Innovative technologies have found their way to the maritime transport sector as they minimize the costs and maximize the benefits in everyday operations. At the same time, these new technologies enhance the interconnectedness of core port and shipping operations to the whole supply chain. As such, any interruption to the core of these operations may have a consequent knock-on effect to the wider economy and industries related to the supply chain, as illustrated in the CyRiM Report [1
Despite the increasing numbers of cyber incidents to corporate networks and data, the maritime transport sector is rather slow in addressing cyber risk [2
]. Well-established regulations and guidelines have been implemented for decades on topics such as environmental and crew safety and, more recently, on ballast water management; these risks are tangible. However, cyber risks are different. Their intangible nature means that their consequences are not palpable; therefore, it is difficult for them to be initially identified and addressed. Infected applications, computers in the office, or operational technology (OT) systems on board may continue to operate without any noticeable performance issues. Unlike any other risk, when a cyber breach occurs, it can affect the entire infrastructure of an organization, including its fleet and offices around the world.
This threat landscape will only grow, as ships at sea increase their connectivity, exchanging data so they can increase supply chain visibility and performance. Unfortunately, while connectivity solutions have evolved, achieving greater resilience, a single specific vulnerability in one industry or organization can swiftly cascade to affect other industries and organizations due to the lack of appropriate security controls [1
Maritime transport companies are part of a complex supply chain that, at present, is digitalized. Digitalization is taking place so that performance in the overall supply chain can be improved [3
]. At the same time, shipping companies are providing remote access to on-board systems to third party service providers and vendors for software updates, performance monitoring, and maintenance [4
]. These two intertwined activities increase the cyber-attack surface. It is not a farfetched scenario in which a critical cloud service provider or even a satellite communications services provider could be interrupted or ceased altogether because of a cyber breach. Such incidents could cascade on a global scale and impact all economic activities. The most profound example is the NotPetya malware attack in July 2017, which had a huge impact on global economic activities, costing approximately $
892.5 million [5
]. Research institutes and regulatory authorities are struggling to model, let alone quantify, cyber risk, mainly due to the lack of relevant data. When the threats move at the speed of light, they can be hard to comprehend.
In other leading industries, such as banking, manufacturing, retail, and healthcare, boards of directors and executive leadership are gradually becoming more aware of the cyber threat to their businesses and the need to manage cyber security at the enterprise level. A 2020 survey conducted by the Information Systems Audit and Control Association (ISACA) [6
] found that 82% of respondents understood the board of directors to be “concerned” or “very concerned” about cyber security. Similarly, in shipping, as our research identified and demonstrates in Figures 1 and 2, more than 90% of experts consider cyber security to be either very or somewhat important for their working environment. However, this concern does not always align with how board members allocate resources to tackle cyber risk. Hence, security professionals are tasked to address this emerging threat without the necessary tools in place [7
Even though the industry is cognizant of the importance of cyber security, confusion persists about how serious the cyber threat actually is, the risks that it poses to their enterprises, and the prioritization it demands. Going beyond the technical interpretation of cyber security, this paper aims to tackle the following research aim: Identify how cultural differences affect the level of understanding on maritime cyber security.
It should be highlighted that the paper is constructed based on the data extracted during two high-profile industry workshops. Members of the research team were invited to present in these two workshops. As such, an opportunity arose to put together a set of questions to be shared with the participants to extract valuable data from experts with deep knowledge of the maritime transport sector. Due to that restriction, the research environment was not fully controlled by the research team. Research was not conducted in the typical academic way, but it was a great opportunity to extract raw data and present it to an academic audience seeking rare true insight knowledge. Therefore, the research team extracted, analyzed, and present the findings in this paper, so they could provide rare evidence for an issue of paramount importance for the maritime transport sector. This paper makes a valuable contribution to current literature by focusing on outcomes extracted from experts and links them with existing literature.
Following the introduction, the related literature review on the key stakeholders involved in the maritime transport sector and the illustration of maritime cyber-crime importance for the sector is presented in Section 2
. Section 3
describes the theory that supports the work conducted from the research team and shows how the data was collected through a survey. Outcomes of the survey are thoroughly discussed and presented in Section 4
. Section 5
presents a conclusion and proposal for future research.
