Afternoon Cyber Tea with Ann Johnson 3.31.26
Ep 128 | 3.31.26

Cybersecurity at Sea: Protecting the Global Supply Chain

Transcript

Ann Johnson: Welcome to "Afternoon CyberTea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] This week on "Afternoon CyberTea", I am joined by Fabio Catassi. Fabio is the Chief Information Officer for Mediterranean Shipping Corp. In this role, Mr. Catassi has overall responsibility for the IT organization, including infrastructure, development and security for both MSC headquarters in Geneva and the network of all of its agencies. He was formerly the President and CEO of MSC Technology, based in Warren, New Jersey. Welcome to "Afternoon CyberTea", Fabio.

Fabio Catassi: Thank you, Ann, for the introduction. And it's a real pleasure to be here with you today.

Ann Johnson: So Fabio, you've been leading IT and security for a global organization with headquarters in Geneva. You have agencies around the world. You obviously have very critical logistics infrastructure. I would love to explore leadership through that lens in the context of global shipping, supply chain, and of course what it means to run real-world infrastructure. So let's get to a few questions. How does leading IT and security in maritime logistics differ from leading in a purely digital company?

Fabio Catassi: Well, in shipping, technology failure isn't an abstraction. It stops ships, blocks ports, disrupts economies. So we are not just protecting data, we are protecting the logistics, physical operations, crews, cargo, safety. So that means, for example, IT, OT, satellites, vessels, wars, all can converge. So security decisions have real-world consequences, not just digital ones. So that fundamentally changes how you lead. MSC's approach reflects this philosophy, in which security must be embedded in the operational processes. It cannot be treated just as a separate IT concern.

Ann Johnson: Yeah, I would think that in addition, I remember the, and I don't remember the geographic name of the canal right now, but I remember the ship that was stuck for the period of time.

Fabio Catassi: That was in the Suez Canal. It was one of our competitors, but of course, it lost power and that brought a blockage that had an immense impact on economies, both the local one of Egypt, since the canal was not operational, and of course with all the rerouting that anybody in the industry, for example, had to do around Africa.

Ann Johnson: Yeah, and I think that's what I want our listeners to understand, is that if global shipping were to have a security or an IT event, it doesn't just impact you as a company. It impacts your peer companies. It also can impact global supply chains and of course the global economy, and of course be a tremendous cost to you as you're trying to reroute ships in a different location and fuel and time and just wear and tear, right?

Fabio Catassi: Yeah, absolutely. And, you know, 90% of the goods that move worldwide, they are moving through the oceans. So it's really, there is no aspect of our life as a modern civilization that is not touched in this way or any other by ocean transportation. So if that gets disrupted, of course, this means that there is a real-life impact on economies and of course ultimately the people.

Ann Johnson: Exactly. And because of that, and I don't think that folks, I think that number is going to really hit folks when they realize that over 90% or roughly 90% of global shipping is done on the water. That means that you're working across multiple jurisdictions, multiple governments, multiple regulatory environments. How do you manage all of that?

Fabio Catassi: It's a huge challenge, first of all, because shipping is global by nature, but regulations are deeply local. We have offices in 154 countries, so we operate under a myriad of overlapping frameworks, IMO, GDPR, port authorities, national laws, you name it. And often these are all simultaneous. So the challenge here, when you look from a security perspective, for example, is to create global consistency in security governance, while remaining compliant and practical at the local level. Because effectively, you cannot design anything for just one regulator. And what we do is design for cost and variation, also because very often there are changes. Certain jurisdictions are better at planning things. Other countries make announcements at the last moment, etc., and you need to be able to react and be ready so that the flow of goods continues uninterrupted.

Ann Johnson: That makes perfect sense. And like a lot of global organizations, trying to find that baseline governance standard that then you can just not have to modify continually but you have that, you know, high-level baseline that will apply across a lot of regulatory environments is something that we certainly find useful. So, your industry is obviously very physical. It's also digital. Where do you think that the biggest blind spots are emerging for an organization that really has to be dependent on both the physical and digital footprint?

