0% found this document useful (0 votes)
22 views21 pages

Cyber Priority 2024

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
22 views21 pages

Cyber Priority 2024

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

MARITIME

CYBER PRIORITY
2024 / 2025
Managing cyber risk to enable innovation
DNV CYBER Maritime Cyber Priority 2024 / 2025 ABOUT THIS RESEARCH

ABOUT THIS RESEARCH SURVEY DEMOGRAPHICS

Sectors of the maritime industry


This report is published by DNV Cyber, a leading cybersecurity services
provider, drawing also on DNV’s position as the world’s leading Freight (e.g. ship owner, shipping line or We thank our survey
classification society and a recognized advisor for the maritime industry. carrier, freight forwarder) 38%
respondents from across
It is part of DNV’s Cyber Priority research exploring changing attitudes Offshore operators and production 17% the maritime industry.

and approaches to cybersecurity in key industrial sectors. Shipbuilding and yards 14%

Passenger transportation (e.g. cruise


13%
line, ferry line, yacht owner/operator)

The research draws on a survey of 489 maritime It is DNV’s second dedicated Maritime Cyber Priority Regulation and administration 11%
professionals along with a number of in-depth inter- report.
views with leaders and experts. This is part of a wider Industry services 11%
survey of 1,185 professionals across critical infrastruc- Fieldwork was conducted in September and October
ture industries, including maritime, energy, manufac- 2024. Survey respondents represent a range of Manufacturing and supply chain 10%

turing, and healthcare, among others. This report was functions within the industry, including those with
Ports and port services 9%
developed by DNV in partnership with FT Longitude in-depth knowledge of cybersecurity along with
(a Financial Times company). general managers and C-suite executives. Other maritime sectors 16%

Percentages reflect that respondents selected options if they work in multiple sub-sectors of the maritime industry, adding up to to 139%.

ACKNOWLEDGEMENTS Role Region

Engineering and Europe


technical services 7%
We would like to Matti Suominen Daniel Ng Jarle Coll Blomhoff 8% Asia Pacific
25% 27% Operations and
thank the following Director of Maritime CEO, CyberOwl, Head of Section Digital Americas
maintenance
interviewees for Cyber Security, Wärtsilä a DNV company Ship Systems, Ship Middle East and Africa
Regulation and compliance
7% 28% 57%
their time and insight: Classification, DNV
IT
Lim Shih Hsien Svante Einarsson 8% 18%
Executive Vice Presi- Head of Maritime Cybersecurity
15%
dent, Cyber IT and OT, Cybersecurity, DNV Other roles
Seatrium Cyber

Seniority Annual revenue of organization

Board member Less than $50m


5% 4%
6% 7% Executive level 20% US$50m - $99m
(EVP or C-suite)
US$100m - $499m
19% Senior manager, function
7% US$500m - $999m

489 50 71% 5
30% head or director 45%

Manager or supervisor US$1bn - $4.9bn


11%
Specialist US$5bn - $9.9bn
maritime professionals (>) countries support, develop or operate Interviews with industry 30% 6%
5% US$10bn or more
surveyed represented operational technology leaders and DNV experts Analyst, associate or
technical support role
3% 2% Don't know/not
Entry-level applicable

2 3
DNV CYBER Maritime Cyber Priority 2024 / 2025 CONTENTS

CONTENTS

01 Cybersecurity moves up the maritime agenda 07


The rate of attacks is increasing rapidly 08
Leaders see cyber as their biggest risk 09
Activity is growing in line with investment 09
A multiplicity of threat actors 10
Opportunity and momentum 11

02 Embracing innovation while addressing vulnerabilities 13


Enthusiasm about digitalization is growing 14
Accepting risk demands extra vigilance 16
Procurement as an opportunity 16
Third-party risk moves into the spotlight 17

03 The overconfidence + under preparation trap 18


A false sense of security 20
Cybersecurity experts are less confident than maritime executives 20
The strategy might not match the reality 21
Everyone should be part of the cyber effort 22
Adversaries are increasingly sophisticated 22

04 Investment and the regulatory imperative 25


Evolving regulation leads to welcome investment 26
Compliance alone is not enough 27
New skills and talent needed for compliance 28
Investment needs to spread wider 28

05 Cybersecurity challenges and how to overcome them 31


Boost collaboration and transparency for higher industry standards 33
Reimagine cyber as an essential enabler of innovation – not an obstruction 34
Accelerate cyber tech to overtake adversaries 36
Strengthen the cyber culture and enhance preparation for cyber incidents 37
Keep up with regulation and build connections across the industry 37

References 38

4 5
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 01

01
CYBERSECURITY
MOVES UP THE
MARITIME AGENDA

6 7
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 01

01 CYBERSECURITY MOVES UP THE MARITIME AGENDA LEADERS SEE CYBER AS THEIR BIGGEST RISK ACTIVITY IS GROWING IN LINE WITH INVESTMENT

The cyber threat is causing concern at the highest Maritime organizations are acting on their concerns
levels of the maritime industry. Seven in 10 professionals and improving their security. More than six in 10 (61%)
Awareness of cyber risk and investment in cybersecurity have (71%) say that their leaders consider cybersecurity to maritime professionals say their organization is invest-
be the greatest risk their organization faces. The ing more in OT cybersecurity than they were a year ago,
grown rapidly. proportion is higher among cyber professionals (80%) and the proportion increases to 68% when it comes to
than it is among senior leaders themselves (70%), but IT environments. This compares favourably with the
the trend is clear and reflects broad industry concerns: situation in our 2023 survey, when just 40% felt they
80% of all executives say their business has started were investing enough in OT security.
THE RATE OF ATTACKS IS INCREASING RAPIDLY According to the Netherlands’ NHL Stenden University taking cybersecurity more seriously in the wake of
of Applied Sciences, the industry in 2023 experienced rising geopolitical tensions in the last year. But will this be enough? Svante Einarsson, Head of
Cyber criminals have the maritime industry in their 64 cyber events on a scale to create media-worthy Maritime Cybersecurity at DNV Cyber, says that greater
sights. DNV’s new survey of industry professionals disruption. A decade earlier, there were just three such The prospect of an attack on the organization’s IT leadership awareness of and support for cybersecurity
finds that one in three (31%) experienced at least one events; none at all were registered in 2003.1 Across the domain is their top concern – probably because many is just the start. The next step is implementing a
infiltration by attackers in the 12 months leading up to industry, problems are mounting up, including a string of the highest-profile incidents to hit vessel operators workable response, which is far less straightforward –
October 2024. In our 2023 study, just 17% had had a of attacks on European ports in 2023 by hackers and ports, such as NotPetya, have targeted these as we discuss later in this report.
serious breach over the course of five whole years. associated with Russia.2 systems.3 But the security of operational technology
(OT), which are the industrial control systems that “Most leadership discussions in shipping touch on cyber
The real number could be even higher. “An average Against this backdrop, our survey of almost 500 mari- govern many types of physical assets, is also growing risks, but the question is whether they can form a
shipping company will experience somewhere between time professionals confirms that the maritime industry in importance. In our survey, 71% believe their organi- strategy to resolve and mitigate those risks,” says
65 and 80 incidents a year,” says Daniel Ng, CEO of needs to strengthen its commitment to cyber resilience. zation is more vulnerable to cyber attacks on its OT Einarsson. “That is where more work is needed because
cyber analytics business CyberOwl, a DNV company, This means embracing security by design – engaging today than at any other time in its history. cyber often sits within IT, and IT in shipping has tradition-
a global expert in cyber risk monitoring and threat cyber professionals throughout the development and ally been viewed as a back-office function rather than as
management onboard maritime vessels. “But if you ask procurement of new software, technology, technology As ship-to-shore connectivity has advanced, so too has the a strategic enabler. CISOs have an uphill battle to be
them how many incidents they have had, they might tell components and infrastructure. Doing so is more use of internet of things (IoT) devices that connect physical heard and to make sure cybersecurity is front of mind.”
you that it was none. That’s because the immediate important than ever. With 61% of industry professionals assets to both the wider network and remote navigation
outcome was a malfunctioning computer that they accepting a rise in cyber risk as the price of innovation, and safety systems. With at least 42,000 ships worldwide
replaced without understanding the root cause, and the industry needs to manage cyber risk to experiment, already connected to satellite services,4 companies have to

