In the wake of the Petya cyber-attack, which disrupted a host of industries around the world, including the shipping sector, Captain Rahul Khanna (RK), Global Head of Marine Risk Consulting, AGCS, Captain Andrew Kinsey (AK), Senior Marine Risk Consultant, AGCS and Emy Donavan (ED), Global Head of Cyber, AGCS discuss the growing threat cyber risk poses to the maritime sector and what companies can do about it.
How much of a threat is cyber risk to the shipping sector? Which parts of the industry are exposed?
AK: The digital era is opening up new possibilities for the maritime industry but its growing reliance on computer and software and increasing interconnectivity within the sector, also makes it highly vulnerable to cyber incidents. The shore-based offices of shipping companies are often the target of hackers. However, cyber poses a threat to all parts of the shipping sector, as recent examples testify (see box). The risk of an attack or incident occurring is significant but ship-owners are often reluctant to share information for fear of being identified. This is a big problem and there are efforts underway to form an anonymous incident reporting platform.
Other common vulnerabilities include: lack of awareness, ineffective policies and procedures and an undeveloped cyber risk management culture. To date, the vast majority of attacks have been aimed at breaching corporate security, resulting in loss of critical data, financial loss or IT problems, rather than taking control of a vessel itself. In addition to this threat, it is estimated that as many as 80% of offshore security breaches could be the result of human error.
How would you describe the awareness of the shipping industry when it comes to cyber risk?
RK: The good news is that there is a growing awareness about the risk of maritime cyber-attacks. However, the sector as a whole still doesn’t have a particularly heightened risk awareness. As no major incident involving a vessel has been reported to date, many in the industry remain complacent about the risks involved, with cyber incidents largely regarded as onshore affairs, even though the number of incidents impacting the shipping industry has been increasing in recent years.
A changing geopolitical scenario could transpose cyber risk into a real threat and if cyber risks are not appropriately addressed, it is only a matter of time before the maritime sector suffers a major cyber-attack on a vessel. The potential for a cyber disruption or a cyber-attack could catastrophically impact the safe navigation of a vessel, both in terms of its position and in terms of its stability and cargo operations. Just imagine if hackers were able to take control of a large container ship on a strategically-important route. They could block transits for a long period of time, causing significant economic damage
What should shipping companies do to best mitigate cyber risk. How can they best protect themselves?
AK: There are a growing number of resources available to help mariners learn about common vulnerabilities. Just one example is the internationally-recognized United States Maritime Resource Center, which assists the industry in cyber awareness, safety and security through evidence-based research.
Then there are an increasing number of cyber security guidelines which can be followed. Last year, the United Nations’ global shipping regulator, the International Maritime Organization (IMO), approved interim guidelines on maritime cyber risk management, which provide high level recommendations on cyber security (see below). Meanwhile, guidelines have also been issued by other important organizations such as BIMCO, CLIA, Intercargo and Intertanko.
There are standard practices that can be implemented to reduce cyber risk, such as defining personnel roles and responsibilities for cyber risk management and identifying the systems, assets and data that, when disrupted, pose risks to ship operations. Ship-owners also need to implement risk control processes and contingency planning, developing and implementing activities necessary to quickly detect a cyber event. Identifying measures to back up and restore cyber systems impacted by a cyber event is obviously crucial.
These are challenging times for the shipping industry. Budgets are tight and there is pressure to delay maintenance and reduce crew levels and training. However, IT security cannot be put on the backburner. It is vital that investment in cyber risk education and security is not neglected at this time, despite economic pressures, as this risk has the potential to have catastrophic consequences, given the right confluence of events.
What role can regulation play?
RK: Earlier this month (June 16) the IMO made the decision to incorporate cyber risk management on a more permanent footing with the adoption of cyber risk management requirements into the International Safety Management Code (ISM Code). Owners will need to comply with this by the start of 2021 and this means that there will now be a lot of impetus on ship-owners to create a concrete cyber risk management plan. The largely self-regulated tanker industry is expected to take such steps much before 2021. Many companies are looking at employing a cyber risk officer, with part of the role being to carry out regular stress testing.
How does cyber risk insurance work in the maritime sector? What is covered?
ED: Typically, hull policies would exclude coverage against cyber-attack or any loss arising from a malicious act involving the use of a computer system. Shippers would be encouraged to purchase standalone cyber insurance coverage. Most of the risks for shippers would be similar in nature to other non-marine businesses (ransomware, hacker / privacy breach, etc). In general, marine, as well as general liability (GL) and property, policies expressly exclude cyber. We absolutely recommend that shippers, like other businesses, purchase a standalone cyber policy for these types of risks.