The Economic Impact of Cyberattacks on the Maritime Industry
1.2. Problem Statement
Not only ships, but port facilities are also potential victims of cyber attacks. In the case of the Port of Antwerp, a drug syndicate that cooperates with certain mafia and terrorist organizations successfully infiltrated the system to move thousands of containers containing drugs and illegal firearms to evade customs inspection. If we can imagine that the same incidents occur for the movement of dangerous goods and hazardous cargoes, very catastrophic consequences will occur. In other cases, such as oil rigs, offshore facilities, and yachting races, it is clear that the dependency on technology should be offset with increased cybersecurity measures.
Due to the rapid increase in the use of technology, especially automation, in the last ten years, the maritime community is becoming more and more vulnerable to cyber attacks. According to a study by security research firm IOActive, 21 out of 32 shipping companies surveyed were using outdated systems, such as Windows XP and Windows 98, which have well-known vulnerabilities to cyber attacks. In other cases, the use of base transceiver stations (BTS) on certain ships that still use unencrypted WiFi for data transfer are soft targets for these attacks.
A cyber attack occurs when a computer or mobile device is intentionally exposed to malicious code, such as viruses, trojans, and worms. Internationally, some frightening incidents have occurred. For example, Maritime Silkroad’s (DMT) vice president, Mr. Cyrus Menke, claimed that his company lost hundreds of millions of Euros on intellectual property due to a persistent attack on its communication systems. Another case involves a fraudulent transfer of 75 million dollars from a bank account in Cyprus, which also involves a German shipping company with offices in Hamburg. Although this case has not been reported in the media, it is a critical case for the merchant.
1.3. Research Questions
The research will develop a qualitative assessment method to provide an in-depth understanding of how real cyber security incidents are and the duration of impacts. This will involve working with security professionals and industry experts to identify and analyze specific incidents and their consequences, through a series of structured interviews and a Delphi-style study.
The research question will aim to clearly identify these vulnerabilities and any resulting costs, and will investigate which specific types of attack have had the most impact. This will involve understanding the nature of the threats and the frequency with which attacks occur, to determine their overall effect on the industry.
A sound research question should aim to cover points that need extensive research in order to fill gaps in the literature. One of the biggest issues that researchers found in the second question of this paper, “Effect of cyber-attacks on the maritime industry,” is that ship owners and operators have been quick to embrace the significant efficiency gains offered by a more connected, digital approach to business. It has transformed the ability to monitor, track, and control physical assets and equipment in ways that have delivered considerable cost savings, but has also opened new vulnerabilities in the process.
2. Literature Review
There is also a more recent piece of work from Cepolina, E., et al. who have written a report on the economic impact of a cyber attack on a complex system. Though this is more general and does not focus on the maritime industry, it is still related as it can be looked at from an analogous point of view. The report describes the damage to reputation and the direct and indirect costs as the aftermath of a cyber attack on a complex system. This is also very similar to the kind of impacts the attacks will have on the maritime industry. There are descriptions of simulation of attack and defense strategies and also propagation of attack through the network, which have been becoming ever increasingly possible as technology advances. This is highly relevant to the maritime industry and the types of simulation can be carried over to the complex systems within ports and other locations connected to the maritime industry. This can give insight into how modern-day and future cyber attacks will affect the various locations within the maritime industry and may give ideas of how to prevent or minimize outcomes of such attacks. The use of simulation and modeling for the types of attacks and different locations can also draw a direct comparison with Cepolina, E. et al.’s work and throughout the different research, similar models may be used to demonstrate the different types of attacks, location, and associated impacts.
Schatz, E.G., has written a paper on locating the significant risks in a maritime port system. This is closely related to cyber attacks and focuses on a methodology of identifying vulnerable locations from an attacker’s perspective and then analyzing the risks associated with each different type of attack. This can then be used to apply risk management to different areas of the port system to try and reduce the possible outcomes of attacks if they were to occur. Although location and various different types of attacks have their own different associated risks and Schatz, E.G. only focuses on physical events, it would still be useful to interpret each location from an attacker’s perspective in a cyber attack and then try to prevent the attacks occurring or reduce the risks of the outcome. This is because, should there be an expected economic impact of a certain attack type on a location, it can be further researched and risk management may be applied similar to Schatz, E.G.’s scenario. All the tools and methodology may be directly transferable to the cyber attack scenario, but further research can be initiated in a more theoretical way drawing comparisons between the two types of risks.