Fabio Catassi: The biggest blind spot is the assumption that operational systems are isolated, because they are not. So especially now, modern vessels, terminals, are all connected to the environment. But they are often built on legacy technology that was frankly not designed for cyber threats. When you then add third parties, and the human factor, which of course in the security area is probably still the biggest unknown and uncertainty, this of course creates issues. And again, people think that vessels are air gapped or whatever, but today with satellite or whatever else, this is not a reality anymore. LEO satellites, for example, have brought high bandwidth, low latency to vessels. And that is great. It's great for crew welfare. It's great for constant monitoring, for environmental controls so that we can control in real time emissions or whatever else within the ships. But at the same time, now the vessel is wired and connected to the LEO satellite constellations, like any other digital asset that we have around the world.

Ann Johnson: That makes perfect sense to me. But thinking about, I was in Singapore last year. I spent a little bit of time there, and they were touring me through the port there. And you're probably familiar that their port has gone almost completely robotic and digital. They're certainly moving in that direction. And they were talking about how shipping has been a very targeted piece of infrastructure for a lot of nefarious actors, right? And how they think about cyber and resilience because of that, because of the volume that goes through that port and the volume of goods that go through that port. Can you also talk a little about how you're thinking about resilience versus security versus just prevention of having any type of attack or any type of system outage?

Fabio Catassi: So, incidents like the NotPetya attack were really eye-opening for the industry in their effects and consequences, etc. And then there were other incidents over the years that really showed how this is an area in which you cannot just rely on prevention. That is not enough. When you are in a globally connected ecosystem, resilience is essential, critical. First of all, you need to really be geared to have fast detection, containment, and recovery. So make no assumptions.

Ann Johnson: You're doing modernization right now at scale. So can you talk a little about that? You are well known for your leadership. So I want to talk a little bit about leadership and how you get the company on board when you're modernizing systems. There's of course risk in that. And you're also defending against modern threats.

Fabio Catassi: Well, first of all, let's say that we are standardizing data and processes globally, while our operation runs 24 by 7. There is never a holiday, never a night or a period where there is not something that is operating around the world. So from my perspective as a leader of this endeavor, it means that I always need to set clear architecture principles. So that's what we did when we started this process. And of course while the technology evolves, we keep reevaluating the technology we are using, the architecture, etc. But then everything that is related to security is embedded from day one. Because if you arrive at the end of the process or in the middle of the process and start to think about security, you are already too late and then you have a massive technical debt you need to readdress and you waste time, money and velocity in providing solutions to the business. So the biggest, one thing that I often do is to be the argin, to sometimes resist shortcuts, when maybe the business is really pressuring for something to be done super fast. And I have to make them see the fact that maybe we solve today's problem, but we create tomorrow's risks. And because of the culture that we have now established inside the organization and the great partnership we have with the business, they understand. And so that is how we keep progressing, but we do it in a way that is sustainable and safe for our organization.

Ann Johnson: That makes a lot of sense. And then you have to think about, and I know you think about this a lot because you're involved, you know, deeply in the planning, the sequence, right? How do you think about sequencing innovation when you're dealing with a global organization that's operating? I like to say, you know, we're building the plane as we're flying it. So you have a global organization that's operating. How do you sequence innovation so you minimize any new risk exposures?

Fabio Catassi: First of all, the analogy that I have used countless times is that we are running a marathon while we're doing a steeplechase, jumping around. And once in a while we have to do the 100-meter dash. So that is how I feel our operation as an IT transformation runs. And going to your question, we start with foundations. So identity, data governance, visibility. Before you start to scale, if you have this approach, then you can move incrementally. There are also the risks that you want to take. So you don't lack enthusiasm, especially when new technology breaks in, like the little revolution, or big revolution, we are having with AI. Of course, when we started there was immediately a lot of enthusiasm and I was one of the people that was enthusiastic about it. But we look at it with a clear eye saying, Okay, this is what we want to do. And this doesn't mean that this innovation is blocked, but we create our own gates of readiness so that when we move to the next phase, we have built the governance and the building blocks that allow us then ultimately to move faster, but without having issues and especially without breaking trust. Because there is nothing worse than implementing something rushed and then you have a problem, a security incident, etc. And then you expect the possibility to keep investing in that area just because you rushed things through and you didn't do all that needs to be done to lay solid foundations.

