The NotPetya cyber-attack of June 2017 affected some 2,000 organizations across 65 countries, causing estimated economic losses of $2.5 billion to $3 billion1 and exposing vulnerabilities in the marine supply chain. The virus led shipping group Maersk to suspend operations as it was forced to reinstall 4,000 servers, 45,000 computers and 2,500 applications, causing congestion at a number of ports worldwide and resulting in business losses in excess of $300 million2. The attack also disrupted operations at logistics company FedEx, resulting in $300 million in lost business and clean-up costs3.
According to Volker Dierks, Head of Marine Hull Underwriting, AGCS Central & Eastern Europe, such attacks have increased awareness of the potential for cyber business interruption losses and physical damage to vessels arising from a cyber-attack. As a result, shipping companies are now engaged in more detailed discussions with insurers about how to protect against cyber exposures.
“Three years ago operators saw ships as largely isolated from cyber risk but now they realize that their vessels and the logistics supply chain are all connected,” says Dierks.
This has seen increasing interest in insurance solutions, most notably for physical damage and business interruption cover for industrial control systems, as well as insurance cover for supply chain cyber exposures.
“There has been a significant increase in the awareness of the shipping industry as to the potential risks from cyber, be they malicious or accidental,” agrees Chris Turberville, Head of Marine Hull & Liabilities, UK, AGCS. “As the technology on board increases, so do the potential risks. Safeguards need to be introduced at the same rate as new systems. We cannot wait for more significant problems to occur before we react.” The shipping industry and regulators are now taking cyber security far more seriously. The International Association for Classification Societies (IACS) plans to publish guidelines covering cyber security practices in the shipping industry by the end of 2018. Last year, the IMO issued guidelines on maritime cyber risk
management and called for cyber risks to be addressed in existing safety management systems by 2021. According to Captain Rahul Khanna, Global Head of Marine Risk Consulting, AGCS this deadline is not soon enough: “The industry needs to take the initiative and address this much earlier than 2021.”
While the vessel safety management system (SMS) is the best platform for the cyber security program to reside on, the fact that cyber is a non-traditional maritime risk should not be overlooked, Captain Andrew Kinsey, Senior Marine Risk Consultant, AGCS, believes. Given the nature of this risk and the potential impact of the failure to adequately protect a vessel, a new approach is warranted.
“We cannot approach our procedures and auditing process the same way we do with the majority of our operational risks within the SMS. Merely having an SMS is not sufficient to prevent catastrophes,” says Kinsey. Robust training and auditing – including independent cyber-security audits to ensure procedures are adequate – and having dedicated personnel assigned to provide captains with effective guidance and procedures will be necessary, according to Kinsey.
Many shipping companies are already looking to improve cyber security on board their vessels. For example, some are reducing the threat posed by interconnectivity by separating IT systems for different functions, such as navigation, propulsion and loading. “Cyber security is a race without a finish,” adds Kinsey. “It is continually making inroads into the way we operate and manage vessels on a daily basis. The nature of ports and shipping lanes is such that the fate of one company can impact the fortunes of all.”
Much attention has been devoted to the introduction of the General Data Protection Regulation (GDPR) in May 2018, which enforces tougher data protection requirements on businesses across the European Union (EU). In the same month, a less well-known EU directive was introduced which also has significance for the maritime sector.
The EU Network and Information Security Directive (NIS) will necessitate “essential
services” providers, such as large ports and maritime transport services in the EU, to demonstrate that they have taken sufficient measures to manage cyber security risks. It also requires companies to report cyber incidents, including those that disrupt services. As with GDPR, the penalties for breaches of the new laws will be substantial. For example, the UK has announced it could impose sanctions of up to $22.6 million (£17 million) in fines if companies do not report serious breaches.
“The current lack of incident reporting masks the true picture when it comes to cyber risk in the marine industry,” says Khanna. “The NIS directive will help to change this and will bring more transparency around the scale of the problem.”
1. RMS, Centre for Risk Studies, University of Cambridge Judge Business School, Cyber Risk Outlook
2. Financial Times, Moller-Maersk Puts Cost Of Cyber-Attack At Up To $300m, August 2017
3. Bloomberg, FedEx Cuts Profit Forecast On $300m Hit From Cyber-Attack, September 2017