DNV warns of insufficient investment in cybersecurity

(OSLO, Norway) — New research published by DNV reveals that less than half (40 percent) of maritime professionals think their organization is investing enough in cybersecurity at a time when vessels and other critical infrastructure are becoming increasingly networked and connected to IT systems.

While the maritime industry has focused on enhancing IT security over recent decades, the security of operational technology (OT) – which manages, monitors, controls and automates physical assets such as sensors, switches, safety and navigation systems and vessels – is a more recent and increasingly urgent risk. Three quarters (75 percent) of the 800 industry professionals surveyed by DNV believe that OT security is a significantly higher priority for their organization than it was just two years ago. Just one in three is confident that their organization’s OT cybersecurity is as strong as its IT security.

“The maritime industry is still thinking IT in an era of connected systems and assets,” said Svante Einarsson, head of maritime cybersecurity advisory at DNV. “With ship systems being increasingly interconnected with the outside world, cyberattacks on OT are likely to have a bigger impact in the future.”

DNV’s new research report, “Maritime Cyber Priority 2023: Staying Secure in an Era of Connectivity,” reveals an almost universal expectation that cyberattacks will disrupt ship operations in the coming years. Three quarters of maritime professionals believe a cyberincident is likely to force the closure of a strategic waterway (76 percent). More than half expect cyberattacks to cause ship collisions (60 percent), groundings (68 percent), and even result in physical injury or death (56 percent) as an overwhelming majority (79 percent) of professionals say the industry considers cybersecurity risks to be as important as health and safety risks.

While this new era of connectivity is resulting in new vulnerabilities, it is also enabling new possibilities, according to DNV’s research. Some 87 percent of maritime professionals say the future of the industry relies on an increase in connected networks, and 85 percent say that connected technologies are helping the industry reduce emissions.

“Cybersecurity is a growing safety risk, perhaps even ‘the’ risk for the coming decade,” said Knut Orbeck-Nilssen, CEO Maritime at DNV. “But crucially, it is also an enabler of innovation and decarbonization. Because as we pursue greener, safer and more efficient global shipping, the digital transformation of the industry is deeply dependent on securing these inter-connected assets. Making it vital that we work collaboratively to strengthen our collective cybersecurity.”

Stronger incoming regulations set a platform for cybersecurity investment

Tighter regulation of maritime cybersecurity is on the horizon as industry bodies and government authorities seek to encourage the sector to improve its security posture. Maritime organizations must prepare to comply with new rules, including the IACS Unified Requirements and the EU’s NIS2 Directive from 2024.

Most maritime professionals believe that regulation provides the strongest motivator to unlock much-needed cybersecurity funding, according to DNV’s research. Eighty-four percent believe that it will drive investment in cybersecurity, but only just over half are confident in the effectiveness of cybersecurity regulation (56 percent) and in their ability to meet requirements. Just 36 percent of maritime professionals agree that complying with cybersecurity regulation is straightforward and almost half (44 percent) say that regulatory compliance requires technical knowledge that their organization does not possess in-house.

“Regulation only sets a baseline for cybersecurity. It doesn’t guarantee security. Rather than taking it as our goal, the maritime industry should use it as a foundation, on which to further improve and adapt to the changing threat landscape,” said Einarsson. “As we have seen in the safety domain, regulation becomes more straightforward and effective when it is supported by industry players coming together to share knowledge. Our research indicates that the industry needs to take big steps forward in openly sharing cybersecurity experiences – the good, the bad and the ugly – to collectively create security best practice guidance for a safer, more sustainable maritime sector.”

Barely three in 10 (31 percent) maritime professionals believe that organizations are effective at sharing information and lessons learned around cybersecurity threats and incidents. This lack of transparency is reflected in the belief of the majority (60 percent) that the maritime industry lacks standards for building an effective, repeatable approach to cybersecurity.

DNV recommends maritime organizations take the following actions:

• Consider cybersecurity as an enabler.
• Treat cyber-risks like safety risks in an operational setting.
• Champion insight-sharing across the industry.
• Reframe regulation as the baseline to improve cybersecurity posture.
• Rethink how to manage supply chain vulnerabilities.
• Resource a strategy for more effective training.
• Maintain an “analog fallback option” amid the shift to connected systems.

– DNV

By Rich Miller