SHIPPING

Guest Commentary: Angeliki Zisimatou
Director Cybersecurity | American Bureau of Shipping (ABS)

Risk, requirements and regulation: preparing for growing cyber threats

Cyber incidents in maritime are increasing in number and sophistication, with new forms of connectivity and new digital technologies creating additional risk for an industry that for a long time felt insulated from direct, targeted cyber attacks. To address these risks, the industry has seen the implementation of various regulations driven by industry-led initiatives, but a global unified standard has yet to be developed. Shipowners must address recent regulations while keeping an eye on the horizon for the development of a more substantial regulatory framework.

New Unified Requirements from IACS covering ships and systems, new rules from the US Coast Guard covering US flagged vessels, guidelines from EMSA and Bimco are all in place or coming soon. Since the introduction of provisions in the ISM Code, the IMO has kept an eye on cybersecurity and will focus on the topic as a discussion item again in the near future.

Cyber presents a multi-faceted problem for shipping, a reality compounded by contrasting approaches to the problem that divide along familiar lines. Many operators are taking the issue seriously, but the response often depends on their size and capability – and whether they have previous experience of a cyber incident. Some are investing heavily, establishing their own Security Operations Centres and cyber teams as well as addressing supply chain vulnerabilities. Smaller operators are less well advanced in the process of assessment and preparedness.

The same pattern broadly applies among vendors, with large original equipment manufacturers working to IEC standards and smaller technology providers sometimes struggling to meet the IACS requirements. At the same time, the noise around the subject and the welter of competing products are confusing buyers who find it hard to determine what will and won’t make a difference.

The same trend can be observed among shipyards, with some fully engaged and others believing their role as an integrator is primarily to collect information from vendors. In fact, the requirements of the IACS URs are quite specific in terms of what ship and system security should look like and there may be gaps in the data collected.

Among the challenges for operators is that effective cybersecurity generally requires a risk-based approach, whereas most maritime regulations attempt to be prescriptive in nature to better guide operators and assist them with implementation efforts. The lack of common data formats and the assumption that implementation of minimum security control levels is good enough can lead to compliance, but not necessarily security.

Some vessel operators continue to believe that being »air-gapped« from the internet or using only minimal connectivity reduces their risk to an acceptably low level. This assumption discounts the reality that 83 % of organizations reported at least one attack attributed to insiders, normally employees, whether intentional or otherwise.

All operators, regardless of size, should start from the same baseline, but there are no restrictions on going further. All should, at the very least, have completed a risk management plan to understand their assets, associated vulnerabilities, and mitigating actions. A major factor in building that plan is understanding the human factor and the risks that accrue from the lack of training and awareness. Crew training in particular is critical, as many crewmembers have not had cybersecurity training and are not aware of the risks.

With geopolitical risks against shipping continuing to grow, the need for awareness, preparation and training will continue to grow. Ships operating in high-risk areas present remote targets of opportunity that hackers can target to disrupt shipboard systems or carry out phishing and social engineering attacks against crew. In these cases, vessel operators need to establish procedures that encourage crew to play a role in minimising cyber risk and understanding what potential threats look like. The landscape is constantly changing, so this training and knowledge building must be considered as an ongoing process. The most important step is not to rely solely on the controls provided by regulations to feel cyber secure. Using them as a starting point, vessel operators must acknowledge the necessity for additional measures, which will inevitably require increased investment and resources. This commitment to enhanced cybersecurity should be an ongoing effort.

The industry would also benefit from an anonymised system of reporting so that experiences and risks can be shared, similar to the ship safety database developed some years ago by ABS and Lamar University. USCG already requires a degree of information sharing regarding cyber incidents, so the trend will accelerate.

The industry also needs to carefully consider the cybersecurity of new technologies in shipping and the ever-present risk stemming from the long supply chain that connects third party equipment and system suppliers to operators.

The potential of machine learning, IoT, blockchain technologies and digital twins is clear, but some of these applications pose technology risks that have not been tested enough to provide historic vulnerability data. The prospect of AI in shipping is exciting to some, but do users understand how it can be exploited for malign intent?

At a time of so much information available to shipowners, the role of class as a source of impartial advice has never been more important. Some digital security experts suggest that cyber incidents of one sort or another are virtually inevitable, and it is best to consider them as such. The risk is real, but class has a collective responsibility in helping to defend the shipping industry and it is one we take seriously.

