Skip to main content
Article

Navigating cyber risk in the shipping industry

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)|Marine
N/A

By Ben Abraham and Andrew Hill | April 24, 2020

As the global shipping industry navigates a changing risk landscape, shipowners may need to consider a broader strategy to mitigate against cyber risk.

NotPetya illustrated that no industry sector is beyond the reach of a cyber-attack, and any organisation can end up as collateral damage.

It might be said that the marine sector is a relative latecomer to an event nobody wants an invitation to, the cyber-attack (although under-reporting rather than good fortune might explain this). Back in 2017, the cyber-attack, dubbed ‘NotPetya’1, affected a vast number of organisations, including Maersk, causing significant financial loss. Maersk was not the intended target of the attack - they just happened to be using a version of Microsoft Windows the malware was designed to exploit. NotPetya illustrated that no industry sector is beyond the reach of a cyber-attack, and any organisation can end up as collateral damage.

That we are witnessing an increase in cyber incidents affecting the maritime sector is hardly surprisingly given the greater reliance on technology for both onshore and offshore operations. As smart ship solutions continue to reshape the marine industry, greater exposure to cyber risk is surely an inevitable side effect.

What are the cyber threats?

Cyber risk can broadly be categorised as two types of threat: malicious acts (i.e. cyber-attacks designed to breach the security of computer systems) and non-malicious acts (e.g. an employee sending sensitive information to an incorrect recipient). These threats can also cross over, for example, the employee who inserts a memory stick containing (unbeknown to them) malware into a computer. While cyber-attacks continue to take the lion’s share of cyber risk publicity, the reality is that employees making mistakes remain the most significant source of cyber threat for any organisation. The power of an individual’s curiosity to click on a link they shouldn’t remains potent, which seems likely to continue as phishing scams become ever more sophisticated (rest in peace the Nigerian lottery winner scam).

How is cyber risk affecting the maritime sector?

A recent example illustrating the toxic combination of malware and employees failing to observe basic cyber security principles occurred in July 2019, when the US Coast Guard issued a safety alert2 following a cyber incident which had completely debilitated the computer systems of a large container ship bound for New York. Neither those working onboard, nor those working onshore, were able to rectify the problem. A team of specialists were therefore dispatched by the US Coast Guard to board the vessel prior to docking.

The resultant investigation by the Coast Guard, in conjunction with the FBI, concluded that: (1) the ship’s computer system did not contain any antivirus software; (2) the crew had common login details; and (3) portable data storage devices were routinely plugged into the ship’s computer system without any screening.

Contact Us

The absence of the most basic cyber security measures could easily be exploited by any moderately sophisticated threat actor.

Whilst the impact stemming from the security intrusion onboard the vessel appears to have been limited, what is clear, however, is that the consequences of the incident could have been much worse. The absence of the most basic cyber security measures could easily be exploited by any moderately sophisticated threat actor intent on causing harm by accessing the vessel’s control and monitoring systems.

Whether this incident of poor cyber security represents an isolated occurrence or is indicative of a sector that, until relatively recently, arguably considered itself outside the margins of cyber risk is unclear (although Jason Tama, captain of the Port of New York was quoted as saying what was discovered on the vessel was “not anomalous”).

Supply chain cyber risk

Owing to the interconnectivity of technology, a shipowner cannot only be concerned about the cyber security of their own operations. In line with most other sectors, organisations operating within the maritime industry will invariably be reliant to some degree on technology provided by third parties. In most, if not all cases, the shipowner has no control over the cyber security of those service providers.

It follows that, even if the shipowner has studiously embedded cyber security best practice across their organisation, they are still reliant to some degree on key technology service providers doing the same to minimise their own cyber risk. The unavailability of those technology services due to a cyber incident can have a significant impact on organisations which rely upon such services to fulfil their own operations.

GPS spoofing and jamming – a new cyber risk on the horizon?

A trend that has recently emerged (or is just being more widely reported) in the maritime space is satellite communication interference, more commonly referred to as ‘GPS spoofing’ and ‘GPS jamming’. It is essential for the ship’s officer to know the vessel’s position and speed. This is even more critical as the vessel departs and arrives in port. In the absence of navigation satellite systems, the ship’s master can of course revert to paper maps. In the cover of darkness, however, satellite positioning technology becomes essential.

There have been multiple documented incidents of GPS spoofing and GPS jamming, particularly in waters within the proximity of conflict zones.