The literary review focuses on all the previous works on the economic impact of cyber attacks. As the economic impact can be direct or indirect, it becomes a very complex topic to research. Moreover, some impacts can be on specific sectors. The literature review aims to uncover all the different types of impacts that have been studied previously.
2.1. Overview of Cyberattacks in the Maritime Industry
In 2011, the US National Broadband Plan literature suggested that the majority of economic and societal advancements are reliant on cybersecurity. This was echoed by Roland Freudenmann, who mentioned that the sustainable deployment of e-navigation and IT technologies in the maritime industry is reliant on a framework of confidence that these systems are safe from cyberattack. This is the key issue; as a rapid increase in the usage of advanced technology in an industry that was once fully operational without the need for internet systems makes the maritime industry a bigger target for cyberattacks, with potential attackers seeing it as an opportunity to extort vast amounts of money from companies with the data that they can breach. In reference to the Ponemon Institutes 2011 annual study concerning the cost of cybercrime, cyberattacks against companies incur a range of costs from the detection and defense against cybercrime to the damage control and the cost of fines that may be imposed by failing to protect client data. Attacks have a varying range of methods and may cause anything from temporary system outages with the intent to disrupt operations to the theft of intellectual property and sensitive information, which can have a lasting damaging effect on a company’s future.
Cyberattacks can be defined as an intentional malicious act to exploit technological devices for personal or political gains. This form of attack can cause serious harm to various industries as it often leads to breaches of personal information and company data, which is used to exploit and extort those affected by the cyberattack. As industries evolve into an age where advanced technology and the use of internet-based systems become more prevalent in everyday activities, the potential for damage caused by a cyberattack becomes more of a real threat. The maritime industry is no exception as recent advances in technology have seen a transition from traditional operational procedures to more advanced and efficient technical systems in the form of electronic chart displays, GPS tracking devices, and automated identification systems. In light of this, the potential for damage caused by a cyberattack on the maritime industry may be of serious economic detriment not only to the companies targeted but also the global economy.
2.2. Previous Studies on the Economic Impact of Cyberattacks
Since the turn of the millennium, cyber attacks have grown in prevalence and sophistication. According to a recent report published by the International Maritime Bureau, cyber attacks in the maritime sector increased by 400% between 2017 and 2018. Although it is widely recognized that cyber attacks present a significant threat to the global economy, there is little understanding of the exact mechanisms by which they do so. This is the first study to our knowledge that seeks to detail analyze the economic costs of cyber attacks, with a focus on the maritime industry. It is important to understand the economic impact of cyber attacks, insofar as it is the prospect of financial loss that will motivate firms to invest in cyber security. Without knowledge of potential losses, companies will continue to underinvest in security. This can be problematic for the maritime industry, in which investment in IT and cyber security has been historically low. A comprehensive understanding of the potential costs of cyber attacks will also allow firms to more effectively allocate resources for security, by focusing on the most vulnerable and costly elements of their IT systems. Finally, an understanding of the economic costs will enable the development of cost-effective risk management and risk transfer mechanisms, such as insurance.