31%
of industry professionals have
that means the underlying issue is still in their system gain competitive advantage, and take a lead in ensuring accept that the ‘air gap’ that once protected their vessels experienced at least one infiltration
and still causing problems.” the resilience of businesses and societies. and physical infrastructure from attack has now closed. by attackers in the last 12 months.

Respondents believe the maritime industry is managing cyber risk, despite rising vulnerabilities The industry is increasing investment in cybersecurity

I am confident that senior leadership in my business sufficiently


I am confident
understands that senior
the cyber threatsleadership in my business
that my organization facessufficiently
in today's 33% 45%
understands the cyber threats that my organization faceslandscape
geopolitical in today's 33% 45% My organization is investing more in IT cybersecurity
geopolitical landscape this year compared to last year 35% 33%
My organization is investing more in IT cybersecurity
I believe that my organization is more vulnerable to cyber-attacks on 35% 33%
I believe thatenvironments
my organization is more this year compared to last year
its OT today than itvulnerable toany
has been at cyber-attacks
other timeon in 33% 39%
its OT environments today than it has been at any other its time in
history 33% 39%
its history 31%
31%
My organization's focus on cybersecurity has increased as a result of
My organization's focusgrowing
on cybersecurity hastensions
increased 38% 42%
geopolitical in as
thea last
result of
year 38% 42%
growing geopolitical tensions in the last year
My organization is investing more in OT cybersecurity 32% 29%
this year compared to last year
The leadership of my organization considers cybersecurity to be the
The leadership of my organization considers cybersecurity 42% 29% My organization is investing more in OT cybersecurity 32% 29%
greatest current risk to my to be the
business 42% 29%
greatest current risk to my business this year compared to last year

Q: To what extent do you agree or disagree Slightly agree Strongly agree


Slightly agree Strongly agree with the following statements about cyber Q: To what extent do you agree or disagree
Slightly agree Strongly agree risk in today’s threat landscape? Slightly agree Strongly agree with the following statements?

8 9
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 01

A MULTIPLICITY OF THREAT ACTORS Attackers linked to geopolitical tensions "Around eight in every 10 incidents are still delivered
Geopolitical tensions increase the possibility of via the USB sticks that are necessary for vessel opera-
Cyber crime is a growing business in many
The cybersecurity threat is now coming from all sides, nation-state sponsored attacks on high-profile critical tions,” says CyberOwl’s Ng. “One of the worst cases we
countries. Criminals have realized that they
and maritime professionals are more concerned about infrastructure. The 2023 distributed-denial-of-service saw recently involved a port where the same USB stick
can do this from home and make more
every potential threat actor than they were in 2023. attacks on Dutch ports, which aimed to paralyse them, spread malware linked to espionage on to eight
money than they could from doing
were attributed to pro-Russia hacker groups and were vessels. A threat starts on one ship or terminal and can
anything else.
Externally, geopolitical tensions are motivating state- widely interpreted as a backlash against the Nether- quickly spread across multiple fleets.”
backed cyber incidents and there has been a rise in Matti Suominen, Director of Maritime Cyber lands’ support for Ukraine.10, 11
opportunistic criminal activity.5 Internally, there is the Security at Wärtsilä Better training would help to address this human
possibility of human error. The economic importance of the maritime industry, at a threat, as would more user-friendly interfaces for
time of conflict and unease, makes the sector vulnera- cybersecurity-related systems across the industry. “It’s
Although well-trained crew members are vital to a vessel’s ble to attacks. Disrupting critical trading routes is seen important to recognize that staff will be crucial
cyber defence and response, the unintentional threat they as a major victory by terrorist organizations, which responders to any attack,” says DNV Cyber’s Einarsson.
create in an industry that relies on USB drives and large “They don't necessarily have an interest in shipping have already claimed responsibility for a recent rise in “This further emphasizes the need for continuous
crews of international workers is significant. The threat specifically. They just understand that there is a huge kinetic attacks on vessels, including the Iran-backed training programs that recognize that portable data
is magnified as these crews work closely with onshore cost attached to disrupting that activity,” says Matti Houthi attacks on Maersk and CMA CGM in the wake of devices are useful tools for the industry but also carry
staff and with third parties, such as manufacturers’ Suominen, the Director of Maritime Cyber Security at tensions in the Middle East.12, 13 risks that need to be managed carefully.”
service engineers, all of whom can inadvertently introduce Finnish technology major Wärtsilä.
viruses or malicious code into operational systems. Crew and other accidental threat actors OPPORTUNITY AND MOMENTUM
The scale of the cost – which can run to tens of millions Alongside human errors such as software misconfigura-
Criminal enterprises of dollars each day – is one reason why ransomware tion, crew members and other staff such as service The threat to the maritime sector is unlikely to ease off
There is a notable increase in concern about criminal attacks are becoming more common. Since the engineers can introduce viruses to onboard systems any time soon. More than a third of maritime professionals
gangs, which are realizing how profitable ransomware NotPetya attack on Maersk in 2017, for example, which through USB drives. These drives remain in common use in our survey (37%) expect to face more cyber attacks in
attacks can be – ransomware attackers across all indus- caused a total shutdown of the shipping company’s in the maritime industry. In July 2024, USB sticks contain- the next 12 months than in the past 12 months, despite the
tries collected some USD 1bn in cryptocurrency payments systems and cost it some USD300m,7 there has been a ing malware were found plugged into computers on sector’s plans to increase investment in cybersecurity.
in 2023.6 Eight in 10 (79%) maritime professionals are string of similar attacks. An attack on Voyager World- vessels in Norway, Greece and the Netherlands.14 Just 11% predict that incidents will become less common.
concerned about this threat, up from 56% in 2023. wide, a manufacturer of navigation systems, disabled Although it is not uncommon for infected USBs to be
the company’s systems,8 and several major ports discovered on ships, this instance is notable because the Businesses are starting to frame cybersecurity as a
experienced disruptions to their operations – causing same malware code was found at different places prerequisite for era-defining innovation, and cyber­
delays, misrouted cargo and heightened safety risks onboard vessels at different locations over a course of security investment is becoming as much about
– following a ransomware incident in April 2024.9 several months. enabling opportunity as it is about managing risk.