Ann Johnson: I think that makes a lot of sense, and it does lead me to ask you a little bit about AI. The modern world at some point in time is going to move towards AI. I think there are some industries that are moving more quickly, some industries are moving more slowly, but we're seeing a lot of global interest in how AI can improve productivity, how it can improve efficacy. There's different things in cybersecurity but also in just standard IT, but I want to talk about logistics for a moment because you are the world leaders in that. Where do you see AI can actually add real operational value with regard to maritime logistics?

Fabio Catassi: Well, there are a few areas like predetermined maintenance, anomaly detection, cargo visibility, operational optimization, efficiency, reduction of greenhouse emissions, documentation, security operations, etc., where AI has tremendous potential, and in some cases, it is already making a difference. Our approach is that AI, at least where it is today as a technology, is the most powerful where it augments humans. We truly believe that the human factor is still essential to the success of our business. But through AI, we have tools that help us see patterns earlier or act faster. And ultimately, even when we stay in a setup in which humans still take the decisions, they are able to do that in a way that is qualitative and timely, much faster than in the past.

Ann Johnson: I love that. I was reading, you're going to laugh, I was reading a fiction novel over the weekend. And one of the things that happens, it was a thriller, a global thriller. And one of the things that happens is they're looking for some missing cargo on a ship. And they realize that a different ship had too much weight. And somehow that was, you know, they could sense that automatically from some ports. And I'm like, Well, that's fascinating. It was, you know, they described this high-tech technology where they could do the exact weight and knew it had three extra containers on it.

Fabio Catassi: Well, it's fascinating. It probably is also a bit of fiction because when you look at some of today's largest vessels that we and some other competitors operate, they are able to carry 24,000 TEUs. So they are like three football fields combined. And so to be able to detect three containers out of that size and weight, it's really the next level of AI. Let's put it this way.

Ann Johnson: Well, I knew I was talking to you, so I was like, I wonder if AI could solve that, right? Anyway, what risks? So you're thinking about AI, how it can help you innovate. I'm sure your security team is thinking about AI, but what risks do you think about from AI adoption in your global infrastructure?

Fabio Catassi: First of all, over-automation without oversight, the concept of agents controlling agents, etc. That is an area where I think we are a little far from a moment where I would feel more comfortable having a stacked layer of AI agents independently operating. Then of course there are the evergreen problems that are then potentially compounded by AI, like poor data quality, or regulatory misalignment, etc. Ultimately, as we were saying earlier, in infrastructure, mistakes aren't just theoretical. And they can also affect safety, continuity, etc. So that's why I stress all the time that governance, human verification, and transparency matter to us much more than just the speed of execution.

Ann Johnson: I think that makes perfect sense. I mean, you have to maintain all of your, I'm using security loosely, not necessarily cybersecurity, but you have to maintain all of your security, your resilience, your systems, and slowly figure out where AI is going to add the most value with creating the least risk. Let's pivot just a second away from cyber for a moment. You have some globally distributed organizations. You have headquarters in Geneva, you have facilities, you know, a large facility in Warren, New Jersey. In this globally distributed organization, how much consistency do you drive or how much local autonomy do you allow?

Fabio Catassi: Well, you have to have global guardrails, guardrails of global governance, so that you have a consistent baseline of operation. But then this means that you can have the local teams with their own responsibilities and time connectivity, innovation that they want to bring up, whatever initiative they want, in a way that we feel is safer. And even outside of the global IT organization, in which we are quite structured, also inconsistent across the various technology sites that we have in India, in Italy, etc. But this is also very much true for our agency network. We have created, for example, in our cloud infrastructure, the security baseline, the way in which system deployment and monitoring, patching, etc., is globally managed and, more importantly, governed. But then they have the freedom to innovate and to add elements to their IT needs, systems, etc., with freedom from central headquarters. And that's a perfect situation because we have a very sustainable model where we don't create the fragmentation that, as you know much better than me, is the worst enemy that you can have from a cyber perspective. But at the same time, we are not stifling that local initiative and innovation.

