In the high-stakes game of maritime security, the enemy isn’t always who you think. While the headlines scream about geopolitical hotspots like the Red Sea and the Black Sea, Marlink says that the silent, insidious threat of cyberattacks is arguably the biggest menace to business continuity in the shipping industry today. It’s a bold claim, but one that’s backed by the stark reality of the industry’s transformation. We’ve gone from a niche, low-bandwidth business to a high-value target with political and economic significance, and the bad guys are taking notice.
The maritime industry’s digital evolution has been a double-edged sword. On one hand, it’s brought us into the 21st century, connecting ships to shore with high-speed internet and advanced applications. On the other, it’s made us a juicy target for cybercriminals. The good news is that counter-measures exist. The bad news is that the game is still heavily weighted in favour of the attackers. The industry is a patchwork of leaders, followers, and laggards, and it’s the laggards who should be causing us sleepless nights. Until recently, these stragglers have been relying on little more than anti-virus software and a lot of hope. But with the odds shifting in favour of the hackers, it’s time to get proactive.
The regulatory landscape is evolving, but it’s a slow process. The IMO’s 2021 additions to the ISM Code were a step in the right direction, but they were more of a guide to best practice than a hard-and-fast rule. The TMSA and SIRE standards up the ante, but they’re specific to certain market sectors. The US Coast Guard and IMO are cooking up more regulations, but in the meantime, the newest kids on the block are the IACS Unified Requirements E26 and E27. UR E26 sets mandatory cybersecurity baselines for new builds, with E27 covering shipboard systems. It’s a start, but it’s a low bar, and it only applies to newbuildings. Why would owners protect their new ships but leave their existing assets vulnerable?
The answer, sadly, is often down to cost and convenience. But as the old Andorran goat herder’s saying goes, “A man with two houses doesn’t leave one unlocked to protect the other.” Owners need to wake up and smell the cyber-coffee. The value of their assets, the risk to their cargo, and the impact on their balance sheet from a successful attack are all the same, regardless of the ship’s age. Pressure to extend similar measures to existing ships is likely to grow, with charterers and insurers best placed to push vessel owners to ensure that compliance is consistent across the fleet.
But here’s the rub: the IACS URs have their critics, who fear that box-ticking is driving compliance rather than positive action. It’s a fair point, but it overlooks the reality of obtaining consensus within IACS. The growing pressure for cybersecurity, however, enables shipping companies to meet the baseline standards and go further, adopting more rigorous approaches in terms of technology, training, procedures, and awareness. The evidence from tried and tested industry standards is that they can embed cyber risk awareness within the supply chain and make it a condition of doing business.
So, what does this all mean for the future of the maritime industry? It’s clear that owners need to face the uncomfortable truth that to retain their status as reputable, investable operators, they will need to implement an in-depth cyber audit across their fleets. UR E26 should be a starting point, not an end point. The industry needs to get serious about cybersecurity, and fast. Because in this high-stakes game, the enemy is always evolving, and we need to be one step ahead. The future of maritime security is digital, and it’s time we all woke up and smelled the cyber-coffee.