Cyberthreat Is Here to Stay!
Although the maritime industry has long been understood as a traditional industry, it is being transformed by digitalization and connectivity. This has created opportunities for growth as maritime operations can be improved by sharing information and involving all parties in the transport chain.
However, digitalization comes at a cost as everyone is exposed to the threat of a cyberattack. The shipping industry has emerged as an easy target because such attacks can affect navigation systems of vessels, cargo loading operations, services, ports and terminals, having far-reaching and damaging consequences.
World Maritime News spoke with Julian Clark, Global Head of Shipping at Hill Dickinson, a commercial international law firm headquartered in Liverpool, UK, in the wake of the cyberattack that shut down IT systems of Danish shipping giant Maersk, costing the company up to USD 300 million.
We wanted to find out whether the recent attack is being seen as a wake-up call for shipping companies, and whether they are aware of the existing threat.
“If a company as sophisticated as Maersk could be affected in such a dramatic way, requiring them to take two weeks to get all their systems back online, anyone and everyone is exposed. One of the largest issues that we have faced is the underreporting of cyber attacks. This has to change,” Clark said.
WMN: As vessels have started to increasingly depend on information technology, do you think that shipping companies take cybersecurity seriously? Are they ready to invest in counterstrategies?
Clark: I am sure if you asked them they would say yes, especially following the recent high-profile case involving Maersk, but the reality paints a different picture. A recent survey showed that 67% of cybersecurity officers said that cybersecurity was not a serious threat to them or their vessels, 91% of ships’ security officers said that they did not have the training, knowledge or skills to deal with cyber threats and 100% of IT heads of leading companies said that they provided no cyber training for their crews. Cost is a significant factor but the time has come where there needs to be a significant investment.
WMN: How does the maritime sector compare to other sectors in terms of cybersecurity? Is there any market segment (container shipping, LNG, offshore) particularly vulnerable to cyberattacks?
Clark: Other industry sectors are certainly further down the line and the maritime industry generally is behind the curve, although that is changing. I think sometimes there has been an attitude of, “it can’t happen to us” not least due to a false belief that it was hard to infiltrate vessel systems and that access points were limited.
However, the list of access points is pretty endless with exposure to communication systems, bridge systems, AIS, ECDIS, propulsion and machinery management, emissions and ballast controls, smart containers and crew welfare systems. There is no particular sector of the industry that is more exposed than any other. It’s the systems and access points that create the issues.
WMN: Who should play a key role in recognizing and combating cyber threats in the sector, industry bodies or?
Clark: It is a risk faced by the whole sector universally and a strategic and coordinated response is what is required. This risk is a real game changer and neither standard insurance coverage nor legal precedent has developed to assess and deal with the risks involved. Sooner or later there will be an incident which will eclipse the Maersk case. I only hope that far in advance of that, all of those involved in the sector will have actively cooperated to be ready for and know how to address both the risk and consequences.
WMN: How do you comment on the IMO’s recently adopted Resolution on Maritime Cyber Risk Management in Safety Management Systems as well as Guidelines on Maritime Cyber Risk Management?
Clark: Both this and the recent BIMCO guidelines are welcome developments. It is essential that we develop systems and drills to attend to the risk. Companies need to buy in at board level and top management leadership while at the same time ensuring that the entire personnel chain is aware of the issues. The guidelines and upcoming implementation into ISM will help to create real focus and attention as well as a true risk-based approach to the issues.
WMN: Do you see the necessity to include a cyber clause as “force majeure” in marine insurance contracts? Is it possible to do so, taking into account that nobody knows the extent and the consequences of a potential attack?
Clark: An incredible amount of work needs to be done on all forms of maritime contracts. While insurance coverage generally excludes cyber risk, issues arise as to whether the standard exclusions address the mod