Heightened concern for all threat actors, especially cyber-criminal gangs Expectation that the number of cyber incidents will increase in the year ahead

79% 79%
2023
73%
71%
66% 2024 100%
63% 61% 62% 63%
59%
56%
29%
50% 49%
44% 46%

35%
66%
36%
50%

Q: To what extent Q: During the next


are you concerned 23% 12 months, do you
Foreign Organized Terrorist Malicious Hacktivists Vandals or Competitors Unintentional about the potential anticipate your
powers cyber-criminal groups insiders or script kiddies threat actors for the following organization handling a
and state- gangs former (amateur threat (e.g., caused by
sponsored insiders (e.g., actors using human error among cyber threat actors 12% larger or smaller number
actors employees or existing software engineers, software to attack your organi- 0% of cyber incidents than
partners) to launch attacks) misconfiguration, zation? (‘Concerned’ Decrease Stay the same Increase Don't know it did during the past
runaway pen-testing) respondents). 12 months?

10 11
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 02

02
EMBRACING INNOVATION
WHILE ADDRESSING
VULNERABILITIES

12 13
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 02

02 EMBRACING INNOVATION WHILE ADDRESSING


VULNERABILITIES

The maritime industry is dedicated to digitalization opportunities, and is


willing to manage greater cyber risk to pursue them.

ENTHUSIASM ABOUT DIGITALIZATION IS GROWING In practice, executives struggle to manage change as


new processes and connected systems introduce
Maritime organizations are pursuing technology unexpected vulnerabilities. This is inevitable because
innovation that can improve their efficiency and technology prioritizes performance and utility over
effectiveness and help them decarbonize.15 This has led resilience.
to the industry investing in data-enabled solutions such
as real-time route optimization, continuous asset
monitoring and management, and autonomous vessels.

More than seven in 10 maritime professionals in our


survey say that advanced data analytics, the IoT, AI,
high-bandwidth satellites and remote and autonomous
operations are the top technology opportunities for the Modern scrubber systems are equipped
next two to three years. Across most technologies, the with remote connectivity. They are
proportion of senior executives seeing them as an retrofitted onboard old vessels,
opportunity rises higher than the average (see chart). sometimes without there being a
suitable risk assessment at procurement
But maritime businesses face a dilemma: the advan-
or in advance of installation.
tages of these technologies are accompanied by an Svante Einarsson, Head of Maritime Cybersecurity
increase in cyber risk. at DNV Cyber

Optimism for the business opportunities presented by digital technologies

Maritime
total
81% 80% 79% Senior
75% 77% 77%
75% 73% executives
71% 69%

62%
57% 59% 59%
55% 55%

41%
38%

Q: To what extent
do the following
technologies repre-
sent an opportunity
for your business
AI and Internet Edge Advanced Digital Quantum High- Satellite Remote/
machine of things computing data twins computing bandwidth imagery autonomous over the next two to
learning analytics satellite operations three years? (‘To an
communications extent’ responses).

14 15
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 02

ACCEPTING RISK DEMANDS EXTRA VIGILANCE PROCUREMENT AS AN OPPORTUNITY the budget is ostensibly targeted at innovation rather installation. Any organizations that has not looked into
than a standalone security spend,” he says. "Examples supply chain security represents a risk to its customers.
Well over half of maritime professionals (61%) believe Most of the maritime professionals in our research of this include specifying a code of connection for IoT
that an increase in cyber risk is acceptable in the (70%) agree that cybersecurity is involved in the early and connected OT systems and defining a minimal Quite often the maritime industry is inconsistent in how
pursuit of innovation and advantage. What this means stages of new infrastructure projects, during which security architecture specification.” it approaches these issues, warns Seatrium’s Lim. “The
is that cybersecurity practitioners can play an impor- new technology can be embedded into core business largest organizations are very aware of the risk and
tant role in enabling business objectives by helping the operations. But only 32% agree strongly, which THIRD-PARTY RISK MOVES INTO THE SPOTLIGHT have strong requirements, such as asking for penetra-
organization understand when risks are acceptable or suggests there is ambiguity around the scale of the tion testing before anything new goes into production
even necessary, according to organizational risk team’s involvement. Third-party suppliers of technology and connected – for both IT and OT. But smaller organizations and
tolerance levels. systems are another significant risk because they could individual ship owners are more narrowly focused on
Four in 10 (41%) say that cybersecurity is not typically be supplying new technology that includes vulnerabili- the bottom line, avoiding additional new costs.” This
Lim Shih Hsien, Executive Vice President, Cyber IT and involved in procurement in general, and this proportion ties exploited by threat actors. In the US, the govern- aligns with the data from our research (see chart).
OT at Seatrium, a leading Singapore-based marine and drops significantly among professionals from ship- ment has warned that some eight in 10 ship-to-shore
offshore engineering solutions provider, urges organi- building and yards (27%). The greater involvement of cranes at US ports are manufactured by a single Chinese Maritime organizations might be using technologies
zations to take a risk-based approach to each technol- cyber teams among this group likely reflects IACS government-owned company that retains remote access that promise bottom line improvements, but neglecting
ogy investment. “Start by thinking about the business UR-E26/27 requirements that seek to establish cyber- and has failed to address software vulnerabilities.16 to protect themselves against the risk that vulnerabili-
objective with any new innovation,” says Lim. “You have security standards throughout the lifecycle of newbuild ties will be introduced into their systems. Instead, they
to think about what the business is trying to achieve vessels, and which therefore appear already to be The supply chain of technology components is another should have more exacting requirements for their
before thinking about the enabling technologies. That driving positive behavioural change in the industry. weak point, because these components could have been supply chains, overseen by stronger procurement and
will help shape your risk tolerance as part of the scope manipulated during delivery, storage, construction and change management processes.
and scale of what is needed.” “The failure to incorporate cybersecurity into the early
stage of new projects and initiatives leaves the indus-
If businesses invest in technology despite the risk of try scrambling to address the problem later on,” warns
new vulnerabilities, then IT and OT cybersecurity teams DNV Cyber’s Svante Einarsson. “Retrofitting security

61% 70% 41%


must work closely with the business’s marine depart- measures is also more time-consuming and costly than
ment while playing an important role in the assessment, embracing security by design.”
procurement, and implementation of these technolo-
gies. But in practice this is not yet always the case. CyberOwl’s Ng adds that the most forward-thinking of maritime professionals believe that an of maritime professionals agree that cyber- say that cybersecurity is not typically
maritime organizations are, however, already baking increase in cyber risk is acceptable in the security is involved in the early stages of involved in procurement in general, and
pursuit of innovation and advantage. new infrastructure projects, during which this proportion drops significantly among
cybersecurity requirements into their specifications for new technology can be embedded into executives from shipbuilding and yards
innovation, as part of the innovation process. “That way core business operations.

Acceptance for higher cyber risk as a trade-off for digitalization Smaller companies appear less mature in securing their supply chains

Maritime cyber experts 68%

41% Annual revenue of


Maritime senior executives 64% respondent's organization
Cybersecurity is not typically
50%
included in my organization's Maritime total
procurement requirements 38%
and processes Less than $500m
32%
$500m - $4.9bn
31%
Maritime total 61%
$500m - $4.9bn
70%
Cybersecurity is incorporated
in the early phases of new 70%
Other critical infrastructure industries, infrastructure projects in
72%
including energy, manufacturing, and 50% my company
healthcare (excludes maritime) 77%
Q: We should accept an
increase in cyber risk if it Q: To what extent do you
means experimenting with agree or disagree with
new technology the following statements?
(‘Agree’ respondents). (‘Agree’ respondents).

16 17
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 03

03
THE OVERCONFIDENCE
+ UNDER PREPARATION
TRAP

18 19
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 03

03 THE OVERCONFIDENCE + UNDER PREPARATION TRAP we take,” warns Einarsson. “Businesses have a sophis-
ticated adversary to contend with, which complicates
sionals in our research say they know exactly what to
do if they are concerned about a potential cyber attack
the picture significantly.” – up from 57% in 2023 – the reality could surprise them.

The maritime industry appears confident that it is prepared for and resilient Many organizations may not even be at the initial, Suominen warns that the sector’s desktop planning
‘detection’ stage of readiness when it comes to recov- exercises are often too limited in scope to stress-test
to cyber attacks, but digging deeper there are some signs of a false sense ering from a cyber incident. “Our experience is that the multiple interdependencies and assumptions of a
of security. maritime organizations are not as ready to detect or complex supply chain. They do not, for instance, always
handle a cyber incident within the OT domain as they include suppliers, customers and other partners within
might think,” says Einarsson. the business.
Maritime organizations’ awareness of cybersecurity suggests that they may not be accurate. Yet most
issues is increasing, and professionals say their organiza- maritime organizations report in our survey that they To this end, CyberOwl’s Ng explains that one mistake “You may have everything set up to respond to an
tions are expanding their budgets to try to stay ahead of have done enough already to prepare for specific that operators can make is to underappreciate the incident in theory, but the moment you try to collabo-
the threat (see section 1). But spending money on cyber is attacks and consequences of incidents, such as the complex, multifaceted nature of a cyber incident, which rate internally – to make sure each team does the right
obviously not a guarantee of enhanced resilience. cyber-related theft of sensitive data (77%), asset is illustrated by the speed at which a virus carried on a thing let alone all the vendors and other partners – it
downtime (80%), physical injury (75%) and environ- USB stick can spread across different fleets. “Opera- becomes much harder,” he says .
One concerning finding from our research is that mental damage (74%). tors don’t always prepare their responses to minimize
maritime businesses might be simultaneously overcon- cross-contamination risk,” he warns. "Organizations may think they have adequate response
fident in their defences and underprepared for the CYBERSECURITY EXPERTS ARE LESS CONFIDENT plans in place, but without testing them with exercises
sophistication of today’s cyber threats. THAN MARITIME EXECUTIVES In fact, says Seatrium’s Lim Shih Hsien, the maritime they are just theoretical,” adds CyberOwl's Ng.
sector often appears to have made less progress than
A FALSE SENSE OF SECURITY Maritime professionals’ confidence does not match up other industries on cybersecurity. “Compared with
to what some experts are experiencing in practice. other critical infrastructure sectors, as well as finance
More than eight in 10 maritime professionals (83%) DNV Cyber’s Svante Einarsson, for example, says that and government, maritime is behind the curve.”
believe that their organizations have a good cyberse- organizations might feel like they are prepared because
curity posture. And 71% are confident that their they know that more and more resources are being THE STRATEGY MIGHT NOT MATCH THE REALITY
organizations would quickly return to business as deployed to manage the cyber risk, but the reality is
normal following a cyber attack. more complex than that. A further problem, says Wärtsilä’s Matti Suominen, is
that the reality of a cybersecurity incident often turns
The average maritime cyber incident takes
These are bold assertions to make. And the recent “We must remember that cyber risks do not occur out to be different from what the organization expects
57 days to resolve... that's two months.
scale and number of cyber incidents in the industry randomly and can emerge independently of any actions and has planned for. While 86% of maritime profes- Daniel Ng, CEO at CyberOwl, a DNV company

Industry confident in its preparation against cyber attacks Industry fairly confident it has prepared against potential outcomes of a cyber attack

I am confident my organization would A grounded vessel 21% 39% 28%


return to business as normal quickly 39% 32%
following a cyber-attack Multiple grounded vessels 30% 36% 22%

Asset downtime interrupting operations 12% 46% 34%

Physical injury or loss of life 16% 34% 41%


My organization has a good 41% 43%
cybersecurity posture Closure of a major port or strategic waterway 27% 35% 24%

Harm to the environment 17% 38% 37%


30%
Theft of sensitive data (cargo manifests, crew details, client information) 15% 42% 35%

I know exactly what to do if I am concerned 39% 47% Deactivation/shutdown of the organization's core IT systems 13% 39% 39%
about a potential cyber risk or attack
Heightened regulatory scrutiny 14% 48% 26%

Q: To what extent do you agree or disagree with Q: To what extent would you say your organization has
the following statements about cyber risk in taken the necessary steps to prepare for the following
Slightly agree Strongly agree today’s threat landscape? (‘Agree’ respondents). Not at all / Hardly at all To some extent To a great extent potential outcomes of a cyber incident?