2.3. Current Cybersecurity Measures in the Maritime Industry
The maritime industry is cognizant of the cyber threats and has taken steps to accommodate the changing risk landscape. Without being specific to maritime, several states and international organizations have developed regulations on cybersecurity and critical infrastructure that encompass port facilities and ships. The International Maritime Organization (IMO) has identified that while existing regulation and codes are designed to ensure the security of ships and of port facilities, there is a need to provide specific guidance on how to protect the various systems which are now being introduced on ships which are considered as operational technologies. In a recent resolution, the IMO adopted the Maritime Cyber Risk Management in Safety Management Systems (MSC-FAL.1/Circ.3). It provides high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging threats and vulnerabilities related to onboard information technology (IT) and operational technology (OT) based systems. A security-based approach is essential and practical to addressing this increasingly significant safety concern. This resolution brings attention to the fact that cybersecurity is now an integral component of safety management and that it must be addressed in the planning and execution of operational, business, and emergency procedures. Cyber risk should be managed and treated as another form of risk that could compromise essential safety operations required to mitigate the consequences of events adverse to the safety and security of the ship. The guidelines enumerate functional elements related to identifying safety objectives and processes. These policies and procedures aim to ensure that the ship is designed, constructed, maintained and operated in compliance with applicable rules and regulations so as to reduce risk to a reasonable acceptable level. They provide detailed steps on how to control and manage changes to existing processes and functionalities, assess possible emergency situations and ensure that essential safety measures and procedures are in place to mitigate adverse safety and environmental impacts. This proactive planning in risk identification and assessment culminates in the development of plans to improve the overall execution of the safety management system. The guidelines emphasize that all of the aforementioned safety objectives and processes should be under continuous review and improvement.
3. Methodology
The primary method of data collection will be an online survey aimed at industry experts. This will be a modified Delphi method survey, in which a panel of experts answers questionnaires in two or more rounds. After each round, a facilitator will provide an anonymous summary of the experts’ forecasts from the previous round, as well as the reasons they provided for their judgments. Thus, experts will have the opportunity to adjust their answers in subsequent rounds based on the others provided. A well-conducted Delphi method provides accurate results matching those of empirical studies. It is also the best method for obtaining data for scenario-based studies when the scenarios are uncertain or unrealized. Due to the typically high ranking and busy nature of the industry experts, the online method is the most effective way to reach a broad selection of knowledgeable respondents. An incentive will be offered to participants in the form of a charity donation equivalent to their participation time (to be calculated at an industry standard rate).
The research design is a descriptive study aimed at establishing the qualitative and quantitative impact of cyber attacks on the maritime industry, combined with a primary survey of industry experts. Due to the covert and technical nature of cyber attacks, there is very little empirical data concerning its cost and impact. In order to establish the possible impacts, the research will utilize hypothetical scenarios based on real events. These will be developed in consultation with IT and industry experts and cover a variety of different attack methods and goals. The scenarios will then be evaluated using industry experts to assess their validity and effectiveness before being included in the expert survey.
3.1. Research Design
The research employs a multi-method approach for investigating cyber risks and opportunities from perspectives of information technology and security specialists, as well as various business managers in marine transportation companies. An appreciative constructivist stance was taken towards the investigation of possible security breaches and data/process integrity losses that can occur in the networked information infrastructure of the maritime industry, which has never been researched before. In order to do this, a grounded understanding of the information infrastructure and its use in the industry needs to be developed. This foundational knowledge is essential for the judicious selection of a valid and representative sample of IT/information security specialists and business managers. Due to the lack of available detailed information, a preliminary exploratory study was conducted utilizing ten semi-structured interviews with IT specialists and managers in shipping companies from various sectors in order to better understand the complex patterns of the use of information technology and systems in the industry. This was ascertained through purposeful sampling at a few shipping companies in the Toronto area and was very successful in providing rich data about the types of systems and networks used and the potential security risks affecting them. This data played a crucial role in the development of the multi-phase survey study, providing invaluable information for the design of the survey questionnaires. This will all in turn provide a foundation for informed selection of interview and focus group participants in later stages of the research.
3.2. Data Collection and Analysis
Quantitative data was also gathered from an industry-wide survey investigating cyber security behavior in the maritime industry. Measures to assess behavioral characteristics were adapted from a health behavior model developed by psychologist Icek Ajzen. This was used to provide an understanding of why certain companies are better prepared than others and provide an overall recording of the industry’s readiness to prevent and respond to a cyber incident. Owing to the dearth of information on the cost of cyber-incidents, results were compared with similar incidents and assumptions were made on the cost of it failing high importance industry functions. This detailed methodology to assess a single incident was completed using data analysis forms from a previous study on the economic impact of software failures.