Ann Johnson: I like that approach, because it's all about balance, and there are local nuances, as you know, but you also can drive. We drive local innovation that sometimes becomes global innovation, because the compelling solution was so great that they built in some remote part of the world that you'd never expect, right?

Fabio Catassi: Yeah. And if I may give you an example, we created in the AI area the AI champion community, and in every region we named an AI champion who comes from the business. They are not necessarily people with an IT background. Some of them are. Some others are of course technically savvy, but they are, let's say, more from the shipping business side of the house. In their specific areas, of course, they disseminate and evangelize the organization on the various AI tools that we have and what they can do or not do. But then they also create their own initiatives. And we started to build the regional agentic AI farms in which the various regions create their own agents. Then we created the repository where they can see what the agents do, the business objective, etc. And then the other regions can start to take advantage. And that is how we scale up, for example, in that area. So it's a model that we have also used in other areas of our IT transformation in the past. It works very, very well.

Ann Johnson: That's fantastic. And I'm glad you're so open to it. It's great to hear from a leader who isn't rigid that they must control or drive all innovation. So, you and I have a couple of things in common. One, I'm originally from the great state of New Jersey, and my mother's family was very Italian. But that aside, I also completed a dual major in political science and communication and started law school and chose to go into technology instead. I see that you completed a degree in classical languages and philosophy, attempted law school, and then also ended up in technology.

Fabio Catassi: Exactly.

Ann Johnson: But I think that background of not having, I don't have a technology degree. I think that background has really helped me think about problems a little bit differently. I'd love to understand how your philosophy training has influenced how you approach technology.

Fabio Catassi: First of all, it's beside the title of the subject, but when it comes to where I ended up in my career, I think that philosophy trains you to think in systems, ethics, long-term consequences, and that makes you able to abstract problems in a very different way. When you look at a solution, you are able to correlate many independent concepts much more easily. And also technology is never neutral. So it shapes behavior, shapes responsibilities. So I think that the classical background, the philosophy background, etc., has been helpful to me in my career when I am faced with problems, etc., to look not only at the practical solution, but also at the impact and the consequences of the choices that we were making through technology.

Ann Johnson: I think that's great. Do you think that studying philosophy also changes how you think about AI, responsible AI in particular?

Fabio Catassi: Well, yes, very much so, because this has been one of the biggest debates also at the beginning of this AI revolution with generative AI, etc. Normally, AI really raises questions of responsibility, agency, trust. So because I truly believe that humans must remain accountable, then you have to look at AI in that context, you know? So you need to be very, very careful in this area never to break trust. Because if you do, then you would have a permanent stain on the technology. And you've seen some of the things that are happening in the market, etc. They are sometimes giving a bad name to AI. But the problem there is not AI, it is maybe a not-really-responsible approach to how to implement and present this technology.

Ann Johnson: Makes perfect sense. I really appreciate you joining me. And as we conclude "Afternoon Cyber Tea", we always like to end on a note of optimism. So when you think about global critical infrastructure over the next decade, shipping, ports, logistics, what gives you optimism?

Fabio Catassi: Definitely that as an industry, we have learned hard lessons. We have adapted. Collaboration across all actors in the industry is improving. We are working with our competitors, with the authorities, with the customers, etc., on standardization. Governance overall is maturing and technology, especially AI, can make shipping safer and more resilient. So I think that the combination of all these things, when it's put in the hands of the people, really becomes an amazing opportunity to keep improving and make our planet better.

Ann Johnson: That's fantastic. Fabio, thank you so much for joining me on "Afternoon Cyber Tea".

Fabio Catassi: Thank you, Ann. It's really been truly a pleasure to have this opportunity. Thank you again for having me.

Ann Johnson: And many thanks to our listeners. Join us next time on "Afternoon Cyber Tea". [ Music ]