Over the last three years there have been multiple documented incidents of GPS spoofing and GPS jamming, particularly in waters within the proximity of conflict zones. In 2017, for example, the captains of several vessels operating in the Black Sea reported that their GPS was placing them at an airport 25 miles inland of Russia3. More recently, in July 2019, the master of a vessel attempting to dock at Shanghai Port, could see on his Electronic Chart Display another ship in the channel which was disappearing and then reappearing4. Later, as the master was taking his vessel into the river, the GPS signal was only intermittently available. He suspected GPS jamming activity.

With no end in sight for the political instability that appears to be a key driver for this type of threat, the risk poses potentially dangerous consequences and significant financial implications for shipowners. Training the crew to utilise alternative navigation methods and the use of anti-jamming devices can help mitigate the risk, although not eradicate it altogether.

A new cyber security regulatory regime for shipowners

It has been received wisdom for some time that the maritime sector is not immune to the threats associated with cyber risk. The real-life events that have unfolded in recent years (and these are just the reported ones) demonstrate this. No doubt, cognisant of this, the International Maritime Organisation (IMO) issued a resolution back in 2017 requiring that cyber risks are appropriately addressed in existing safety management system ahead of the first inspection by ISM auditors after 1 January 2021. The IMO’s guidelines mean that inactivity can no longer be an option5.

While the Network and Information Systems Directive (EU) 2016/1148 (the NIS Directive)6 didn’t quite receive the build-up and fanfare garnered upon the General Data Protection Regulation (EU) 2016/6797, the implications of this piece of legislation for shipowners that offer services to the EU should not be overlooked. While each EU Member State has their own implementing legislation for the NIS Directive (and therefore subject to some variances), all such implementing legislation is required to apply to “Inland, sea and coastal passenger and freight water transport companies” subject to specific threshold criteria laid down by each Member State.

In essence, the duties imposed upon shipowners captured by the applicable legislation in the Member State where they have their ‘main establishment’’8 include (1) a requirement to take appropriate and proportionate measures to ensure the security of network and information systems and (2) the duty to notify [the designated competent authority] of security incidents. Sanctions for non-compliance vary from one Member State to another but, in the United Kingdom, by way of example, competent authorities have the power to levy fines of up £17m for the most serious breaches9.

Mitigating cyber risk

To help mitigate against cyber risk, an ability to identify the risk and manage it effectively should be embedded across all aspects of a shipowner’s operations, whether it be technology risk or people risk (both onshore and at sea). It is recognised there is a cost associated with implementing cyber security measures to counteract cyber risk. There may be occasions where the existence of cyber risk is acknowledged but the cost of remediating that risk is considered too great. How such decisions will be perceived through the lens of the increased cyber security regulatory framework remains to be seen.

While managing technology and people risk is accepted as an effective front-line defence against cyber threats, residual risk can never be eliminated altogether. It is incumbent upon the insurance industry to create solutions that not only reflect the current risk environment, but also respond to how such risks actually impact a particular business sector.

CyNav is a brand-new, innovative solution developed in-house by Cyber and Marine coverage specialists at Willis Towers Watson to address both cyber threats in their broadest sense and those unique to the shipping sector (e.g. satellite interference and regulatory detainment business interruption). CyNav’s primary focus is on supporting business continuity and assisting shipowners with resuming normal operations as a soon as possible following a cyber incident.


Footnotes

1 Financial Times, August 2017. Moller-Maersk puts cost of cyber attack at up to $300m. https://www.ft.com/content/a44ede7c-825f-11e7-a4ce-15b2513cb3ff

2 The Wall Street Journal, July 2019. Coast Guard Details February Cyberattack on Ship. https://www.wsj.com/articles/coast-guard-details-february-cyberattack-on-ship-11564133401

3 The Maritime Executive, September 2017. GPS Spoofing Patterns Discovered. https://www.maritime-executive.com/article/gps-spoofing-patterns-discovered

4 The Maritime Executive, August 2019. GPS Jamming and Spoofing Reported at Port of Shanghai. https://www.maritime-executive.com/editorials/gps-jamming-and-spoofing-at-port-of-shanghai

5 International Maritime Organisation (IMO). Maritime cyber risk. http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Pages/Cyber-security.aspx

6 Directive (EU) 2016/1148. Security of network and information systems. http://www.legislation.gov.uk/eudr/2016/1148/annex/ii

7 Regulation (EU) 2016/679. General Data Protection Regulation. http://www.legislation.gov.uk/eur/2016/679/contents

8 Directive (EU) 2016/1148 of the European Parliament and of the Council. Recital 64 of the Directive. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC

9 The Network and Information Systems Regulations 2018. http://www.legislation.gov.uk/uksi/2018/506/made

Authors


Associate Director - Product Innovation/Complex Claims Counsel