Cyber risks and the maritime industries: risk identification, mitigation and response

Maritime industries are becoming increasingly reliant on technology and the use of data. On the one hand, this represents a shift towards industries that are safer, more efficient and more profitable – prime examples being the increasing use of e-bills of lading and automated systems for the operation of container ports. However, this greater reliance on technology also brings with it a range of increased risks.

This article explores the scope of those risks, the potential exposures and the means by which those risks can be mitigated by maritime industries.

The scope of cyber risks

The threat is a real one, as demonstrated by a prominent example of a criminal hacking of a port, which occurred at the Port of Antwerp in 2011. In this case, hackers remotely accessed the Port’s network to identify containers in which they had hidden illegal goods, and removed the goods before they were searched by authorities. This was done by sending Trojans to the port’s staff, resulting in the port’s IT system being infected, as well as key logging devices being installed to capture the passwords of port employees. The criminal enterprise is thought to have continued for two years.

The maritime industries are also vulnerable to more generic types of cyber risk, such as economic cyber-crime. A recent example of this was the interception and redirection (through email infiltration and impersonation) of a multi-million dollar funds transfer from an owner to a shipbuilder. Other incidents involving the theft, misuse, loss or destruction of personal data (such as data belonging to employees or customers) can also lead to significant losses being incurred.

However, there are very few such examples and, to date, the maritime industries have not suffered many high-profile adverse cyber incidents. IBM’s 2015 Cyber Security Intelligence Index suggests that the majority of adverse cyber incidents happen within the finance and insurance, manufacturing, and information and communication industries, rather than in the shipping or logistics sector. This may be partly explained by the fact that maritime industries have been slower to embrace the use of technology and also that the business is rather ‘invisible’ to the general public - insufficient information is known about how the industry works for many hackers or criminals to invest their time. There are simpler and more rewarding targets.

Nevertheless, today’s reality is that the maritime industries now use vast quantities of electronically-stored and transmitted data and criminals will increasingly look to the sector. This leaves the industry vulnerable to a range of cyber risks. An obvious example is the threat posed by potential cyber-attacks on shipping or port infrastructure, such as an attack on an automated navigation or logistics system. This could involve the manipulation or destruction of data which could cause automated systems to malfunction or fail entirely - or expensive and valuable cargoes to be stolen. An attack of this nature can come about in a variety of ways – access to data can be gained by phishing attacks or by the opportunistic use of networks with inadequate security, as well as by more sophisticated hacking techniques.

The consequences of such an attack could be broad-ranging. For example, ship collisions could occur due to hacking of e-navigation and other systems, resulting in physical loss of or damage to ships, bodily injury to crew, loss of cargo, pollution and business interruption. Disruption to the port’s activities could also arise, leading to considerable business interruption losses for the port and those doing business in it.

An adverse cyber incident of this nature could affect all of the organisations that use a port’s infrastructure, including those who are not in a position to influence the port’s cyber-security or have a role in responding to the incident.

The many and varied costs of an adverse cyber incident

The costs and liabilities arising from an adverse cyber incident could be surprisingly broad and the scale of losses might be considerable, particularly if an incident were to cause damage to ships, port infrastructure or other physical assets.

In addition to losses caused by damage to, or destruction of, physical assets, considerable costs may need to be incurred in responding to an adverse cyber incident. For example, if the personal data of employees or customers is compromised, significant legal fees may need to be incurred in notifying the data protection regulator and the data subjects themselves as well as in defending legal proceedings. These costs are likely to increase in Europe due to the forthcoming reform of EU law in the shape of the new General Data Protection Regulation. This regulation is set to implement mandatory reporting of certain adverse cyber incidents to the relevant data privacy regulators. This is a particular issue for the cruise and ferry sectors. For example, claims may be brought by individuals under data privacy legislation or, depending on the jurisdiction, in tort for breach of a duty of care. In the UK, there is an expectation that claims of this nature are set to become more common due to recent legal developments. In the US, class-action law suits relating to data privacy are already commonplace. Claims against the boards of companies that suffer adverse cyber incidents, often brought by shareholders, are also on the rise – directors in these cases are often alleged to have breached their fiduciary duties by not preventing the incident in the first place.

The loss of commercially confidential data would involve a breach of typical service provider agreements. IT consultancy services are likely to be necessary to mitigate the effects of a breach, remediate IT systems and restore the confidence of customers and counterparties. Investment in IT infrastructure, cyber security and cyber risk education in the aftermath of an incident, could be expensive and time-consuming.

Preparation for and mitigation of cyber risk

There are a number of ways in which organisations in the maritime industries can prepare for adverse cyber incidents and mitigate the cyber risks that they are facing.

The first step is often to address the lack of understanding of cyber risks. Indeed, most adverse incidents come about because of:

• human error (e.g. an accidental loss of data),
• poor cyber-hygiene (e.g. a lack of encryption of devices), or
• poor risk awareness (e.g. an inability to spot a phishing scam).

This can be a particular issue in industries where a knowledge of cyber risks has not traditionally been required, which would include many maritime industries. Thorough training of boards and employees can make a considerable difference to the number of adverse cyber incidents that an organisation suffers.

An organisation’s cyber-security should also be thoroughly tested and constantly reviewed to ensure it is appropriate to the evolving nature of cyber risk that an organisation is facing.

Co-dependency of organisations in the maritime industries is a key issue. If an organisation manages its own cyber risks well, it still remains at risk if its counterparties or service providers do not. This type of risk was evident in the recent high-profile data breaches affecting retailers in the US, where the source of the issue was found to be poor cyber-security on the part of third party suppliers, which eventually allowed hackers to infiltrate the retailers’ networks. Detailed cyber due diligence should therefore be carried out on all counterparties and service providers. Port community user groups could also be used as a vehicle to improve all organisations’ commitment to cyber risk management.

1. Cyber incident report plan
   
   Organisations should also prepare and implement a detailed cyber incident response plan, in order to ensure that an adverse cyber incident can be dealt with swiftly and effectively. This can significantly mitigate the impact of an incident. An effective plan should be comprehensive, covering every aspect of the incident; from detection and containment through to evaluating the implications, notifying the relevant parties to the extent necessary and finally taking remedial steps to ensure further incidents do not occur in future.
   
   
2. Cyber insurance
   
   Cyber risk management can also be aided by the effective use of cyber insurance. Traditional insurance products taken out by organisations that are active in the maritime industries may cover some losses arising out of cyber risks – for example, some cover may be provided under general liability policies for bodily injury and property damage policies may cover damage to physical property – but these products are unlikely to cover all of the cyber risks that an organisation is facing. In addition, other traditional insurance products are likely specifically to exclude cover for loss arising out of cyber risk – marine hull insurance policies are a good example of this. Cyber insurance can, therefore, be used to “plug the gaps” in cover which traditional insurance products leave behind, providing cover for a range of first-party and third-party losses that might arise as a result of an adverse cyber incident. These policies usually also provide the insured with a suite of services to mitigate the impact of adverse cyber incidents, including cover for the costs of legal advice, PR, crisis management, forensics and security specialists as well as asset rectification costs, cyber business interruption costs and cyber extortion cover. The cyber insurance market is growing in a number of regions, not least in Europe.

Conclusion

Cyber risk is increasing in all sectors and the maritime industries are not immune to this trend. While the risk can be mitigated, the extent of an organisation’s ultimate exposure will very much depend on the readiness and determination of an organisation’s management to deal with this threat. Readiness includes investment in security and precautions, training, comprehensive incident response procedures and insurance.