20 21
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 03

EVERYONE SHOULD BE PART OF More than three-quarters of maritime professionals


THE CYBER EFFORT say that the cybersecurity training their staff receive
In the physical world, nobody would come
does not prepare them for more sophisticated
across a fire and leave it because they’re
Suominen says that many maritime organizations see attacks. This does not reconcile with their confidence
not the person who puts out fires on
cyber incidents as a problem for their cybersecurity that their organizations can recover quickly from a
vessels. If you were the first there, you
team to resolve. Although non-cyber executives may be would grab the fire extinguisher and go. major attack.
familiar with planning and training exercises for critical But in cyber, we've profiled it such that
safety incidents, they are less engaged when it comes cyber is reserved for one team of people. “We are seeing people receive AI-generated commu-
to cyber. nications that look highly realistic,” says Suominen.
Matti Suominen, Director of Maritime “We used to teach people to just look out for anything
Cyber Security, Wärtsilä
This underestimates the seriousness of the threat, that looks suspicious, but these messages do not look
particularly considering the safety implications of suspicious – they come from the right person, they're
infrastructure that is disabled or malfunctioning. It also written well, and the AI responds convincingly to
excludes professionals who could make a significant questions and comments.”
contribution to overall resilience. Critical professionals
such as ships’ masters and chief engineers, as well as This is reflected in our survey data. More than
the broader crew, are invaluable to cyber defence, but ADVERSARIES ARE INCREASINGLY SOPHISTICATED three-quarters of maritime professionals (78%) say
require training and support to make the most of their that phishing attacks built using generative AI make it
skills and experience. Even if maritime organizations’ confidence in their much harder for organizations to distinguish real emails
from fake messages sent by malicious attackers.

53%
current state of preparedness is justified, cyber is not a
Crucially, as an attack on maritime OT can have a
physical impact – such as by interfering with ships’
challenge that can stay ‘fixed’.
Are maritime organizations likely to step up their 78%
navigation and propulsion systems or disabling their On a global scale, cybersecurity is turning into an arms cybersecurity preparations to keep pace with these say that phishing of maritime profes-
safety controls – cyber risks should be seen as safety race as threat actors invest in their own capabilities as developments? The answer is not clear cut: more than attacks built using sionals say their senior
generative AI make leaders underestimate
risks. However, this reassessment requires a shift in soon as they encounter an obstruction. Many have half of maritime professionals (53%) say their senior it much harder for the speed at which the
mindset across the sector. access to extensive resources because they have the leaders underestimate the speed at which the cyber organizations to dis- cyber threat is evolving,
tinguish real emails which has implica-
support of nation states and well-funded criminal gangs. threat is evolving, which has implications for the level
from fake messages tions for the level of
This means that the sophistication of their methods of investment that will be available. We explore these sent by malicious investment that will be
might outstrip their targets’ ability to respond. funding challenges in the next section. attackers. available

Doubts employees are prepared for most sophisticated attacks Cyber threat evolving, aided by AI

Slightly agree
Slightly agree Slightly agree

Strongly agree
Strongly agree Strongly agree

33%
39% 39% 42%

37% 37% 36%


19%

Q: To what extent do you agree or disagree Q: To what extent do you


The cybersecurity training that
The cybersecurity my organization
training provides provides
that my organization to our workforce
to our workforce with the following statements about cyber The use of generative AI in phishing Senior management in my organization underes- agree or disagree with
protects protects
against the mostthe
against common threats but
most common is notbut
threats advanced enough to
is not advanced enough to risk in today’s threat landscape? attempts is making it harder for us to judge timate how quickly the cyber threat is evolving the following statements?
prepare employees for today's
prepare employees formost sophisticated
today's actors actors
most sophisticated (‘Agree’ respondents). which emails are real and which are not and becoming more sophisticated (‘Agree’ respondents)

22 23
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 04

04
INVESTMENT
AND THE
REGULATORY
IMPERATIVE

24 25
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 04

it is also important that the cyber security risk of quickly, but companies need to do more than just meet
existing vessels is addressed sufficiently. the core requirements.

EVOLVING REGULATION LEADS TO WELCOME Some say that the maritime industry has been slow to
INVESTMENT introduce regulation that is strict enough to counter the
threat, even if this slowness has been for understanda-
In our survey, two-thirds (66%) say that regulation and ble reasons. “Replicating the regulation that applies in
compliance prompt cybersecurity funding and activity other sectors is very difficult in maritime because the
in their organization. No other factor is anywhere near industry is so diverse and dispersed,” says Seatrium’s
as significant. Lim Shih Hsien.

“In the maritime sector, regulation is now setting the Daniel Ng at CyberOwl says that businesses might now
bar that the sector itself is aiming at,” says Blomhoff. be more prepared for regulation of IT cybersecurity
04 INVESTMENT AND THE REGULATORY IMPERATIVE “We believe that regulation like IACS UR E26 and E27
will have a significant positive effect because it ensures
than they are for OT cybersecurity. “Most executives
say they are confident in areas like monitoring
suppliers build components that are resilient, before networks and providing thorough incident response
New regulation has concentrated the minds of maritime executives, driving they are integrated onto a vessel. However, it is impor- and reporting,” Ng says. “They are often less prepared
tant to note that building cyber resilience is not a than they think on the OT side.”
the industry to increase investment in cybersecurity. regulatory check list, but rather a regulatory continu-
ous improvement process.”
Since 2021, when the International Maritime Organiza- Today, there are new rules across the industry’s sub-
tion added new provisions to the International Safety sectors, with different jurisdictions imposing their own DNV’s class notation is fully aligned with the latest IACS
Management code for merchant shipping, cybersecu- requirements. More recently, these have included the requirements, and well over 300 vessels and systems
rity regulation in the maritime industry has proliferated. European Union’s NIS2 Directive which looks at overall have already signed up to comply with the DNV rules Doing the bare minimum for compliance
critical infrastructure and the International Association since they were released for the first time in 2018. is not enough. There is much more to do
“The maritime industry has used regulation effectively of Classified Societies’ (IACS) unified requirements to really make use of these capabilities
to keep safety high on the agenda and to secure (IACS UR-E26 and UR-E-27). E26 governs vessel design COMPLIANCE ALONE IS NOT ENOUGH and features. Otherwise, it’s like buying a
funding. Now with the increasing cyber threat, we also and operation for yards, designers and owners, while car with a safety belt, but never putting
need to amend with impactful cybersecurity require- E27 applies to essential onboard systems as well as Looking at cybersecurity through the prism of compli-
the safety belt on.
ments to lift the industry baseline,” says Jarle Coll original equipment manufacturers. Both are mandatory ance – rather than focusing on the nature of the threat Matti Suominen, Director of Maritime Cyber
Blomhoff, Head of Section Digital Ship Systems at DNV. for new vessels contracted after 1 July 2024. However, itself – would be a mistake. Regulation is moving Security at Wärtsilä

Regulation is the greatest driver of cybersecurity investment Industry confident it has the capabilities to perform activities required under new regulation

Very confident
Regulation and compliance 66% Fairly confident
35% 15% 22% 36%
A cyber incident or near-miss in my organization 32% 32%
52% Not particularly
confident / Not
Avoiding financial or reputational damage 31% at all confident

Advances in digitalization across our business 29%


38% 37%
Pressure from customers 28% 35% 37% 36%
39%
Strategic investment in new connected assets or infrastructure 13%

Geopolitical volatility 13%


24% 23% Q: For each of
Due diligence around new third-party relationships 9% 11% 17% 15% 15% the following
Q: Which of the following activities, please
Procuring systems to connect operational assets (retrofitting) 9% drivers are most likely to Perform Demonstrate Build Track whether Encrypt all Provide indicate your level
lead to greater funding continuous full visibility of cybersecurity all employees sensitive data thorough of confidence that
Due diligence around capital expenditure (e.g., M&A) 7% and activity around monitoring of the supply obligations have received and control incident
your business is
systems and chain and any into all new adequate cyber access response and
cybersecurity within your networks vulnerabilities contracts with training and reporting currently able to
Pressure from suppliers 5% organization? suppliers awareness perform them.