3.1. Theory That Supports Our Work
One of the main findings of the analysis relates to the perception of the topic of cyber security. This is evident throughout the responses collected for the various questions of the survey, as presented in Section 4
. As such, the research team tried to identify a conceptual framework that justifies this approach. The most apt piece of academic work that closely aligns with this observation is the book by Nisbett [26
], entitled: “The geography of thought: How Asians and Westerners think differently … and why
”. According to Nisbett [26
], different cultures perceive specific topics in a different way. Specifically, and related to the composition of participants of this research, East Asian thought is “holistic”, while Westerners focus on specific subjects. To elaborate, East Asians interpret specific subjects as part of the whole, examining the relations between objects and events within that discipline. Applying this concept to maritime cyber security, East Asians perceive cyber security as another risk factor, part of the overall aggregated risk affecting maritime transport operations. This argument is reinforced as it is demonstrated from the findings of this research, presented in Section 4
. In contrary, the West approach emphasizes notable subjects aiming to tackle any challenges related to this through specific attribution. With Nisbett in mind, applying this concept to maritime cyber security, Western managers perceive cyber security as a standalone risk element to be dealt with by IT professionals. That demonstrates a clear differentiation between the mindsets and approaches that the maritime transport practitioners who participated in the two workshops (Asia and Western representatives) undertake when dealing with cyber security in the maritime transport sector.
Shipping is a truly global industry, as Kumar and Hoffmann [27
] (p. 36) state: “A Greek owned vessel, built in Korea, may be chartered to a Danish operator, who employs Philippine seafarers via a Cypriot crewing agent, is registered in Panama, insured in the UK, and transports German made cargo in the name of a Swiss freight forwarder from a Dutch port to Argentina, through terminals that are concessioned to port operators from Hong Kong and Australia
”. As such, maritime transport stakeholders, irrespective of their physical location or their racial decent, should develop a common, fundamental mindset that could grasp the risk factor called cyber security. That is something difficult to achieve as the sector needs time to develop and adopt that common mindset. The first step towards that direction is for regulatory bodies to introduce relevant documentation, either mandatory or advisory. An apt example is the IMO, with its guidelines and consequent resolution on cyber risk management [13
], as analyzed above.
3.2. Data Collection
A unique opportunity was offered to test the theory presented above through direct engagement with industry experts from Asia and Europe. Data for this paper was collected by the authors during two industry-focused workshops. The workshops were designed for tackling issues related to cyber security in shipping; they were not designed for collecting academic research data. This was a limiting factor when trying to conduct further statistical analysis of the collected data, as the research team had no control over participants’ demographics. However, as several key industry experts participated, it was a great opportunity to collect data for such a contemporary issue as the challenges posed by cyber threats in the maritime transport sector. Both events took place in December 2020, virtually, allowing for stakeholders, from a large number of countries, to participate. Data were collected with the use of an online tool; it was anonymized and securely stored. Each participant was able to submit one or multiple responses, as indicated in each question.
The first workshop was conducted by a large Chamber of Commerce based in East Asia. As aforementioned, data collection was conducted during the workshop and the questionnaire was designed and tested prior to that. However, the overall event was not purposely conducted for data collection; as such, data collected was a “by-product” of the workshop. Therefore, detailed statistics for the demographics of the respondents are missing. The research team only have information related to the overall number and country of origin of participants of the workshop. Additionally, during the workshop, a lively discussion with the participants took place, which indicated their willingness to share information with authors. During the workshop two authors were main speakers in the event.
The second workshop was conducted by a large shipping association based in Greece with representation throughout the EU. Unlike the previous workshop, one of the authors was the main speaker, presenting the same questionnaire during the session. Similar to the previous workshop, a lively discussion with the participants took place. Participants were willing to share additional information with us. Further information is demonstrated in the following section, where the survey is presented in detail.
Data from both workshops were analyzed instantly from the research team. The analysis was conducted on a regional level but also in combination, so that a better understanding of the overall responses of the maritime sector could be obtained. The findings are presented in Section 4
. Prior to that, it is demonstrated in the following section how the survey was designed.
As was evident from the aforementioned literature review, cyber attacks in the maritime transport sector have increased substantially over the last decade. For that reason, the introductory question posed to participants of this survey aims at highlighting the importance of cyber security in daily operations for the maritime transport sector. Table 1
presents the list of questions used in the survey.
Apart from the initial question, which attempted to understand the importance of cyber security in the maritime transport sector, the questions composing the survey were grouped in two themes: (A) How the industry is coping with the new IMO 2021 regulation requirements; (B) how shipping companies experienced changes in daily operations due to COVID-19 from the spectrum of cyber security.
