically important if we are to adopt the measures necessary for our defense.
The timelines are getting compressed. In the first decade of this century we saw the emergence of cybersecurity, privacy and data protection as mainstream topics. The conflict between the consideration of “data as the new oil” – something to be shared – versus something to be protected at all costs began. Over that period, cybersecurity became weaponized. Ransomware and cyberweapons became a plague on business and government.
This pace will quicken. As new technologies ramp-up, including many critical to our Ocean Supercluster projects – edge computing, autonomous vehicles, digital twins, Robotic Process Automation (RPA) and more, success will depend on vigilance and protection on every dimension of operations.
Every sector has its own unique set of challenges and oceans industries are no different. They are unique in their dependency on many platforms that share data remotely and widely. Whether it’s communications, navigation aids, radar, on-board controls and more, the necessity for these systems to talk to one another presents a whole host of opportunities for intrusion. In addition, the proliferation of sensors of every conceivable description (especially in the oceans) and the dependencies and security risks inherent in this growth moves the problem into a whole new realm.
But. the top security risks do not stem from technology but from the lack of awareness and knowledge of the risks and plans to mitigate and respond accordingly. The good news is that many of these risks are eminently addressable. Even the smallest player can have the same protection as the largest enterprise if properly prepared.
So, what is to be done? With the firm understanding that Cyber risks are constantly evolving, here are some questions to consider:
- Have you completed any kind of cyber security maturity assessment to determine weakness? How are you prioritizing budget & resources against these risks?
- Are you testing for potential exposure by engaging cyber security professionals to test your vulnerabilities?
- Are you deploying cyber security & fraud training, practices and procedures? Are you making it personal? Do your staff know that BYOD comes with responsibilities?
- Do you have a clear understanding of your Supply Chain (Vendors/Third Parties) Contracts?
- Do you have a Cyber Security Incidence Response Plan which enables you to respond to a breach appropriately?
- Have you engaged with a security solutions provider to deliver ongoing security management and are they on retainer for critical incident response?
Of course, this goes much deeper. At the time of the incident in 2017, Maersk was 90% digital. It is moving quickly to 100% and fully autonomous shipping Is on the horizon.
Cybersecurity is a priority issue for boards and owners not only from a risk perspective. Building security into the design of products and services and delivering the processes for secure operations will be a source of significant competitive advantage now and in the future.
OSC Board Director