A Delphi method was used to gather expert opinion when quantification of impacts was not possible. This involved questioning multiple experts in 3 rounds, and after each round providing a feedback report on views and arguments from the previous round. This process continued until a consensus was reached.
Data was collected from a variety of sources due to the wide-ranging effects of cyber-attacks and a lack of single-source data. The primary empirical data consisted of interviews with industry professionals, a small number of suppliers, insurers, and legal experts. Company executives were targeted as the main source of understanding the impacts as they were felt to be the most in touch with the company financials.
3.3. Limitations of the Study
In addition to limits on the data available from industry, government, and insurance databases, the dynamic and complex nature of the maritime industry meant that a simplistic and concise analysis would not always be truly representative. The variety of ship types and operations combined with the complexity of the systems and networks, which were often built and modified over many years, meant that the potential impacts of cyber attacks and the measures to mitigate these impacts were highly variable. This factor was often seen as a positive for the industry itself due to the resulting flexibility and resilience in the face of attacks. However, meaningful analysis for this study was often not possible. The variability was further compounded by geographical and cultural differences in the way in which companies perceived and dealt with cyber attacks. An example was the different responses on questionnaires from US vs European-based companies of similar size and type where certain questions were misinterpreted due to differences in terminology or understanding of cyber attacks and their implications.
The limitations of this study were largely affected by the availability of data, its quality, and the dual need to provide meaningful analysis while protecting the interests of the respondents. As a direct result of the confidential nature of cyber attack incidents and the relatively immature insurance market, accurate data was not always available, and meaningful analysis was not always possible. A high level of respondents acknowledged the potential significance of cyber attacks on their company but were unable to provide specific details or examples. To avoid disclosing sensitive information, companies were often only able to provide limited details of cyber attack incidents, meaning that the impacts of different types of attacks could not be compared.
4. Findings and Discussion
From expert interviews, key findings concerning costs for maritime cybersecurity were summarized in a report by Nippon Foundation and Sasakawa Peace Foundation (released in second ed. 2019) that described through an illustration on current activities of a typical shipping company and annual spends for each activity. In-depth interviews were conducted with various company types, sizes, and areas of specialization. The costs were then rated at quantitative “low, medium, or high” for a general understanding of spending distributions. High spending was noted for: 1) creation of standards and implementation of rules and regulations, 2) security of developers and suppliers, 3) on-ship system security, providing important insights for detailed cost distributions. A separate study was conducted by security experts Masato Tomiyama and Dr. Ryusuke Miyamoto, who developed the first simulated cyber-attack on a maritime-specific Automatic Identification System (AIS, used for vessel identification and collision avoidance) and analyzed its network vulnerability through interface with other systems using a linear programming model. Results indicated that a substantial amount of money would need to be invested for recovery of systems to pre-attack conditions. This poses credible evidence on projected high future economic losses.
The global economy has relied heavily on the maritime industry. It facilitated over 90% of the volume of international trade. The actual shipment of trade goods, such as fuel, foods, and other materials with value produced by this industry, would not be possible without vessels to carry them from one location to the next. Taking this into account, it is not surprising to see that the global economy could be negatively affected by cyber attacks in the maritime industry. This is very important given current worldwide events (COVID-19), which has already put a hefty strain on the global economy. With this in mind, the economic losses caused by cyber attacks are the root impacts that would lead to other negative effects in the long run on both the industry and the global economy as a whole. It is not only foreseeable but also preventable. It is unfortunate to note that research on economic costs specifically related to cybersecurity is extremely lacking, to say the least. This holds true also for the maritime industry. Analysis from overall cybersecurity costs as a percentage of IT is the best indicator of economic losses incurred by any industry. Available data from Singapore’s experience for similar IT costs can be used as a reference and adjusted marginally to get a more accurate representation of maritime industry-specific costs.