The survey was available for responses only during the presentations delivered by the research team, which helped the participants get a better understanding of each question. Additionally, clarification was provided, when needed, as a live Q + A session was available, assisting the submission of full questionnaires, as in some cases participants drop out from a survey or they leave some questions blank if they do not fully understand them.
This was a unique, impromptu, opportunity to examine experts, and as such, the survey did not collect participants demographics. Instead, an investigative lead approach was adopted. Participants represented the whole spectrum of the maritime transport sector (e.g., port operators, shipping companies, consultants, ship management companies, technology solution providers, and academics).
Workshop 1: Up to 200 participants partially attended the event, while half of them (100) attended the entire event. Participants represented 30 countries.
Workshop 2: The total number of participants was 42, representing a total number of 15 European countries, whilst the majority of the participants were from Greece (a higher representation from Greece is considered as normal, due to the high representation of Greeks in the shipping sector).
The findings extracted during the two workshops are presented in the following section.
4. Findings and Discussion
This section presents the data collected, analyzes the findings, and discusses key points by linking them to the theoretical approach presented in Section 3
Based on the responses of the introductory question, it became evident that there is a consensus between maritime professionals regarding the importance of cyber security in the maritime transport sector. Specifically, the research team examined the importance of information or cyber security in the daily maritime transport operations, both in Europe and in Asia, as demonstrated in Figure 1
a,b. When European and Asian responses were combined, it was observed that more than 90% of experts considered cyber security to be either very or somewhat important for their working environment, as demonstrated in Figure 2
. This evidence shows that cyber security is more relevant presently for the maritime transport sector.
As shipping is already a heavily regulated industry, where the compliance mindset remains predominant, the IMO introduced specific guidelines to address cyber security in shipping. The nature of these guidelines is at a rather high level without offering any specific insights on their implementation. As such, theme A of this survey aims to explore: How the industry is coping with the new IMO 2021 regulation requirements. Through this theme, a novel knowledge approach was introduced, which is needed for future policy guidance and clarifies any doubts in the long-run.
It was deemed necessary, for the first question, to identify the competent authority that could provide guidance and assistance on the implementation of the IMO requirements. As presented in the literature review, the maritime transport sector consists of several entities that play a specific role in its successful development over the last century. Classification societies, P&I clubs, governments, flag states, marine insurance, and regional and international organizations now have to understand their role in addressing cyber security in shipping. Unlike the consensus unveiled in the previous question, the responses collected from the two working groups for this question highlight a significant difference regarding the competent authority for shipping. As demonstrated in Figure 3
b, the majority of maritime transport professionals in Asia (53%) state that classification societies are the predominant authority, suitable to assist and guide the maritime transport sector in addressing cyber security, followed by governments with 27% and flag states with 10%. This perception is not shared with their colleagues in Europe, where the IMO, classification societies, and P&I clubs share equal representation (approximately 25%), as demonstrated in Figure 3
a. At the same time, flag states seem to get similar percentages in both working groups. An aggregated response of both European and Asian is demonstrated in Figure 4
. As both groups consider classification societies to be the authority to assist the maritime transport sector in tackling cyber security, it is therefore the highest scoring sector, with 40%, while the second most suitable organizations for tackling cyber security in maritime transport are governments, with 20%. Therefore, as demonstrated in Figure 4
, classification societies have more “authority” than governments due to the multinational nature of shipping.
Aiming to understand the diversification between the responses in the two groups, examination of the broader picture should not be neglected. Going beyond cyber security, shipping professionals in Europe rely on the IMO’s authority to regulate the industry. Similarly, P&I clubs, created by shipping professionals themselves, have a long-standing tradition in handling claims. On the contrary, classification societies are the de-facto entities that define responses to all, short of regulatory requirements in Asia. As such, cyber security would be no different.
Based on the findings of the previous questions, question 3 from Table 1
goes beyond the regulatory requirements and explores if the IMO resolution can effectively protect shipping from cyber breaches. As presented in the literature review, industry specific press has criticized the IMO cyber resolution as high level and not offering any tangible outcomes for its implementation, let alone specific steps for its inclusion in shipping companies’ safety systems. Outcomes presented in Figure 5
a,b are aggregated in Figure 6
, and demonstrate findings regarding the IMO cyber resolution per region, Europe and Asia. The responses in Figure 6
are split, with half of the participants agreeing that the IMO 2021 cyber resolution is the answer to cyber security for shipping and the other half either disagreeing or not being able to agree or disagree.
