Wake-Up Call

On Tuesday, June 27, Maersk was hit by the “NotPetya” computer virus that shut down its container business. Soon mainstream and industry media outlets were reporting stoppages at Maersk operations in Rotterdam, Los Angeles, Mumbai, Auckland and a dozen other ports around the globe. Fear of the unknown – and prospects that the virus could spread – caused worldwide consternation throughout the maritime industry. 

Maersk was both quick and transparent in its response, using social media and other communication channels to inform its customer base at more than 75 ports worldwide. The day of the attack it confirmed it had been hit, and the next day it started laying out corrective actions. Chief Commercial Officer Vincent Clerc and later CEO Søren Skou held interviews describing the company’s response. During the initial chaos, Maersk took the unprecedented step of shutting down all its Information Technology (IT) systems until it could better assess which ones were infected.

Throughout the incident, Maersk continued to restore operations, one port at a time, with updates to its customers as frequently as three times a day. The updates included the status of specific regions and of different functions within Maersk’s systems. Many Maersk terminals were processing transactions manually in order to restore operations within two days. As for the IT systems themselves, Maersk said that, rather than rush things, it “applied the up- date available for the affected systems in accordance with the IT vendors’ recommendations prior to the re-enablement of any systems.”

While new business was restored relatively quickly, the backlog of information on existing business (e.g., the “track and trace” function for containers) took longer. In addition, it took longer to reissue bills of lading and to restore full customer service in regions like the Middle East, South Asia and West Africa. By July 10, Maersk reported it was “servicing both import and export customers close to normally,” and by July 25 it was back in full compliance with both U.S. and E.U. regulations related to advance submission of manifests. Maersk also waived demurrage and detention charges during the periods when it was unable to release containers.

THE AFTERMATH

Was the incident a surprise? In one interview, Chief Commercial Officer Clerc noted that, like all firms with complex IT systems, Maersk was aware of its potential vulnerability but added, “We did not think it could hit us so hard and so fast.”

Other experts were also well aware of such vulnerabilities. “Port IT professionals knew that such a cybersecurity incident was coming,” says April Danos, Director of IT at Louisiana’s Port Fourchon and Chair of the Info Tech Cybersecurity Subcommittee of the American Association of Port Authorities (AAPA), “not necessarily this type of attack, or against Maersk, but we all knew it was coming.”

Adds Kate Belmont, a specialist in maritime cybersecurity and Counselor in the New York office of Blank Rome, “Threats from cyberattacks take many different forms and come from many different actors. Cyber criminals and bad actors consistently target the maritime industry. Ports, shipping companies, the bunkering community – any aspect of the industry that is reliant on IT is a target and is vulnerable.”

Maersk says the NotPetya virus “was a previously unseen type of malware, and updates and patches applied to both the Windows systems and our antivirus were not an effective protection in this particular case.” The company’s investigation indicated that Maersk was not specifically targeted but received the virus from tax-related software used by many companies that operate in Ukraine.

Part of the problem is that “Many port IT shops are resourced to the cyber threats of yesterday,” says Port Fourchon’s Danos. “While installing security patches has always been an essential part of IT operations, now the threat and patch notifications are becoming more frequent, more complex and thus more time-consuming to implement. The staffing levels cannot keep up with the continuous security workload, which can create momentary windows of vulnerability that can be exploited.”

The effect on Maersk was substantial but not debilitating. In its second quarter report, the company noted that “Business volumes were negatively affected for a couple of weeks in July and, as a consequence, our third quarter results will be impacted. We expect the cyberattack will impact results negatively by $200-300 million.” Nonetheless, the company reiterated its expectation for profits above $1 billion for its Transport and Logistics business.

As for the larger impact, “The incident served as a huge wake-up call for the industry as a whole” says Cynthia Hudson, CEO of HudsonAnalytix, a firm specializing in cybersecurity for maritime clients. “If it could happen to Maersk, one of the largest and most sophisticated behemoths in the industry, it could happen to any company.”

One repercussion that could be greater next time is that a virus could spread to other firms. According to Maersk’s report, there was no data breach or data loss to third parties. Still, according to Hudson, “The sophistication of the virus shows the future potential for such malware to migrate not only across a single enterprise but across that enterprise’s entire network of customers and suppliers.”

The impact on networks is also a concern of Philippe Donche-Gay, Senior Executive Vice President and President of the Marine & Offshore Division at Bureau Veritas: “Cybersecurity in general requires a holistic approach involving not only one company, its assets and processes, but also its suppliers, partners, customers and all parties with which it interacts digitally, as seen in many breach cases.” While concerns were initially focused on ships rather than the entire maritime chain, he says that “This is changing, and there is now an increasing focus on entire logistics chains including ship- owners, shipyards, manufacturers and ports.”

