Skip to content
hacking shipping industry

Cyber security in the shipping industry

I recently visited Athens to visit some clients and attended the Digital Ship conference and, my goodness, was it an eye-opening experience!

Whether or not you consider yourself a professional in the maritime industry, a service provider or just a general citizen of the world, technology and digitalisation is everywhere; the maritime industry, it seems, is JUST coming around to the fact.

Much like HR, PR, marketing and communications, the maritime industry generally (not a universal statement!) is a little behind the times when it comes to embracing the digital era we live in.

Beware, it's coming. In fact, it's already here.

After my morning wake-up routine, not a pretty one, believe me, I headed to the event with trepidation and excitement.
I'd not been to a Digital Ship event before, but after Tuesday's conference I'll make sure it won't be my last.
A veritable who's who of shipping professionals in one space; what could be better for a recruiter?! But as soon as the presenters took to the floor it became evident to me that this was going to be much more of an educational visit than it was a business opportunity.

Digitalisation is happening across the industry and has been for a long time.

Software to improve vessel efficiency, to track where your cargo is and ECDIS are obvious examples of the industry coming to terms with technology, but it's actually becoming illegal not to keep up; by 2018 all vessels must have ECDIS technology on them.
In the same year the GDPR regulations come in to effect (May 25, 2018 for anyone unaware), in an attempt to regulate data and information in Europe.
All of these things present a massive dilemma for an industry that's slightly stuck in its ways: what are we going to do to make sure we're compliant, safe and on top of things?

The initial vibe I picked up from the shipowners was one of negativity towards digitalisaton.

"We don't need to worry about that until it happens, then we can rectify it. We'll adopt protective measures when it's actually happened to us"
Scary thought – it's likely to have already happened to your ship or company and you had no idea or wouldn't listen when someone detected it had.

A number of speakers mentioned that they'd seen a lack of interest, understanding or awareness by the C-Suite in the industry, who felt irresponsible for securing the cyber safety of their companies and instead put this on young talent and bringing the knowledge in to the company. The digital revolution is well and truly under way in the industry, so the idea of "putting a plaster on the hack" isn't plausible to sustain a safe working environment.

Ernst & Young cite that 87% of C-Suite members of staff questioned in their recent survey in the transportation industry "lack confidence" in their systems and 44% of those surveyed admitted their organisation doesn't have a security function. Of course, this is generally across the transportation industry, however it's an alarming percentage of industry leaders who aren't up to speed.

The Nautical Institute has been monitoring cyber security since 2014. On initial discussions with shipping companies, most didn't know they were at risk to cyber-attacks. I’d recommend reading their 12th issue of “The Navigator” magazine, totally dedicated to cyber security.

You may be thinking at this point, "This blog is ridiculous and doesn't apply to me, I'm not an Executive, Owner or Manager" You'd be wrong to think this.

Across the day it became apparent that literally anybody can be responsible for a cyber-attack on their organisation. I say organisation, not vessel, because it's bigger than just shipowners or managers. I was astounded and terrified to learn of the multiple ways a company can be targeted, whether it be for financial gain or just a bragging right.

I learnt that any organisation in the maritime industry could be hacked negatively (more on the negative later), for any number of reasons. Whether it be a shipowner, port or 3PL for information, to disrupt operations or to garner money, everyone is at risk.

This doesn't just apply to the maritime industry, of course. Hudson Analytix note that by 2020 an estimated 200 billion devices will be connected to the Internet of Things. 200 BILLION DEVICES! Makes you start to think about what you're doing with your own personal data, doesn't it!?

The new GDPR regulations coming in to place mean that every company, if hosting data, must have a CSO by 25th May, 2018. Should any data leak, the company it has leaked from has an obligation to report this within 72 hours to any staff or party that the data has leaked from otherwise they can incur a fine of up to 4% on annual revenue. This doesn't just apply to the maritime industry, however in a truly global industry when so much data is shared on a daily basis it's a big deal.

It's a big deal for everyone, really.

This blog has been largely negative and scary thus far, HOWEVER the point of the conference was to be the opposite. It's simple and easy to prevent scary things happening to your company; EDUCATE YOURSELF AND YOUR STAFF!

Not enough effort has been made by companies to help employees understand the various and, largely unknown, major pitfalls that can lead to cyber-attacks. Seafarers plugging their personal devices in to ECDIS equipment or USB sticks being put in to shorebased, office computers – they can both lead to a breach in security in some way, shape or form.

The overwhelming message of the conference was: EDUCATION, EDUCATION, EDUCATION!
People are ignorant to the matter; I certainly was!

Dr Whitfield suggested that there was poor communication regarding the problem and there was a lack of commitment and following up from the C-Suite downwards as well as a lack of business understanding; it is not a matter of "IF" something goes wrong, but "WHEN".

Regardless, it's inevitable that a cyber-attack is going to happen to your company regardless of your size or nature. Shipping companies should be coming to terms with the fact that you should be preventing the issues, rather than waiting to detect and then respond to them.

It's about educating the staff who are on the front line.

Training and educating on the technology in use is the most important factor, and once we're all aware the threat will become so much less of an issue.

There are campaigns like “Be Cyber Aware at Sea”, run by Jordan Wylie ( , and the CSO Alliance, run by Mark Sutcliffe ( , which are educating the maritime industry regarding cyber intelligence and resilience.

I mentioned earlier about a “negative” hack. Surely all hackers are horrible, faceless people in hoodies out to destroy your company? Well, no. Ethical hackers are able to conduct penetration testing on an organisation to test how cyber resilient your organisation is. Worryingly, when Ernst & Young offered this service to a number of vendors to the maritime industry, 0% took them up on their offer to test their services. Again, this is a simple and easy way for companies to test whether or not they’re cyber-secure, to educate themselves and also to change people’s perception of a “hacker” – all in all, it just makes sense!

It seems to me that we ALL, whether we be maritime professionals or just little Matt King from Spinnaker Global, should be paying more attention to what we're doing and trying to educate ourselves on the threats, rather than wait until it's too late and a hacker has spent all of our money on clothes we'd never wear, locked us out of our bank accounts and changed our name to Princess Consuela Banana-Hammock.

The digital era is real, and it’s here.

Matt King is Senior Consultant for Spinnaker Global's Sales, Marketing & Business Development division. Find out more about Matt's team here:

Thank you! Your subscription has been confirmed. You'll hear from us soon.