As shipping is no stranger to piracy, according to Justin Fimland, founder and president of NuHarbor Security, the DNV attack shows the asymmetric impact of supply chain attacks on key vendors.
Fimlaid spoke to Container News, about the recent incident of a ransomware cyber attack on DNV’s ShipManager software, which led to a disruption of over 1,000 ships globally.
Justin Fimland noted the fact that DNV and their captains were well prepared and briefed on legacy operating protocols, and as a result, further damage was avoided.
“The lessons from this event are that critical components of international commerce machinery remain vulnerable to cyber threats, and the unpredictability of these threats demands the means for business continuity, even if newer systems are offline,” he told Container News.
Responding to whether the digital transformation of the shipping industry increases cyber vulnerability, he confirmed the rising risk caused by new technologies and digital systems pointing out, though, that this is something that happens to every organisation on an edge computing journey, not just the shipping industry.
“While these systems can speed up commerce and information sharing, they can also become a single point of failure. A single cybersecurity attack can have a one-to-many effect,” he emphasised.
An attack on a central communication hub can impact the timeliness of information that all ships using that system might send or receive, according to Fimland.
President of NuHarbor Security believes that “the actual impact on operations depends on the contingency plans operated by the shipping company and individual ships.”
Additionally, Justin Fimland noted that “the greatest responsibility falls on the person or unit responsible for system availability”, as the “onus is on them” to protect and restore impacted systems.
The best precautionary measure is the accumulation of well-executed cybersecurity tactics, according to Fimland, who said that “Specific to ransomware, this includes securing email gateways to prevent spam and other nefarious email activity, training staff members to spot social engineering and other malicious communication, and implementing a robust endpoint security strategy.”
