No Safe Harbor: Cyber Risks in the Maritime Domain

At the Hack the Port conference in March 2022, DHS CISA director Jen Easterly highlighted the many cyber risks in the maritime supply chain.

At the broadest level, 70-80% of world trade travels by sea. The world’s shipping industry is a truly global phenomenon – relying on an interlocking network of international participants.

Consider a typical merchant vessel, the fictitious M/V RUSTY SCUPPER.

  • She sails under a foreign “flag of convenience”, meaning she’s registered in the West African nation of Togo where there is more forgiving oversight.
  • Her owners are an amalgam of moneyed interests who pooled their capital in a limited-liability company in the Cayman Islands.
  • She is insured by a company in London.
  • She hauls cargo for many suppliers to many buyers, from washing machines to wicker furniture to cheap plastic toys, coordinated by a shipping firm in Hamburg.

You only need to read about long wait times at the Port of Los Angeles to understand one aspect of what a supply-chain breakdown could look like. Worse is the NotPetya malware attack that took down shipping conglomerate Maersk and cost $300 million in damages:

A major cyber disruption can have almost unending downstream effects: no toys under the Christmas tree, no petroleum to drive your car, and no bicycle pump to fill up the bike’s tires so you can pedal to see the empty grocery store shelves after the gas runs out. I guess you’re walking. Ugh! Those new sneakers didn’t make it either.

Yet, the threats don’t really differ between the maritime domain and other major industries, running the gamut from advanced threat actors to cyber criminals—either after money or information. The complexity of defending this industry is compounded by the fact that it comprises many systems. No one actor or oversight body exists to protect it.

The excellent Atlantic Council report covers many of the same issues in depth and is well worth a read by industry insiders:
