Digital fog ahead – seeing through the complexity of maritime cybersecurity

16 June 2017

Professor Paul Dorey Ph.D. CISM F.Inst.ISP


Where digitisation appears, cybersecurity is never far behind.

Early on, banks and retailers discovered that their websites, systems and databases made tempting targets for criminals to steal personal data or even money. Later digital adopters in the utilities and energy sector found that cyberattacks can even have physical consequences, like water pollution or the widespread power disruption suffered by Ukraine in 2015.

Now the wave is reaching the maritime industry. Ships, ports and maritime support activities continue to adopt digital systems to handle commercial, cargo and personal information, and even to control the ships or port facilities themselves. The more we digitise, the more interesting the systems become to cyber attackers and the more significant the potential impact could be when they do attack.

Of course, not all things are the same. Older vessels usually have much less digital technology than those currently leaving the shipyards. The degree of digitisation also differs: some vessels have just navigation and communications, whilst others support remote digital monitoring of cargoes, highly sophisticated engine rooms or significant communication demands. The message here is that cybersecurity investment needs to be appropriate to the risk, as nobody has the luxury of bottomless digital budgets.

Clearing the fog

It is good that the growing importance of cybersecurity in maritime has been recognised, but with this urgent enthusiasm a fog has now started to appear. Interest is leading to action: a wide range of groups are producing their own cybersecurity guidelines, and the Classification Societies are now also working on a draft set of recommendations. It is better to have guidance than to have none at all, but some in the industry can see the risk of every association, nation, region or even port starting to set different expectations.

The good news is that the fog is showing signs of clearing. The industry has formed a joint working group under the Chairmanship of George Reilly of ABS to pick up on the direction set by IMO cybersecurity guidelines and establish a common way to describe marine cybersecurity risk. The Classification Societies and key associations are keen to be part of this. I am delighted to have been retained by Inmarsat to be the facilitator for this group and bring my financial services and energy sector experience to bear.

Through this blog I will provide occasional updates on our approach towards a consistent view, especially where one maritime system connects to another. We don’t expect, or desire, identical standards to be developed everywhere, but consistency of approach to risk management would help a lot. If you are active in maritime cybersecurity risk management and the development of new standards and guidelines, we would encourage you to be part of this thinking. So please do record your interest by emailing me at

Professor Paul Dorey will be presenting at the ‘Dispelling the myth – the reality of cyber security in the shipping industry’ event as part of London International Shipping Week 2017 on Wednesday 13 September 2017. The event is free to attend; to register your interest in attending, click here.

About the author

Professor Paul Dorey Ph.D. CISM F.Inst.ISP, Director, CSO Confidential & Visiting Professor in Information Security, Royal Holloway, University of London, has over 30 years’ management experience in information security and established one of the first dedicated operational risk management functions in Europe. At BP he built and managed Information security, BCP, Privacy and Information Management Standards & Services globally across the corporation, including the digital security of process control systems. Prior to BP, he set up and ran global strategy, security and risk management functions at Morgan Grenfell and Barclays Bank. He has received several awards including Chief Security Officer of the Year, IT Security Executive of the Year, and IT Security Hall of Fame.

Paul has consulted to many governments and for several years sat on the Permanent Stakeholders Group of the European Network Information Security Agency (ENISA). He was one of the founders of the Institute of Information Security Professionals (IISP), and after five years as Chairman of the Board is now Chairman Emeritus. He was appointed to be a Fellow of the Institute in March 2015.

In addition to his speaking and lecturing activities and acting as an expert witness, he helps companies and government departments in building their information security strategies, risk governance and metrics including acting in interim CISO roles and supporting CISOs in developing their functions. He was recently appointed as Chairman of The Internet of Things Security Foundation.