26 27
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 04

NEW SKILLS AND TALENT NEEDED FOR COMPLIANCE areas of activity on either side of a central incident,
with preventative initiatives on the left and responsive
Many maritime organizations today are not finding initiatives on the right. “There is a need to balance
compliance easy, even if they are investing in it. preventative and responsive tasks to achieve resil-
ience, with governance touching on both areas of
More than four in 10 maritime professionals (42%) in our activity,” explains DNV Cyber’s Einarsson.
research worry that they lack the skills and talent required
to comply with cybersecurity regulation, for example. And While it might appear convenient for organizations to
31% say it is difficult to integrate requirements into ‘prevent and forget’, preventative and responsive
outdated and legacy systems. Often, this is because of measures must work in tandem as it is not commercially
the scale and reach of the operational business. The cost or operationally feasible to prevent every incident. “For
and practical challenges involved in securing vessels are years, the maritime industry focused its investments on
significant, even if the money is there to do it. ‘protect’ and ‘govern’ but now it is turning more to
responsive capabilities that have been under-prior-
“The sector is operating assets designed to be in service itized in the past,” says Einarsson. “This is a positive
for decades,” says Lim. “Getting these assets compliant development.”
and cyber secure through retrofits is prohibitively expen-

42%
sive when they weren’t originally designed with security in The rebalancing might mean an increase in investment
mind. This is a hugely capital-intensive industry.” overall, but much of the cost could be covered by a
more innovative approach to change.
INVESTMENT NEEDS TO SPREAD WIDER of maritime pro-
fessionals in our
According to CyberOwl’s Ng, for example, some research worry
Looking at where maritime businesses are focusing executives are ring-fencing parts of the substantial that they lack the
skills and talent
their investments, there is a slightly heavier weighting budgets that are put aside for decarbonization and
required to comply
on responsive cyber measures than there is on using that for cybersecurity. “The more thoughtful CIOs with cybersecurity
preventative cyber measures. are riding off the wave of the decarbonization drive,” he regulation
says. “In effect, they are building security budget into
According to the bow-tie barrier model, organizations that investment, and packaging it as secure digitaliza-
should visualize cyber risk management as two broad tion needed to decarbonize.”

Access to skills and talent the greatest challenge to complying with cybersecurity regulation Spending across the spectrum of cybersecurity activities, funding efforts to prepare for and prevent attacks as well as
detect and respond to them

Lack of available skills and talent 42% Identify 16% Protect 25% Govern 14% Detect 19% Respond 13% Recover 13%
Keeping up with sophistication of threat actors 36%
100%
Difficulty integrating with outdated and legacy systems 31%

Uncertainty on how upcoming regulation will be implemented 31% 45%

The rapid pace of regulatory change 24%


66%
Lack of funding and resources 23% 50%
14%
Complexity of regulation across geographies 22%

Sensitivity and inaccessibility of data 18%


Q: What are the main 41% Q: To your best estimate,
Complexity and size of our supply chain challenges your how would you say your
17%
organization faces when cybersecurity funding is
Complexity of regulation within my organization's home country trying to comply with 0% distributed across the
12% Preventative Govern Responsive
cybersecurity regulation? following areas?

28 29
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 05

05
CYBERSECURITY
CHALLENGES
AND HOW TO
OVERCOME THEM

30 31
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 05

BOOST COLLABORATION AND TRANSPARENCY FOR coordinating the industry’s efforts on climate change,
HIGHER INDUSTRY STANDARDS for example.17 There are also multiple examples of
collaborations that aim to improve safety – not least
In recent years, some of the most significant cyber the ongoing improvements to the International
incidents have come from threat actors infiltrating Convention for the Safety of Life at Sea (SOLAS).18
targets’ supply chains rather than the organization
itself (see section 3). Seatrium’s Lim Shih Hsien hopes that the maritime
industry will take inspiration from the way organiza-
This calls for greater transparency throughout the tions in industries such as technology have worked in
industry ecosystem. Organizations need to be engaged partnership. “Look at the way in which the big tech
in exchanging information and best practice, which players came together to form the FIDO Alliance, which
means sharing the details of critical incidents, attacks has now come up with common standards for pass-
and near-misses. Sharing knowledge and skills will help wordless authentication over web browsers. It doesn’t
to address the knowledge gaps that so many organiza- have to be regulators that drive change – the big
tions say obstruct compliance and their readiness more players can agree on stronger standards.”
broadly.
There are some signs that this collaboration is under-
Our research suggests that transparency is insuffi- way. For example, organizations such as the Maritime
cient. Most maritime professionals (70%) agree that Information Sharing and Analysis Center19 are provid-
their organization would inform important stakehold- ing platforms for sharing threat intelligence and best
ers about a significant but contained cyber attack, but practices across the industry.
only 38% strongly agree and 32% agree slightly. A
significant minority (39%) suspect that their suppliers
have not always been transparent about breaches in
the past. More broadly, 95% agree that the industry as

95%
a whole needs to collaborate more to tackle the threat
to critical infrastructure from cyber attackers.

Maritime organizations have a strong record of work- of maritime professionals agree that the
industry as a whole needs to collaborate
ing together in many other areas. Groups such as the more to tackle the threat to critical infra-
Global Centre for Maritime Decarbonisation are structure from cyber attackers

05 CYBERSECURITY CHALLENGES AND HOW TO


OVERCOME THEM
Strong support for open communication and collaboration on cybersecurity

The maritime industry is increasingly aware of the severity of the cyber


threat it faces and is strengthening its cybersecurity posture, but more If my organization experienced a significant cyber-attack, but
contained it without suffering any negative impacts, we would still 28%
action is needed. inform all of our key customers and suppliers
32%

I believe cyber attackers may have infiltrated my organization's


supply chain but our suppliers have not reported it because they are 28% 10%
The maritime industry faces four key cybersecurity — Assigning clear roles, responsibilities and worried about damaging their professional relationship with us
31%
challenges: resources to handle OT cybersecurity in a continu-
My organization would swiftly inform our stakeholders if it suffered a
ous manner onboard vessels and onshore 26% 52%
cyber-attack that exposed information about them
— Ensuring that experienced cyber professionals,
who know how to build and implement cyber­ — Securing the many interdependencies and compo- There should be more collaboration among organizations within
critical infrastructure industries to ensure we are aligned in our 29% 66%
security resilience in the design of new systems nents in complex supply chains. approach to cybersecurity
and vessels, are given the access they need
Our survey data and interviews with DNV experts,
Q: To what extent do you agree or
— Enhancing detection and response capabilities to meanwhile, highlight five specific areas where organi- disagree with the following statements?
minimize the consequences of marine OT zations need to target their attention and investment. Slightly agree Strongly agree (‘Agree’ respondents).

