The Maersk cyber attack - wake-up call for the industry

At the time of writing this update, Maersk's systems remain unavailable due to a cyber attack. This directly affects Maersk Line, Safmarine, MCC, SeaLand, Seago as well as countless APM Terminals facilities.

On average, Maersk Line ships almost 3300 TEU per hour, generating a revenue stream of 2.9 million USD/hour. In the 20 hours which has gone since the attack, this adds up to 66.000 TEU and 59 million USD. This does not mean that Maersk has lost this level of business, as likely a number of customers will simply postpone their bookings a little while - but the keyword is "a little while".

The longer the outage lasts, the more of these customers will start to shift their cargo volumes to other carriers. Time is therefore of the essence in terms of getting systems restored following a cyber attack.

That the maritime industry is vulnerable to cyber attacks is a topic we at CyberKeel have covered extensively since 2013, and we have specifically warned repeatedly against the likelihood of ransomware (and similar) attacks.

A key component in the cyber defense for such attacks is having a solid plan for re-installing everything from back-up, something outlined as early as our white paper in 2014 about creating a maritime cyber-resilient organization. How quickly Maersk will get back online is at the time of writing this unknown.

We do not presently have information as to how Maersk was infected, nor the status of their cyber defenses prior to the attack. Hence, the following text is not based on any inside information from Maersk.

However, in general we have for the past three years performed a range of different penetration tests in the industry, onshore as well as on vessels, and our general take on the state of the maritime industry is that cyber defenses are quite low and systems are easily breached (although positive exceptions do happen).

The penetration tests have also shown that defenses can be significantly improved through relatively simple means, but it requires a willingness to allocate a few resources to do this. When we initiated our work on maritime cyber security in 2013, the attitude we encountered in most maritime companies was that this was not a significant threat. Over the past 12-18 months, there has been a gradual change in the mindset of the industry, and the prevailing attitude is now a recognition that cyber security may indeed be a genuine threat - however we also find that this recognition in many cases still does not translate into the allocation of appropriate resources to properly investigate the company's current level of cyber security nor the allocation of proper resources related to sustained heightening of cyber readiness.

This is a situation which is incongruent with the strong drive towards automation and digitization in the industry.

Whilst the Maersk incident is indeed unfortunate not only for Maersk but also for the many shippers and other supply chain stakeholders which are impacted, it is sadly also an incident which has been entirely predictable within the industry (although not in terms of who the unlucky first large-scale victim would be), and one which hopefully will act as a catalyst for the maritime industry to further enhance their cyber security posture.