HANSA – International Maritime Journal 04 | 2025

»Hackers are increasing their use of AI«

In a recent maritime cyber threat report, Norway-based SatComm specialist Marlink highlighted the changing tactics of cyber criminals, who are increasingly attempting to bypass previously effective security controls using new tools. Analysts observed a continued rise in common threats using Command and Control (C&C) infrastructure to create botnet threats, which are growing in number and complexity. Phishing continues to be the leading tactic used by attackers to gain access to corporate networks, though the Security Operations Centre (SOC) also detected an increase in blacklisted malicious traffic. According to the report, malicious actors are evolving their attack patterns and launching fraudulent campaigns that bypass previously effective security controls, such as two-factor authentication, forcing defenders to react and raise the security level to ensure operations are safeguarded. During 2024, a significant portion of the threats neutralised by the SOC have continued to follow the most common attack vector seen since 2022: phishing. However, in this period, there has been a notable increase in a more advanced form known as »reverse proxy phishing«.

Phishing is a classic method where attackers impersonate legitimate entities (like banks or service providers) to trick users into providing sensitive information, such as login credentials or financial data. Traditional phishing often relies on fake websites or fraudulent e-mails to capture user data. »Reverse proxy phishing«, on the other hand, is a more sophisticated version. Instead of simply creating a fake website, the attacker sets up a »proxy« that sits between the legitimate website and the victim. This proxy captures the user’s credentials and, in real-time, forwards them to the actual site, making the victim feel like everything is normal. The danger of this method lies in the fact that it can bypass multi-factor authentication (MFA), which is commonly used to protect sensitive systems. Reverse proxy phishing is a technique used to steal credentials or bypass multi-factor authentication. Once attackers gain access to a network, they can deploy C&C infrastructure to remotely control compromised systems. This could enable the creation of botnets—large networks of infected devices used for malicious activities like Distributed Denial of Service (DDoS) attacks.

4 questions to ...
Nicola Furgé
President | Marlink Digital

In 2024 Marlink took over Diverto & Port-IT for the growing business field of cybersecurity. What synergies do you expect?

Nicola Furgé: Marlink has brought together the resources of Diverto and Port-IT with Marlink’s cyber solutions to address growth of cyber threats and the increasing need for compliance. This structure combines existing expertise within Marlink with the skills, resources and geographic presence from the acquisition of Diverto and Port-IT. Some 150 cyber experts will focus on developing and delivering the solutions customers need to address emerging cyber challenges.

How do you arm yourself and your systems against cyber attacks?

Furgé: Ideally owners and operators need to start with a blank sheet of paper. Even if you have deployed multiple protection layers (e.g. anti-virus, endpoint or network security software) you need to understand your broader security posture, where the risks exist and what threats look like. That can mean performing vulnerability assessments and penetration testing to understand where your security is and where it needs to get to. We operate a portfolio of Security Operations Centres including one dedicated to maritime, which will support proactive threat detection as well as defensive solutions for networks, protecting assets down to the level of individual users.

In your opinion, does the cyber risk increase with new ships as more digital technology can be installed, or does it decrease because these new ships and their technologies themselves are better protected against cyber attacks?

Furgé: Arguably the increase in use of digital technology onboard does increase the cyber risk. The increased volume of bandwidth available to users and therefore increased volumes of traffic makes the industry more exposed. This is particularly true in the case of LEO internet because the greater use by crew inherently increases the risks for phishing and social engineering attacks. Cyber security for LEO internet is applied as part of the typical hybrid network configuration we deploy for owners and operators. The Maritime SOC report published last year by Marlink also noted that hackers are increasing their use of AI to attack targets and overcome two-factor authentication, so owners need to position themselves for increased risks in future.

What homework do shipowners have?

Furgé: As well as the assessment of risk and specific threats they face, shipowners need to remember that most cyber incidents have their roots in human behaviour. The best designed systems will support users to act safely and consistently but in all cases, owners need to ensure that crew are trained to be aware of threats and have an understanding of what they need to do to protect themselves, their colleagues and their employer from cyber threats. Shipowners also need to understand how they are affected by regulation, which is growing tighter as cyber risk increases. The most recent, IACS UR E26, aims to provide a minimum set of requirements for cyber resilience of ships. Intended for the design, construction, commissioning and operational life of the newbuildings, it is likely that equivalent requirements will be extended to existing vessels in future. Its related requirement, UR E27, aims to provide the minimum security capabilities for systems and equipment to be considered cyber resilient and is intended for third party equipment suppliers. Other regional regimes, some specific to the industry and others more general in nature, have the potential to levy severe financial penalties for non-compliance.

Questions: Michael Meyer

Schiffahrts-Verlag Hansa GmbH & Co. KG | Stadthausbrücke 4 20355 Hamburg
Tel. +49 (0)40 707080-01
Fax +49 (0)40 707080-208
Contact us: redaktion@hansa-online.de