Admiral Nelson's blind eye, Maersk and Petya
At the Battle of Copenhagen in 1801, Admiral Nelson famously stated that he had the right to be blind sometimes. He raised his telescope to his blind eye and thus did not read the signal to retreat from the battlefield. Sometimes in life, turning a blind eye to a problem can pay off; in this case, the Royal Navy won a significant sea battle. When considering the cyber threat to the maritime sector, turning a blind eye will not lead to a resilient security posture.
Recognising the dynamic nature of cyber risks to the maritime sector, BIMCO has just released a timely new edition of their Guidelines on Cyber Security Onboard Ships (2nd Edition). It includes new advice on how to segregate networks, the management of ship-to-shore interfaces and the handling of cybersecurity during port visits. There is also an additional chapter on insurance cover and cyber risk management. However, experience from other sectors suggests that standards (PCI-DSS), regulation (GDPR) and a desire to maintain a good reputation (Financial Sector) are equally, if not more, important drivers for change. Whilst the Petya wiper virus did impact upon the maritime sector (the logistics chain), I suspect that most entities within the maritime sector will continue to underplay cyber risks, as the downsides of cyber risks have yet to be experienced across the maritime domain. It is the "not going to happen to me" syndrome. This is not the time to turn the Nelsonian blind eye to a significant threat. At the very least, we should develop a mature understanding of the scope of the cyber risks, including IT, IoT and OT aspects, assure ourselves of the resilience of our supply chain and demonstrate that we can react to a cyber incident as effectively as Maersk did. In which direction are you looking?