This split in the responses, which is similar for both the European and Asian participants of the survey, highlights the issue that the IMO 2021 cyber resolution, unlike other IMO guidelines, does not provide a clear answer to the sector’s needs. For example, the ballast water management and sulfur cap regulations provide clear instructions on their applications, followed by technical specifications. As demonstrated from the findings of the survey, the IMO cyber resolution does not clearly pass the message required to the sector. The reason for that is because the IMO resolution is more descriptive rather than prescriptive.
Expanding on the previous question, the analysis explores the level of preparation for shipping companies when meeting the IMO 2021 resolution and, consequently, addressing cyber security. According to the practitioners who participated in the survey, and in contrast to the previous question, a difference between the responses in Europe and Asia was observed. While nearly half of the respondents in Europe believed that the sector is somewhat prepared (Figure 7
a), a roughly similar percentage in Asia believed the opposite (that the sector is somewhat unprepared, Figure 7
b). This difference became evident when the results from Europe and Asia were combined, as demonstrated in Figure 8
The observed difference in perception on the level of preparedness for the IMO 2021 requirements is derived from two main attributes. The first attribute, as presented in the analysis of the findings of the previous questions, is that the IMO resolution does not offer clear guidance to the sector. Therefore, as it is demonstrated in Figure 7
a,b that maritime transport stakeholders perceive differently what is required to meet the IMO resolution and address cyber security in the maritime transport sector. The second attribute is that there is a difference in perception in what cyber security entails. That perception derives from the increased technical savviness (as demonstrated in the literature review) compared to European counterparts, who are more “traditional” in operating the sector. Over the years, Asian maritime transport stakeholders are amongst the first to apply technology solutions that improve operations (e.g., minimize costs, etc.) [28
Following the preliminary analysis regarding the industry’s response to cyber security, predominantly concerning the IMO 2021 resolution, the second part of the questionnaire examined the industry’s perception of the impact of the COVID-19 pandemic in day-to-day maritime transport operations.
The first question of theme B explores if the COVID-19 pandemic affected the maritime cyber security landscape. Even though this is not a binary question, for matters of simplicity, the question was structured as such (yes or no). Responses collected from both focus groups in Europe and Asia, as illustrated in Figure 9
a,b and summarized in Figure 10
, concur that the cyber security of the maritime transport sector was affected by the COVID-19 pandemic.
This comes as no surprise, since, as noted previously, the number of cyberattacks since the appearance of the pandemic has globally, remarkably increased [23
]. However, when trying to identify the effect of the pandemic on the maritime cyber security landscape, it became evident that respondents from Europe who believed that the industry’s cyber security landscape was not affected, were twice as many as those from Asia, enhancing the points discussed in Figure 7
a,b regarding the misconceptions about cyber security. As aforementioned, this originated from the fact that Asian maritime transport stakeholders were amongst the first to apply technology solutions. Therefore, they were agnostic to the benefits of digital transformation in the maritime transport sector, along with the consequent potential cyber risks that they may face.
The next question of the survey examined whether the participants experienced a surge in cyberattacks in their organizations during the pandemic. This question aimed to narrow down the analysis, drawing from participants’ direct engagement within their organizations. While in Europe the responses were split (with 53% mentioning that they did not experience a surge in cyber attacks in their organization and 47% mentioning the opposite), in Asia, two thirds of the respondents mentioned that they did not experience any surge in cyber attacks in their organizations during the pandemic. Figure 11
a,b results are aggregated in Figure 12
, demonstrate that there was an increase by 40% in cyber attacks in maritime transport organizations during the pandemic, reinforcing the argument that there is a need to increase cyber resilience in the maritime transport sector.
Looking at the responses presented in Figure 11
a,b, an interesting realization that reaffirms what has been previously mentioned was identified. Asian maritime experts were more advanced in terms of security-minded technology solutions applied within their maritime transport organizations, compared to their European counterparts. As such, they were able to mitigate incoming malicious content. Having the appropriate measures in place and not allowing an increased number of attacks to penetrate their organizations ecosystem justified the responses presented in Figure 11
Similar to question 4, presented in Table 1
and analyzed above, the last question of the survey tried to identify the level of effectiveness of shipping companies in adapting to the new norm, due to the COVID-19 pandemic. This new norm entailed: (A) an increased number of employees working remotely (from home), (B) the adoption of digital solutions to facilitate this transition, and (C) uptake in number of cyber attacks affecting the industry.
