Cyberthreat Is Here to Stay!
Although the maritime industry has long been understood as a traditional industry, it is being transformed by digitalization and connectivity. This has created opportunities for growth as maritime operations can be improved by sharing information and involving all parties in the transport chain.
However, digitalization comes at a cost as everyone is exposed to the threat of a cyberattack. The shipping industry has emerged as an easy target because such attacks can affect navigation systems of vessels, cargo loading operations, services, ports and terminals, having far-reaching and damaging consequences.
World Maritime News spoke with Julian Clark, Global Head of Shipping at Hill Dickinson, a commercial international law firm headquartered in Liverpool, UK, in the wake of the cyberattack that shut down IT systems of Danish shipping giant Maersk, costing the company up to USD 300 million.
We wanted to find out whether the recent attack is being seen as a wake-up call for shipping companies, and whether they are aware of the existing threat.
“If a company as sophisticated as Maersk could be affected in such a dramatic way, requiring them to take two weeks to get all their systems back online, anyone and everyone is exposed. One of the largest issues that we have faced is the underreporting of cyber attacks. This has to change,” Clark said.
WMN: As vessels have started to increasingly depend on information technology, do you think that shipping companies take cybersecurity seriously? Are they ready to invest in counterstrategies?
Clark: I am sure if you asked them they would say yes, especially following the recent high-profile case involving Maersk, but the reality paints a different picture. A recent survey showed that 67% of cybersecurity officers said that cybersecurity was not a serious threat to them or their vessels, 91% of ships’ security officers said that they did not have the training, knowledge or skills to deal with cyber threats and 100% of IT heads of leading companies said that they provided no cyber training for their crews. Cost is a significant factor but the time has come where there needs to be a significant investment.
WMN: How does the maritime sector compare to other sectors in terms of cybersecurity? Is there any market segment (container shipping, LNG, offshore) particularly vulnerable to cyberattacks?
Clark: Other industry sectors are certainly further down the line and the maritime industry generally is behind the curve, although that is changing. I think sometimes there has been an attitude of, “it can’t happen to us” not least due to a false belief that it was hard to infiltrate vessel systems and that access points were limited.
However, the list of access points is pretty endless with exposure to communication systems, bridge systems, AIS, ECDIS, propulsion and machinery management, emissions and ballast controls, smart containers and crew welfare systems. There is no particular sector of the industry that is more exposed than any other. It’s the systems and access points that create the issues.
WMN: Who should play a key role in recognizing and combating cyber threats in the sector, industry bodies or?
Clark: It is a risk faced by the whole sector universally and a strategic and coordinated response is what is required. This risk is a real game changer and neither standard insurance coverage nor legal precedent has developed to assess and deal with the risks involved. Sooner or later there will be an incident which will eclipse the Maersk case. I only hope that far in advance of that, all of those involved in the sector will have actively cooperated to be ready for and know how to address both the risk and consequences.
WMN: How do you comment on the IMO’s recently adopted Resolution on Maritime Cyber Risk Management in Safety Management Systems as well as Guidelines on Maritime Cyber Risk Management?
Clark: Both this and the recent BIMCO guidelines are welcome developments. It is essential that we develop systems and drills to attend to the risk. Companies need to buy in at board level and top management leadership while at the same time ensuring that the entire personnel chain is aware of the issues. The guidelines and upcoming implementation into ISM will help to create real focus and attention as well as a true risk-based approach to the issues.
WMN: Do you see the necessity to include a cyber clause as “force majeure” in marine insurance contracts? Is it possible to do so, taking into account that nobody knows the extent and the consequences of a potential attack?
Clark: An incredible amount of work needs to be done on all forms of maritime contracts. While insurance coverage generally excludes cyber risk, issues arise as to whether the standard exclusions address the modern risk.
For example, several exclusions require an intent to harm and the effect of a computer virus and yet we have seen significant incidents where there has not been a clear intent to harm but an infiltration which would be better described as a “prank” - albeit one with serious consequences.
Also, the use of ransom and malware does not properly fall within the definition of a computer virus. It certainly doesn’t cover the risk and loss attached to phishing, SMS phishing and social media attacks. Very recently a senior insurance executive commented that the coverage available needed to be raised by 10 times the current levels available.
Returning to the legal sector, there is a real risk that deficiencies in anti-viral software and security systems could render a ship unseaworthy. Currently, maritime contracts simply do not address the myriad of issues with any real degree of clarity or certainty.
WMN: Could cyberattacks become a new trend adopted by pirates – hackers getting access to a vessel’s itinerary, choosing vessels with the most valuable cargo when planning the attack? Could we see more collisions or even ships being sunk as a result of cyberattacks especially with the imminent introduction of autonomous ships?
Clark: Absolutely. We have already seen incidents of pirates accessing manifests in order to target high-value cargo. There has also been commentary suggesting that pirates were able to access the schematics of citadel construction in order to defeat this form of antipiracy measure.
The possibility to imitate AIS and GPS data is real and examples have been provided to show how an ECDIS system can be hacked which could easily result in a significant collision, grounding or another major incident.
The potential for cyberterrorism at sea is simply terrifying. The risk will increase with the introduction of autonomous shipping, albeit one hopes that such ships will have the most sophisticated and up-to-date protections in place. However, the risk also exists at a much more down-to-earth level – imagine how a disgruntled seafarer may now seek to take action against an ex-employer before he leaves his final ship?
WMN: How do we resolve the issue of accountability seeing that it is very difficult to trace the culprits for such attacks?
Clark: In the same way that we saw a coordinated international response to the issues and danger to shipping as a result of the increase in piracy activity in the Gulf of Aden, we need a similar coordinated international response to cyber risk. Only with a legal framework that is internationally recognized and enforced will we properly be able to police this particular risk. It will be essential to bring on board those industry sectors which are at the forefront of IT and AI technology and development.
WMN: In conclusion, which direction do you see this issue taking when it comes to the maritime sector?
Clark: Greater focus, increased risk, further high-profile incidents, industry reaction. It is inconceivable that this issue will go away. The development of technology and particularly AI is now occurring at such a rate that it is constantly outpacing the hitherto protections which would have been put in place and tested well in advance. The sector, including the operators, traders, legal and insurance professionals, are all playing catch up. The engagement of expert maritime cyber professionals is an excellent development but the pool of talent is extremely restricted.
The excellent progress made by the IMO and BIMCO is a welcome start but what is now required is across the board industry buy-in, together with the development and implementation of maritime documentation (both legal and insurance) which properly addresses cyber risk. We can expect to see experts in the field being retained on a regular basis in order to carry out proper emergency drills and risk assessments across all aspects of the operation both sea and shore-based.