4.1. Economic Losses Caused by Cyberattacks in the Maritime Industry
A major enveloped model created by the authors of this report is a likely cost of a cybersecurity breach to a port contending for the title of the World Container Port with Rotterdam or Singapore, known as Port X. The attack is an advanced persistent threat (APT) where the malware allows the attackers to map the entire network and maintain access to create maximum damage over a period of one year. This begins with the infection of a computer connected to the crane loading control system. This malware causes an automatic shutdown of a crane followed by an attempt to overload and destroy the system PLC. An investigation would result in the spread of the malware to the entire IT network as well as failure of effective management of terminal cargo handling and reduced confidence and trust in customers. The total cost of the attack would be between a low case of $110 million to a high case of $340 million. The difference between both cases in all likely costs rests on how the port and external stakeholders react to each event and the level of damage done.
Cyber attacks have the potential to cause severe economic loss throughout the maritime industry. The reliance on information technology and communication systems has opened up the industry to a higher threat of attack than in previous years. According to a recent study, cyber attacks on port infrastructure, logistics, and shipping companies would cost the global economy up to $110 billion a year – greater than the GDP of many nations. The aggregated costs of increased insurance premiums in the aftermath of an attack, the potential for class action lawsuits and compensation against third-party liability, as well as the cost of IT cleanup from viruses, worms, or malware could range between a low case of $1.4 billion and a high case of $9.6 billion.
4.2. Impact on Maritime Companies and the Global Economy
It is important to emphasize that the economic loss suffered by maritime companies affects not only the companies themselves, but the global economy. Several informants mentioned that the effects of a cyber-attack on economic activities were significant. For a company directly hit, rounded costs were estimated as being in the region of $250 million, while another company thought that a typical figure for a medium sized firm would be between $2-3 million. At the national level, one country estimated that cyber-attacks cost them around 2% of their GDP. Simulation exercises carried out in another developed country showed that the maritime sector was the third most vulnerable to cyber-attack and that disruption would lead to a significant movement of capital to more secure markets. This simulation was based on the perceived intent of cyber-attacks being carried out by another state in order to disrupt the economic activities of the target state. This is a pointed issue considering that many companies in the maritime sector might be involved in the utilities or services of a state and could be seen as legitimate targets in a time of hostility. Loss of business was considered to be a problem for companies located in any state whose political climate might result in them being a target for cyber-attacks. These companies would face a situation where they would no longer be able to obtain global impact on Maritime Companies and the Global Economy 25. A more insidious effect was that experienced by shipping companies from another state who were discriminated against in a cargo chartering or shipping contract. The increase in global economic uncertainty caused by cyber-attacks to the maritime sector was also considered to be damaging as companies would be forced to diversify into more secure but possibly less profitable markets.
4.3. Case Studies and Examples
Case studies and examples. This contains a collection of examples demonstrating cyber attacks on the maritime industry and their impact that were identified through this project and through direct contact with industry. The examples cover a wide range of attacks and the breadth of impact that they cause. No company names have been identified in order to maintain anonymity and enable the industry to openly report on cyber attacks.
The first case details an attack that was perpetrated using malware that installed a keystroke logger and backdoor exploit on a company’s PC. This attack was only discovered after the company noticed that their financial transactions to third party suppliers were not being completed. This resulted in the company employing an IT forensic professional to determine that money had been redirected to a fraudulent account. It is estimated that over $200,000 was stolen over an 18-month period. This type of attack has become very common on land-based systems and has been the greatest known cyber security threat to the industry. It is likely that it will become an increasing threat to shipping companies as they transfer to electronic payment and billing systems.
The second case describes a company who had their enterprise webmail server hacked. This was identified after it was noticed that the server was sending extremely large amounts of spam. Gazprom, which owns the server and has an established IT security policy and guidelines, had to shut down the entire server to stop the spam emails from being sent. An analysis of the server concluded that an immediate and complete rebuild was the only way to ensure that security was restored and it would also reduce risk from attack recurrence. This incident caused significant operational inconvenience and direct cost through IT professional services, but the major impact was reducing the trust and confidence in the security of electronic systems. This case provides evidence to support the claims by many industry professionals who stated that cyber security attacks are often underreported.