32 33
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 05

REIMAGINE CYBER AS AN ESSENTIAL ENABLER OF from other sectors, like financial services, healthcare or oil
INNOVATION – NOT AN OBSTRUCTION and gas, which have a longstanding practice of incorpo-
rating security into a coherent digitalization strategy,”
Our survey suggests that maritime businesses are says Ng. “If you have always worked in shipping IT, with a
willing to accept that cybersecurity is a risk that comes focus on operations and offshore platforms, you are
with innovation (see section 2). For these organizations, having to learn cybersecurity quickly, and are likely to end
the opportunities of digital transformation are too up with a tactical rather than strategic approach.”
important to ignore – particularly because of industry
competitiveness and net zero – even if they expose the Cybersecurity leaders need to address these challenges
organization to increased cyber risk. in order to provide security guidance that matches the
ambitions of today’s digitalized businesses. They need
This means that organizations should integrate cyberse- to work with colleagues in other functions to understand
curity teams into transformation programmes at an their commercial objectives and tolerance for risk. They
earlier stage. The cybersecurity team now needs to play a can design a cybersecurity strategy that helps the
greater role in procurement and change management, for organization to safely pursue its ambitions.
example, working with supply chain leaders to make sure
that suppliers meet high standards and that processes According to Suominen at Wärtsilä, the reframing will
are in place for assessing their products and services. require a reset of the relationship between cybersecurity
teams and other peers. “There is too much box-ticking
But our survey shows that cybersecurity is often seen and too many buzzwords,” warns Suominen. “We need to
as a barrier to innovation instead of an enabler, and put standardized requirements in place so that product
that its value in the innovation process is underappreci- managers understand what is required in practice.”
ated. Cyber experts are significantly more likely than
senior maritime executives to strongly agree that a
good cybersecurity posture is a competitive advantage
(76% compared with 57%).
Everyone agrees on ideas such as security
CyberOwl’s Daniel Ng says that this perception often
by design, but there isn’t always consist-
comes from a lack of wider business experience within
ency on what this actually means.
maritime IT teams, which are often still responsible for Matti Suominen, Director of Maritime
cyber. “Some of the leading companies are hiring CIOs Cyber Security at Wärtsilä

Mixed views on whether cybersecurity is an enabler or blocker of innovation Mixed views on whether cybersecurity is an enabler or blocker of innovation

Connecting new digital technology to


Cybersecurity is overvalued as an enabler Connecting new digital
our ITtechnology to
infrastructure 26% 30% 43%
of innovation 33% 11% 26% 30% 43%
Cybersecurity is overvalued as an enabler our IT infrastructure 33%
of innovation 33% 11% Connecting OT assets to our IT infrastructure 33%
27% 27% 47%
Connecting OT assets to our IT infrastructure 27% 27% 47%

In my organization, cybersecurity is typically seen New product and service development 19% 39% 43%
as a hindrance to overcome rather than as a 31% 15% New product and service development 19% 39% 43%
In my organization,value-creating
cybersecurity business
is typically seen 31%
partner New partnerships and alliances 31%
as a hindrance to overcome rather than as a 31% 15% 11% 49% 40%
value-creating business partner New partnerships and alliances 11% 49% 40%
Sales and marketing activity 14% 52% 34%
My organization's spending on cybersecurity is Sales and marketing activity 14% 52% 34%
diverting funding away from other important 24% 8% 24%
My organization's spending on cybersecurity is
investments Scenario planning 11% 24% 51% 38%
diverting funding away from other important 24% 8% Scenario planning 11% 51% 38%
investments

Q: Would you describe the cybersecurity function


Slightly agree Strongly agree
Q: To what extent do you agree or disagree with Blocker Neither blocker or an enabler Enabler in your business as typically being more of a
Slightly agree Strongly agree the following statements? (‘Agree’ respondents) Blocker Neither blocker or an enabler Enabler blocker or an enabler of the following initiatives?

34 35
DNV CYBER Maritime Cyber Priority 2024 / 2025 CHAPTER 05

ACCELERATE CYBER TECH TO OVERTAKE ADVERSARIES Organizations will have to implement those capabilities and-recover plans, tested by regular exercises, will also
carefully, according to DNV Cyber’s Einarsson. “The help organizations become more prepared.
Emerging technologies expose maritime organizations to industry needs time to look through the hype around AI
new risks, including increasingly sophisticated deepfakes, to work out which tools offer the most value – both on a KEEP UP WITH REGULATION AND BUILD CONNEC-
but they can also provide cybersecurity professionals standalone basis and alongside other technologies and TIONS ACROSS THE INDUSTRY
with new AI tools that support resilience by improving processes,” says Einarsson . “AI tools regardless of their
threat detection and performing manual tasks. purpose will need to be qualified in terms of security The regulatory environment in maritime is constantly
and accuracy, and managed responsibly throughout evolving, both at an international level and on a jurisdic-
If cybersecurity teams deploy these tools wisely, with their entire life cycle.” tion-by-jurisdiction basis. To give themselves time to
sensitivity to any integration risk, they can use them to comply, maritime companies now need to be able to
perform transactional responsibilities – email sifting, STRENGTHEN THE CYBER CULTURE AND ENHANCE scan the horizon for forthcoming regulation.
for instance. This frees up people for more valuable PREPARATION FOR CYBER INCIDENTS
activities, such as providing advice on procurement However, although compliance is vital, organizations
and collaborating across functions. Cybersecurity is a siloed function in too many maritime that do meet the regulatory standards should not
organizations. It struggles to cut through to the leaders equate compliance with protection from cyber attacks.
Using AI in this way is currently more of an aspiration than a of other functions – let alone communicate with the They must go further.
reality. In our survey, executives report high levels of trust in whole organization. Everyone in an organization needs
the ability of AI-driven tools to carry out some cybersecu- the tools and knowledge to defend it from cyber For many organizations, the first step towards enhanced
rity tasks, but not many are implementing them. Just 22% attacks, and a strong cybersecurity posture can be resilience is to take time to understand how they
are incorporating AI into their IT cybersecurity, and only achieved through advocacy, awareness-raising and compare with their industry peers and build stronger
15% say the same of OT. Many in the maritime industry do, training. Training will have to be a significant priority for alliances with them. Leaders in the maritime sector that
however, understand that threat actors are moving far all maritime organizations and needs to be targeted, take cybersecurity seriously can become trusted
faster to adopt such technologies. Almost half (46%) say updated regularly, and carried out continuously for partners for customers that rely on their resilience. So
that if they do not add AI capabilities to their cybersecurity, organizations to stay ahead of sophisticated cyber every organization will need to catch up, but many have
they will fall behind malicious actors. threats. only a limited view of their performance in relative terms.

