On Christmas Day 2022, the Port of Lisbon fell victim to a cyberattack for which LockBit has taken credit. The ransomware group demanded $1.5m by 18 January, threatening to publish seized files--financial reports, ship logs and more--if their demands weren’t met.
On 11 January, the same ransomware group--which The Guardian states is “widely thought to have close links to Russia”--was believed to be behind another cyberattack on the Royal Mail, which was forced to halt its international shipping.
And on 7 January, Norwegian company DNV shut down its ShipManager’s IT servers--used by over 6,000 vessels--as a result of a cyberattack.
“Some of these incidents are not really big in the mainstream media,” says Belgian ambassador to Luxembourg Thomas Lambert. But--considering that shipping represents around 80% of global trade in terms of volume, 70% in terms of value (per The World Bank)--a single cyberattack could greatly impact supply chains.
Despite the world’s reliance on shipping, of the roughly 90,000 ocean vessels, it’s estimated that only 5-10% are adequately prepared to defend against a cyberattack, according to leading cybersecurity firm Mission Secure. “If you take the 20 largest shipping companies on the planet, you cover almost 70% of ocean-going ships, but that brings vulnerability,” the ambassador explained, adding that there is a rise of hacking “not just in one ship, but an entire fleet.”
Vulnerability in software therefore can quickly escalate to a much larger problem and can carry enormous consequences: a 2022 UN Conference on Trade and Development maritime transport report said that, given world reliance on shipping, there is an “urgent need to boost resilience to shocks that disrupt supply chains, fuel inflation and affect the poorest the most.”
Increased automation, new risks
Among the evolutions that have been taking place in shipping is more automised operational technology (OT) which, on one hand, may equate to fewer crew necessary. Yet, on the flip side, it can bring new security vulnerabilities. For example, IT or OT security could be breached in a way that the two are no longer operating in sync--meaning a digital screen could be telling an operator one set of facts while the ship could be manoeuvring in a completely different way, unbeknownst to the user.
As the ambassador additionally points out, it’s not impossible to imagine the risk of a port blockage--at Antwerp, for example, one of the leading ports in Europe. In March 2021, for example, the Ever Given ship disrupted billions of dollars of trade for almost a week after getting lodged in the Suez Canal (albeit not due to a cyberattack).
“It’s not difficult to see what the risk is if you can block a major port,” Ambassador Lambert explains. “There is a really big vulnerability delta between the increased risk of hackers--and for the moment, just taking the scenario of criminal hackers, not even mentioning the risk of states [in] the new geopolitical situation since February of last year…”
The ambassador, who is also a candidate reserve officer for the Belgian navy, said the next generation of drone motherships will be “unmanned and connected”. Plans are well underway for the Belgian and Dutch navies to procure 12 motherships which include a range of unmanned systems (aerial, underwater and surface). “The mothership will launch micro motherships with additional drones on board so the ship stays out of the danger zone. The drone goes into the danger zone, then launches diving drones that can indentify mines or other objects, either drop a charge or be a kamikaze and sail into a mine so it explodes.”
Furthermore, in order to have a longer range, an additional flying drone could be launched so the subdrones can go even farther, “extending the range to tens of kilometres”.
Although the main objective is to fight against sea mines, use could be broadened, be it for patrol, hydrography, surveillance of the seabed and underwater cables, windmill parks, etc.
Potential for the grand duchy
Plenty of questions are arising not just with the expanded use of unmanned ships but also with new markets, like floating windmill parks. The Benelux countries “provide a big maritime punch worldwide,” explains the ambassador. “But that also brings responsibility, both from the private sector [and] for the government side.”
A 7 February (invite-only) conference is being organised with the Belgian Embassy and the Luxembourg Maritime Cluster to discuss more on these topics and exchange best practices. In the short-term Ambassador Lambert hopes there will be increased awareness on some of the vulnerabilities in the sector which, in turn, has wide potential to disrupt supply chains.
The ambassador sees Luxembourg as being able to “assist in increased cybersecurity for the maritime sector, which would then be applicable in other sectors.”
He adds, “I can safely say our Belgium and Luxembourg shipping companies want to make sure that we are at speed with the evolutions and requirements in terms of cybersecurity. But it holds also the promise of an increased competitiveness, if our operators can market the fact that they have a high degree of security in terms of cyber protection.
“You never have absolute protection, it's impossible. But you can organise a multilayered system, and you can win time--and time is very important.”