Tightening regulation raises hopes for greater investment in cyber security to be unlocked
New research published by DNV reveals that less than half (40%) of maritime professionals think their organization is investing enough in cyber security at a time when vessels and other critical infrastructure are becoming increasingly networked and connected to IT systems.
While the maritime industry has focused on enhancing IT security over recent decades, the security of operational technology (OT) – which manages, monitors, controls and automates physical assets such sensors, switches, safety and navigation systems, and vessels – is a more recent and increasingly urgent risk. Three quarters (75%) of the 800 industry professionals surveyed by DNV believe that OT security is a significantly higher priority for their organization than it was just two years ago. Just one in three is confident that their organization’s OT cyber security is as strong as its IT security.
“The maritime industry is still thinking IT in an era of connected systems and assets,” says Svante Einarsson, Head of Maritime Cyber Security Advisory at DNV. “With ship systems being increasingly interconnected with the outside world, cyber-attacks on OT are likely to have a bigger impact in the future.”
DNV’s new research report Maritime Cyber Priority 2023: Staying secure in an era of connectivity reveals an almost universal expectation that cyber-attacks will disrupt ship operations in the coming years. Three quarters of maritime professionals believe a cyber incident is likely to force the closure of a strategic waterway (76%). More than half expect cyber-attacks to cause ship collisions (60%), groundings (68%), and even result in physical injury or death (56%) as an overwhelming majority (79%) of professionals say the industry considers cyber security risks to be as important as health and safety risks.
While this new era of connectivity is resulting in new vulnerabilities, it is also enabling new possibilities, according to DNV’s research. Some 87% of maritime professionals say the future of the industry relies on an increase in connected networks, and 85% say that connected technologies are helping the industry reduce emissions.
“Cyber security is a growing safety risk, perhaps even “the” risk for the coming decade,” says Knut Ørbeck-Nilssen, CEO Maritime at DNV. “But crucially, it is also an enabler of innovation and decarbonization. Because as we pursue greener, safer, and more efficient global shipping, the digital transformation of the industry is deeply dependent on securing these inter-connected assets. Making it vital that we work collaboratively to strengthen our collective cyber security.”
DNV’s wider Cyber Priority research explores the changing attitudes and approaches to cyber security in key industrial sectors, and includes a complementary report on the energy industry: Energy Cyber Priority: Closing the gap between awareness and action.
Stronger incoming regulations set a platform for cyber security investment
Tighter regulation of maritime cyber security is on the horizon as industry bodies and government authorities seek to encourage the sector to improve its security posture. Maritime organizations must prepare to comply with new rules, including the IACS Unified Requirements and the EU’s NIS2 Directive from 2024. Most maritime professionals believe that regulation provides the strongest motivator to unlock much-needed cyber security funding, according to DNV’s research. 84% believe that it will drive investment in cyber security, but only just over half are confident the effectiveness of cyber security regulation (56%) and in their ability to meet requirements. Just 36% of maritime professionals agree that complying with cyber security regulation is straightforward and almost half (44%) say that regulatory compliance requires technical knowledge that their organization does not possess in-house.
“Regulation only sets a baseline for cyber security. It’s doesn’t guarantee security. Rather than taking it as our goal, the maritime industry should use it as a foundation, on which to further improve and adapt to the changing threat landscape,” says Svante Einarsson, Head of Maritime Cyber Security Advisory, DNV. “As we have seen in the safety domain, regulation becomes more straightforward and effective when it is supported by industry players coming together to share knowledge. Our research indicates that the industry needs to take big steps forward in openly sharing cyber security experiences – the good, the bad and the ugly – to collectively create security best practice guidance for a safer, more sustainable maritime sector.”
Barely three in 10 (31%) maritime professionals believe that organizations are effective at sharing information and lessons learned around cyber security threats and incidents. This lack of transparency is reflected in the belief of the majority (60%) that the maritime industry lacks standards for building an effective, repeatable approach to cyber security.
In the Maritime Cyber Priority 2023, DNV recommends maritime organisations take the following actions.
- Consider cyber security as an enabler
- Treat cyber risks like safety risks in an operational setting
- Champion insight-sharing across the industry
- Reframe regulation as the baseline to improve cyber security posture
- Rethink how to manage supply chain vulnerabilities
- Resource a strategy for more effective training
- Maintain an ‘analogue fallback option’ amid the shift to connected systems
DNV Cyber Priority research
DNV’s Cyber Priority research explores the changing attitudes and approaches to cyber security in key industrial sectors. The research draws on surveys of industry professionals complemented by in-depth interviews with leaders and experts. In June 2023, we published the latest edition of the research with reports on cyber security in the Maritime and Energy industries:
Maritime Cyber Priority 2023: Staying secure in an era of connectivity. Research based on a survey of 801 maritime professionals conducted in March and April 2023, complemented by in-depth interviews with leaders and experts from leading maritime organizations including the US Coast Guard, Wärtsilä, Meyer Werft, Bundeswehr (German navy), Stena Drilling, Beazley, Hamburg Port Authority, UK Chamber of Shipping, and DNV.
Energy Cyber Priority 2023: Closing the gap between awareness and action. Research based on a survey of 601 energy professionals conducted in February and March 2023, complemented by in-depth interviews with leaders and experts from leading energy sector companies including Equinor, Dominion Energy, Vattenfall, Institute for Security and Safety, Skagerak Energi, SCADAfence, and DNV.
DNV is an independent assurance and risk management provider, operating in more than 100 countries. Through its broad experience and deep expertise DNV advances safety and sustainable performance, sets industry standards, and inspires and invents solutions.
DNV combines specialist sector knowledge of with engineering expertise and information system best practice to secure critical infrastructure projects and operations from cyber threats. The company provides many of the world’s most successful and forward-thinking companies with clear and practical advice to uncover their cyber risks, build a powerful force of defence against threats, recover from attacks, and unite stakeholders behind cyber security programmes that everyone can believe in.
DNV in the maritime industry
DNV is the world’s leading classification society and a recognized advisor for the maritime industry. We enhance safety, quality, energy efficiency and environmental performance of the global shipping industry – across all vessel types and offshore structures. We invest heavily in research and development to find solutions, together with the industry, that address strategic, operational or regulatory challenges.