Every new technology solves problems but, if not properly maintained, also comes at an inherent risk that can grow over time. This is why the maritime mentality of building a vessel to last decades with occasional maintenance is not compatible with the fast-paced changes occurring in IT.
Threatspan helps quantify that risk and turn the obscure world of cyber security into a clear Euro/Dollar value.
Through vulnerability assessments, penetration testing, multiple intelligence sources, and continuous surveillance, they monitor a vessel or an office, look for any malicious activity, and ultimately compute the fiscal impact of any uncovered vulnerabilities in an organisation’s infrastructure.
Maritime companies have used Threatspan’s solutions to gain visibility into the behaviour of their critical networks and processes, even discovering previously unknown network activity. They have used these insights to strengthen security controls where it was needed the most. Conducting such reviews regularly significantly strengthens an organisation’s cyber security posture while also maximising the cost-effectiveness of security spending.
Currently, Threatspan is working with dredging and chartering companies while also making inroads in the energy sector.
In this PortXL Alumni Feature, Founder & CEO of Threatspan Leon Yen discusses the issue of cyber security at sea, and how this is tied to maritime innovation.
How did you come up with the idea for a maritime cyber security startup?
I spent much of my career in Silicon Valley, and my background is in IT cybersecurity. But my family has roots in maritime and shipping, so I’ve always been fascinated by this industry.
When Sami Jawhar (Co-Founder and CTO of Threatspan) and I thought of starting a cybersecurity startup, we wanted to pick a sector that we could bring value to. That’s why we picked maritime, because it was accessible to me.
At the same time, the maritime cyber attacks incidences increased dramatically, the Maersk ransomware attack in 2017 being a major hit. That was the event that cemented the idea of Threatspan.
Is there a major difference between conventional cyber security and maritime cyber security?
Yes. We come from a traditional enterprise environment. Cyber security is similar when it comes to industries like banking, finance or insurance. But when it comes to maritime, the IT environments are very different.
A ship is essentially a moving office. So much of our learning has been understanding nuances, like what shipping is all about, business models, the different maritime verticals, all of which are unique environments that require specific IT requirements.
Another big difference would be transparency. For example, if a bank suffers a breach, it is required by law to disclose and inform its customer base, and protect them post-attack.
But at sea, these guidelines don’t exist. When a ship is out at sea, it is in international waters and there are no regulations obligating them to disclose any information. So gathering relevant data on the extent of maritime cyber risk has been a challenge.
Shipping is unique in terms of the culture as well. Transitioning from a traditional enterprise environment to maritime, this has been the year of culture shocks for us!
Can you address the main misconception about maritime cyber security?
When you talk about cyber security, the first thing people think about are cyber attacks or hacking, due to high profile cyber attacks in the recent years, such as the Cosco attack in 2108.
But cyber risk isn’t necessarily about that. In fact, to compromise a ship completely is quite difficult.
The bad news is you don’t necessarily need to compromise a ship to make it unsafe. More times than not the main problems are cyber risks. This involves anything from getting hacked to getting fined if you don’t meet compliance requirements.
What were some challenges in achieving product-market fit for Threatspan?
We started off calling ourselves a maritime cyber security company, and now we’ve moved into cyber risk management, which is not just for shipping enterprises but also marine insurance companies.
Some marine insurance exclude cyber risk right now, because they simply don’t know how to quantify it. So we’ve identified that as a huge opportunity.
Each ship has its own vulnerabilities. So instead of a risk score, the risk is measured in terms of dollar amount exposure loss. This means that if you have containers with hundreds of thousands of dollars worth of cargo, or cargo that can be weaponised, the risks can be quantified to the dollar amount.
Why do many maritime players not see cyber risk as an important aspect of their business?
Traditionally, cyber risk is not seen as an ROI.
It doesn’t make companies money, and it’s not saving them money perceptively. When companies come to us, it’s usually because they have experienced cyber attacks or encountered incidences of cyber risks.
But when it comes to innovation, shipping and maritime industries are ahead. Because for them, these innovations mean cost reductions and improving the bottom line.
So how does cyber security fit into the larger trend of maritime innovation?
What we’re seeing is older vessels being retrofitted with new technologies, like better connectivity. This means they’re more exposed to cyber attacks without the necessary security.
The industry is also moving toward autonomous shipping within the next 5 to 7 years to save manpower costs. But if ships are remotely controlled, you’ll need more precision in terms of navigation or speed.
For example, instead of 100 sensors, the ship might have 1000, and systems are completely software controlled or managed. So there will be issues if security is weak.
At the end of the day, to adopt new technologies in vessels, you need strong security as a foundation.