LESSONS LEARNED

Maersk CEO Skou, in commenting on second quarter results, elaborated on some of the lessons learned: “We have been working to rebuild, restore and harden every affected element of our IT infrastructure. We only reinstate systems once we are certain they are safe and hardened against attack, and in some cases this involved some redesign of our IT and tools as well as recovery. Our current defenses have been penetration-tested. For security reasons, we cannot go into further details. We continue to investigate this incident, and we will take any lessons learned from this experience and apply them to our future efforts in this area.”

For the industry as a whole, Blank Rome’s Belmont notes that it “has already taken significant steps to address and mitigate the threat of cyberattacks. This summer IMO approved a resolution [MSC.428(98)] that encourages IMO member states to appropriately address cyber risk in safety management systems including addressing the operational risks associated with dependence on cyber-related systems. Additionally, a BIMCO-led industry working group released the second edition of Guidelines on Cyber Security Onboard Ships. The new version includes information on insurance and is aligned with the recommendations in the IMO’s resolution.” One of the challenges moving forward is complacency. “Maritime companies must be more proactive in addressing cyber threats,” Belmont says. “This means conducting risk assessments, employee training and developing breach response plans in addition to implementing a cybersecurity framework. In responding to a cyberattack and mitigating damages, maritime companies should have well-developed breach response plans, which often include utilizing cybersecurity lawyers and cybersecurity forensic analysts as well.”

Class societies will be part of the solution, adds BV’s Donche-Gay: “At Bureau Veritas, cyber threats combined with the arrival of new digital norms are generating demand for new services for our clients. We foresee that this new need will be massive.” He notes that BV is already assessing market requirements by auditing physical digital products, IT systems and digital services and contributing to the creation of emerging standards in areas such as data protection. He adds that “Bureau Veritas has been leading a working group of the International Association of Classification Societies on cyber safety and security in order to provide a unified response to cybersecurity.”

Another major challenge is the perception that a shipowner can simply adhere to a “checklist” approach to managing cyber risk. “There is presently no universally accepted standard for maritime cybersecurity,” says Cynthia Hudson, “so attempting to distill cybersecurity to a once-a-year, ship-centric audit activity that can be ‘certificated’ is a major mistake. Such an approach lulls shipowners into the mistaken belief that they might be completely protected from cyber threats. Although there is no common standard against which to measure, cyber risk management is still critical, and managing cyber risk involves everyone across the organization. It requires recurring analysis and self-assessment efforts that are focused on an individual organization’s circumstances and that inform and drive continuous improvements across the entire organization. It involves responsibly allocating precious resources – people, processes, tools and funding – in a sustainable manner.”

A further challenge is the need to continually improve expertise. “Training and education for maritime IT professionals is the key,” says Port Fourchon’s Danos. “Fortunately, AAPA has been at the forefront of providing IT professionals and its member port authorities with more meetings and seminars specifically on cybersecurity. And such training has increasingly encouraged collaboration between security and IT staff, two groups of professionals that were traditionally separate.”

WAITING FOR THE CAVALRY

Some industry officials have been passive, waiting for the government to come to the rescue with guidance and solutions. In response, the U.S. Coast Guard has taken a number of steps in recent years including sponsoring conferences in maritime cybersecurity, facilitating cyber-related exercises in ports and developing a cyber strategy.

It recently issued a draft Navigation and Vessel Inspection Circular (NVIC 05-17) called “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA)-Regulated Facilities” and is seeking industry feedback. The draft circular includes interpretive guidance about including cyber when identifying vulnerabilities for facility security plans. It also has guidance on implementing a cyber risk management governance program.

But will this evolve into formal regulations? Blank Rome’s Belmont thinks that “Major events such as the NotPetya attack have the potential to lead to regulatory initiatives. At this time there are no cyber risk management regulations for the maritime industry. The recent Coast Guard draft NVIC is helpful as it serves as policy guidance, but it is not binding on the industry. That said, it could be a precursor to a regulatory project in the future.”

BV’s Donche-Gay says, “We are encouraged by comments from the U.S. Coast Guard saying that cyber risk management is an emerging area with great potential for third-party standards and compliance such as might be provided by classification societies.”

The Coast Guard has regularly provided new guidance, adds Port Fourchon’s Danos. “But if a port IT shop is laying back waiting for government guidance to develop its defenses,” she says, “that’s a sign of trouble. For example, with the Coast Guard draft NVIC, IT professionals should already be familiar with the cybersecurity governance parameters. Otherwise, it may be too late for them. They may never catch up.”            MarEx