22% “AI is currently giving the bad guys more of an advan-


tage than the good guys, because it’s easier to attack
something than to defend it,” says Suominen. “But we
This culture will help ensure the business is prepared to
respond to cyber incidents when they arise, which
makes the difference between a manageable problem
Industry analysis, including DNV Cyber research, can
provide vital insights into how the maritime sector as a
whole is progressing and help organizations to ascer-
say that they are incorporating
AI into their IT cybersecurity, and are now also seeing AI on the defence side – and more and one that turns into crisis. Deploying monitoring and tain their own strengths and weaknesses within the
only 15% say the same of OT valuable capabilities are on their way.” detection capabilities and organization-wide respond- supply chain.

High expectations for AI to support cybersecurity, but implementation currently uncertain for most High expectations for AI to support cybersecurity, but implementation currently uncertain for most

Threat detection and monitoring in data 83% We are currently incorporating AI into our IT cybersecurity 22% 32% 46%
Automated response to a cyber incident (such as disabling affected technology) 70%
We are currently incorporating AI into our OT cybersecurity 15% 43% 42%
Vulnerability management (e.g., scanning systems and networks for weaknesses) 81%
Analysing employee behaviour for suspicious/anomalous activity 73% Utilizing AI has already helped strengthen our cybersecurity posture 20% 27% 54%
Analysing email content to detect spear-phishing activity 85% Utilizing AI has not yet strengthened our cybersecurity posture, but we
Automated communication with suppliers about suspicious activity 63% are confident that it will 38% 16% 46%
Automated communication with customers about suspicious activity 62% Using AI will give our cybersecurity professionals more time to focus on a
wider range of value-adding tasks 48% 14% 38%
Assessing compliance with cyber regulation 75%
The risk of using AI in cybersecurity outweighs the benefits that it creates 22% 35% 44%
Source code analysis (e.g., static/dynamic application security testing) 69%
Email spam filters 87% If we don't use AI in our cybersecurity, we will not be able to keep up with
the threat actors that use it 47% 19% 34%
Biometric authentication systems 69%
AI in cybersecurity is mostly just hype and it will not play a meaningful
Automated security processes 78% 15% 50% 35%
role in cybersecurity in my industry within the next three years

Q: To what extent would you trust AI technologies to carry out Q: Which of the following statements about the use
the following cyber-related tasks? (‘To an extent’ responses). True Not true Don't know of AI in cybersecurity are true in your organization?

36 37
DNV CYBER Maritime Cyber Priority 2024 / 2025 REFERENCES

REFERENCES

1 MCAD Maritime Cyber Attack Database, NHL 14 Chinese Hackers Targeting Ships Across Europe
Stenden University of Applied Sciences. With Malware on USB Sticks, Supply Chain Brain.

2 Rotterdam: Europe's Largest Port Targeted in 15 Decarbonizing maritime: Overcoming challenges


Cyberattack Linked to Pro-Russian Hackers, Tech with innovation and ingenuity, DNV.
Times.
16 Concerns Over Supply Chain Attacks on US Seaports
3 Ports hit by Microsoft outage as supply chain Grow, DarkReading.
operators fear a rerun of NotPetya, The Loadstar.
17 New cross-industry collab targets shipping decar-
4 Maritime Connectivity Retail Revenues Amounted to bonization via energy efficiency, future fuels, and
$2.1 billion in 2023, Valour Consultancy. onboard carbon capture, Offshore Energy.

5 Shifting Tides, Rising Ransoms and Critical Deci- 18 International Convention for the Safety of Life at Sea
sions, CyberOwl, a DNV Company. (SOLAS), 1974 , IMO.

6 Ransomware Payments Exceed $1 Billion in 2023, 19 Maritime Information Sharing and Analysis Center.
Hitting Record High After 2022 Decline, Chainalysis.

7 Maersk Says June Cyberattack Will Cost It up to


$300 Million, Bloomberg.

8 Cyber Incident Victim: Voyager Worldwide, Cyber


Security Incident Database (CSIDB).

9 Major Maritime Cybersecurity Incident Exposes


Vulnerabilities, Offshore Cyber.

10 Pro-Russian Hackers Target Website of Europe’s


Busiest Port, gCaptain.

11 Anticipating the Next Black Sea Shipping Crisis,


Center for Maritime Strategy.

12 How Houthi Attacks in the Red Sea Threaten Global


Shipping, Council on Foreign relations.

13 Houthi Attacks and GPS Spoofing in the Bab


al-Mandab Strait, MCAD Maritime Cyber Attack
Database, NHL Stenden University of Applied
Sciences.

Images: Shutterstock; pages 1, 4, 6, 12, 15, 18, 23, 24, 29, 30, 36, 38.
GettyImages; page 39 . Unsplash; page 4. AdobeStock; page 24.
DNV; pages 12, 26, 32.

38 39
About DNV Cyber About DNV
DNV Cyber is a leading cybersecurity services DNV is an independent assurance and risk manage-
provider. We empower businesses with complex ment provider, operating in more than 100 countries,
needs to become safer and more resilient with with the purpose of safeguarding life, property, and
tailored solutions. Our global team of more than 500 the environment. As a trusted voice for many of the
experts brings over 30 years of IT and industrial world’s most successful organizations, we help seize
control system security experience to your business, opportunities and tackle the risks arising from global
helping you breathe easier and perform better. transformations. We use our broad experience and
deep expertise to advance safety and sustainable
We identify, prioritize, and communicate risk, guide performance, set industry standards, and inspire and
you through regulations, and align your cybersecurity invent solutions.
with your business goals. We bring you technology
and threat insight, help you to secure cyber invest-
ments, and implement cost-effective security control
measures. We detect and respond to threats, ensur-
ing continuous improvement and quick recovery.

We ask questions and listen, speaking your industry's


language. We collaborate and share insights, setting
industry standards and delivering best practice. We DNV Cyber was formed by merging Nixu,
safeguard your critical, enabling your business to thrive. Applied Risk and DNV in 2024.

Disclaimer. All information is correct to the best of our knowledge.


Contributions by external authors do not necessarily reflect the views of
the editors and DNV. © DNV, All rights reserved.

You might also like