As demonstrated in Figure 13
a,b, 86% of European participants mentioned that shipping companies were either very or somewhat effective in adapting to the new norm. In comparison, opinions on the same matter from Asian participants were limited to almost half of the percentage demonstrated above (46% were either very or somewhat effective). Overall, Figure 14
illustrates that a strong majority of industry practitioners (68%) believed that the industry was effective in adapting to the new norm due to the COVID-19 pandemic.
The difference in responses illustrated in Figure 13
a,b reaffirms the trend identified throughout this survey regarding the level of maturity and understanding of what cyber security entails between the European and Asian participants. With reference to the findings of Figure 14
, this comes as no surprise, as, unlike other industries, shipping, due to its nature, is used to having its most valuable assets operating remotely. Ships operating globally, thousand miles away from their shipping company’s offices, have established procedures and technology solutions for decades.
In this section, the findings of the survey were demonstrated and discussed. Section 5
summarizes the key points of this research.
It became apparent throughout the paper that the increased adoption of digital solutions in the maritime transport sector introduces an insidious threat in cyber space. Ports and ships, being two of the most vital components of the supply chain, are vulnerable to cyber breaches, due to their complex operational environments. Both ships and ports have IT and OT systems composed by various third-party vendors, which, in most cases, require remote access, increasing cyber attacks to surface. Thus, maritime transport stakeholders have to take prompt actions in order to mitigate cyber risk. In order for this to happen, first and foremost, maritime transport stakeholders should understand what cyber security is; how it may affect their business; and the specific countermeasures that are suitable for their organization, and consequently adopt them to tackle these threats.
This research, unlike mainstream academic approaches, was initiated from the data collected during two targeted workshops, with the participation of more than 250 senior maritime transport practitioners. Due to the limitation of the research environment and the level of control available to the research team, it was decided not to over interpret the data with the use of quantitative statistical methods. The research team believes that its analysis will satisfy social scientists in terms of interpreting data collected in this activity by using a qualitative lens.
This impromptu engagement was commonly themed in order to address one key industry concern: whether cultural differences affect the level of understanding of maritime cyber security. As the two workshops were conducted virtually in Asia and Europe, it was realized that the predominant perception for cyber risk differs in these two geographical areas. The main analysis has reiterated that each group had a different understanding. A similar observation was conducted by Nisbett [26
], who mentions that different cultures perceive specific topics in a different view. As stated by Nisbett and reaffirmed by our findings, East Asians think “holistically”, while Westerners focus on specific subjects. This differentiation can also be attributed to the level of maturity regarding cyber security, as presented in the findings section. As such, Asians understand cyber security challenges better and consequently incorporate them in their aggregated business risk management. In contrast, the less mature Western maritime transport stakeholders perceive cyber security as an impartial risk factor to be dealt in isolation.
Findings presented in this research highlight that many maritime transport stakeholders are not aware of what cyber security entails and do not fully realize the degree of dependence of their businesses on software-enabled systems, platforms, and services. While they might acknowledge the existence of cyber threats in general terms, as apparent in Section 4
, they miss important details; understanding how these cyber threats can affect their organizations’ daily operations. A holistic approach to cyber risk management begins at the senior management level and extends downwards to the entire organization.
Acknowledging that this paper was elaborated based on an opportunity that arose from the authors’ engagement with the industry, we believe that further, targeted, academic research is to be conducted, with statistical tools, such as ANOVA, in mind. To achieve that, the research outline should include details of targeted audience profiles, along with a questionnaire, which will be designed to collect information related to participants and their demographics. Such an approach would facilitate the implementation of aforementioned statistical tools and thus present a statistical analysis of the results. Specifically, future research should explore two main topics: (1) revalidate our findings as to how cultural differences affect the level of understanding of a specific topic, in this case maritime cyber security, with further research, such as longitudinal research, which could enhance our findings; (2) explore whether the surge in cyber attacks, partially due to pandemic, affected the sector’s response to the IMO cyber requirements. This research should take place in a more academic style, where the theory should be tested against our main finding, that there is a different perception of cyber risk based on cultural background. To achieve this, enhanced collaboration between all key stakeholders (academics, cyber experts, maritime transport sector stakeholders) should take place. As we initiated this piece of research, due to our wide links with maritime transport stakeholders, we would happily participate in any future discussions, which we are sure will take place soon due to the urgent need to tackle such an important issue as maritime cyber risk management.