The latest Thetius report, commissioned by CyberOwl and HFW, gathers insights, assesses current and future cybersecurity challenges, evaluates the industry’s response to evolving regulations and technological advancements, and highlights the importance of integrated cybersecurity practices throughout the vessel lifecycle, from design to maintenance.
Key findings of the report include:
- 7% of stakeholders paid a ransom within the last 12 months. In 2023, nearly 14% admitted to paying a ransom.
- The cost of ransom payouts is also on the decline. The average ransom paid is now under $100K, down from $3.2m in 2023.
- 17% of shipyards feel they have adequate in-house cybersecurity expertise to design and construct a cyber-secure vessel.
- Only 10% of OEMs incorporate security-by-design into new systems, leaving owners unaware of, and exposed to, risks in critical onboard systems they did not specify.
- 32% of shipowners include cybersecurity in their newbuild teams. Many smaller companies assign cyber responsibilities to personnel that may lack cybersecurity knowledge.
Thetius’ “The Lifecycle Dilemma: Navigating Cybersecurity Risks Across Designing, Constructing and Operating a Vessel” report delves into the shifting risks and disconnected approaches to cybersecurity at each stage of a vessel’s life, from initial design through to its operation and maintenance.
Designing a cyber-secure vessel is no longer a choice but a necessity. Cybersecurity cannot be an afterthought. Instead, it must be integrated from the outset, ensuring that vessels are secure-by-design rather than relying on costly and complex retrofits later.
In 2023, 14% of shipping stakeholders reported paying ransoms, averaging USD 3.2M, but ransom payments have since decreased, with only 7% admitting to paying cybercriminals, mostly under USD 100K. However, new cybersecurity challenges are emerging, particularly the inconsistent application of cybersecurity standards across a vessel’s lifecycle.
While IACS Unified Requirements E26 and E27 set cybersecurity standards for new builds (mandatory for ships contracted for construction on or after 1 July 2024), they do not apply to the existing fleet, leading to inconsistent cybersecurity practices between newbuilds and vessels already in service. Additionally, only 17% of shipyards have adequate in-house cybersecurity expertise, and just 1 in 6 shipowners fully understand what a cyber-secure vessel should look like at delivery.
Many shipowners lack clear cybersecurity guidance, creating uncertainty during vessel handovers. Older systems that were designed before cybersecurity was prioritized remain on vessels, requiring continuous visibility and a collaborative response plan in case of attacks. Furthermore, crew training is often inadequate, as many seafarers are unprepared for real-world cyber threats.
Effective cybersecurity relies on strong collaboration across the supply chain, as it is critical to a vessel’s seaworthiness and resilience. Without early collaboration in the design phase, stakeholders risk exposure to cyber threats and costly retrofits.
- Designing a Cyber-Secure Vessel - A vessel that is cyber-secure by design requires embedding cybersecurity requirements into the architecture of the vessel and its systems at the earliest stage. All stakeholders involved in the delivery of a vessel must consider cybersecurity during the design phase.
- Constructing a Cyber-Secure Vessel - During the construction of a vessel, secure systems are integrated and networks are segregated to prepare the vessel for operation. Audits and certifications of the vessel’s systems take place to ensure any vulnerabilities are minimised. Collaboration between shipyard, shipowner and OEM is critical, but there are several hurdles to achieving a harmonised and transparent approach across supply chain stakeholders.
- Operating and Maintaining a Cyber-Secure Vessel - Once the vessel is transferred from the shipyard to the shipowner, the responsibility for maintaining cybersecurity during its operation falls on the owner of the vessel. However, they are often constrained by decisions made during the design and construction process.
A significant challenge in ensuring cybersecurity for vessels is the uncertainty surrounding new class requirements and their practical implications. While 56% of shipowners claim to be aware of and understand the new class rules, only 1 in 6 know what to look for when taking delivery of a vessel from a shipyard. This indicates a gap between shipowners’ theoretical understanding of cybersecurity regulations and their ability to apply that knowledge to ensure their vessels are cyber-secure.
This issue is further compounded from the shipyard’s perspective, where only 17% have adequate in-house cybersecurity expertise, and 46% are concerned about lacking the necessary knowledge and skills to design and construct a cyber-secure vessel. Moreover, 93% of crew members feel underprepared to navigate current cybersecurity challenges and acknowledge the need for additional training.
Recommendations: Use E26 and E27 to catalyze change - The IACS requirements present a significant opportunity for change in the maritime sector. As the first mandatory cybersecurity class requirements for the industry, they provide clear specifications, offering shipowners a benchmark against which to identify where their current practices fall short. E26 (vessel-level resilience) and E27 (system and equipment integrity) together address the entire lifecycle of the vessel, emphasizing that cybersecurity should no longer be viewed as a one-time fix but as an ongoing, integral process throughout the vessel’s life.
Embed cybersecurity into the design phase - Stakeholders should adopt secure-by-design principles to integrate cybersecurity from the start of a vessel’s lifecycle, avoiding costly upgrades later. This includes enabling “monitoring-by-design” to maintain protective measures as cyber threats evolve. A Code of Connection (CoC) for IoT and OT systems could be specified, setting a minimum security standard to enhance cybersecurity from the design stage and providing clear guidelines for secure system connections, similar to practices used in the defense sector.
Clearly understand operational consequences of design choices - As this report sets out, security choices made at design have consequences during operation of the vessel. Making the right decisions can significantly reduce the lifetime cost of managing the cyber risk of the vessel and building in the flexibility for changes as risks evolve.
Balance left with right of bowtie - This report has exposed the lack of preparedness across the sector, from the shortage of secure-by-design products to the knowledge gaps across the supply chain. The reality is that it will take a while for the supply chain to implement sufficient system hardening and preventative measures. In the meantime, not enough is being done to minimise the impact of an inevitable breach. In the well-established bowtie method for risk assessment, the left side holds the preventive barriers that stop a threat from reaching the top event (the compromise itself), while the right side holds the mitigation and recovery barriers that limit the consequences once it has occurred; the sector’s effort is currently concentrated on the left. Shipowners should consider implementing simulated cyberattacks and surprise drills to test both shore and crew preparedness for the right side.
Promote collaboration, transparency, and data sharing - A lack of shared intelligence means that attackers can exploit similar vulnerabilities across fleets. Some companies fear reputational damage and legal liability when reporting incidents, while charterers, insurers, and regulators lack visibility into cyber risk exposure. The industry needs a more collaborative and transparent approach to cybersecurity and risk management across the lifecycle of the vessel.
Encouraging information flow of cyber risks will improve security across the supply chain. This goes well beyond just sharing information on vulnerabilities. It should include sharing design patterns and risk mitigations. With a significant skills gap in the industry, pooling existing knowledge will be crucial. This approach will also help ensure that each stakeholder understands their roles and responsibilities and has the necessary tools to fulfill them.
Source: Thetius: Designing a cyber-secure vessel is a necessity - SAFETY4SEA
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122