The maritime and broader logistics industries have, until recently, been viewed as relatively “low risk” from a cyber threat perspective in comparison to the finance, insurance and manufacturing industries, due in part to their cautious adoption of technology. As in many other industries, however, organisations within the maritime sector are increasingly becoming “digitised” as technological solutions improve efficiencies.
Integrated digital systems are now revolutionising the way in which mobile assets (vessels, containers and offshore platforms) operate and interact while at sea, as well as the way they interact with fixed assets (port infrastructure and fixed pipelines) on land. The culmination of this revolution is embodied by plans to launch fully autonomous vessels within the next 12 months. Today’s reality is that maritime industries use vast quantities of electronically stored and transmitted data and, because of this, cyber criminals will increasingly view the sector as a lucrative target.
There have been a number of high-profile attacks that demonstrate the potential for disruption to the maritime sector as a result of cyber attacks. In June 2017, a container ship operator was hit by a malware attack that forced the company to suspend bookings on its online platform for six days. The company’s port terminal operator was also subjected to a ransomware attack which encrypted the hard drives of computers at more than 15 terminals across the US, Asia and Europe, forcing the company to re-route a number of its ships away from their original destination ports. The company estimated that the attack likely cost it US$300 million in lost revenue.
Similarly, from 2011 hackers remotely accessed the Port of Antwerp’s network by sending “Trojan Horse” malware (malicious programs disguised as legitimate software) to the port’s staff. This resulted in the port’s IT systems being infected and, once that remote access had been cut off, in key-logging devices being physically fitted to port computers to capture the passwords of port employees. The criminal enterprise then used its access to the port’s systems to locate the containers in which it had hidden illicit goods, so that they could be removed before the authorities found them. The compromise of the port’s systems remained undetected for two years.
Although the two examples above demonstrate the current “reality” of the cyber threat, they by no means capture the full potential of the disruption that cyber risk could inflict on the industry at large. Increasingly, the implications of any cyber attack extend well beyond the single asset that may be subject to operational compromise. There is growing concern over what “could” happen if hackers were able to compromise the Automatic Identification System (AIS) or GPS receivers of a vessel, as the resulting collisions and/or wreckage could lead to devastating financial, environmental and operational consequences. The concern is not purely theoretical: AIS position reports are broadcast over VHF without encryption or authentication, and civilian GPS signals are likewise unauthenticated, so spoofed or jammed navigational data is a credible threat. These risks would be particularly pronounced in areas of strategic importance to the industry, such as the Panama and Suez canals, or along other congested shipping routes such as the Strait of Malacca or the English Channel. These areas of operation also happen to be the most vulnerable to (and most attractive for) politically motivated cyber attacks.
Given that roughly 90 per cent of world trade is transported by sea, shipping and container operators are particularly vulnerable to ransomware attacks that encrypt key operational systems both onshore and offshore and impair their ability to deliver goods on time, or to unload goods at the destination port. The recent attacks noted above should serve as a warning.
What both the real-life examples and the scenarios outlined above demonstrate is the co-dependency of organisations across maritime industries. A cyber vulnerability in one vessel, or in the IT systems of one port service provider, could expose many others in the industry to significant operational risk. As such, risk can only truly be minimised by a concerted effort across the industry as a whole to raise cyber security standards.
Defining the cost
As maritime assets increase in size and adopt the latest technologies, the scale of the risk and liabilities arising from an adverse cyber incident grows ever larger, ranging from the payment of contractual penalties for late delivery of goods to the full capital cost of one, if not multiple, vessels and their contents should a “worst case scenario” materialise. In addition to the losses caused by operational impairment or damage to physical assets, considerable costs may also be incurred in responding to an adverse cyber incident. These extend beyond the obvious costs of investing in IT infrastructure, cyber security and cyber risk education in the aftermath of an incident.
From a regulatory perspective, there has been an increased emphasis on the need for businesses to protect “personal data”. Although businesses in the maritime industry generally hold smaller quantities of personal data than those in other industries, such as financial institutions, they are likely to hold personal data relating to employees and (in the case of the cruise industry) passengers. The business cost of non-compliance with regulatory obligations is set to increase in Europe when the EU General Data Protection Regulation (GDPR) applies from 25 May 2018. The GDPR obliges organisations to report personal data breaches to the relevant data protection regulator without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk to those individuals is high, the data subjects themselves must also be informed. As a result, businesses could face significant legal fees relating to notifying the regulator and the data subjects following an adverse cyber incident, in addition to the potential costs of defending legal proceedings if the breach suffered is deemed to have been avoidable. The GDPR also empowers regulators to levy fines of up to €20 million or 4 per cent of a company’s annual global turnover, whichever is higher, against businesses that do not implement sufficient policies and procedures to protect personal data.
Class-action lawsuits relating to data privacy are already commonplace in the US. Increasingly, shareholder derivative claims are being brought against the boards of companies that suffer adverse cyber incidents, with allegations that directors in these cases breached their fiduciary duties to the company by not preventing the incident in the first place. In the UK, there is an expectation that claims of this nature are also set to rise as shareholders look to attribute accountability for cyber risk. From a contractual perspective, the loss of commercially confidential data would also be likely to involve a breach of standard form service provider agreements, and the enforcement of contractual damages arising from such breaches could be material.
Although the mass adoption of technology is largely responsible for the maritime industries’ exposure to cyber attack, human error and a lack of human oversight remain key contributors to the realisation of adverse cyber incidents. Key factors that increase the vulnerability of an organisation to cyber threats include:
- basic human error, such as the accidental loss of passwords or of USB drives containing data;
- poor “cyber hygiene”, such as unencrypted data and devices, outdated firewalls, or no segregation between crew Wi-Fi and the ship’s operational network which, for example, may allow a crew member’s personal computer to spread malware to the ship’s systems; and
- poor risk awareness, such as insufficient IT security training which, for example, could leave crew members and management vulnerable to “phishing” emails.
Given that the industry is broadly classed as a “slow adopter” of technology, the need to “educate” employees at all levels of the business is even more pronounced. It is also essential that organisations prepare and implement a detailed cyber incident response plan, and that this plan is regularly reviewed and exercised, to ensure that it remains robust in a continually developing threat landscape. An effective plan should be comprehensive, covering every aspect of the incident from detection and containment through to evaluating the implications, notifying the relevant parties to the extent necessary and, finally, taking remedial steps to ensure that further incidents do not occur in future.
Increasingly, regulatory responsibility for the cyber health of an organisation rests with the board, and directors will ultimately be forced to make the tough choices that arise out of a cyber incident, such as when, or whether, to notify the regulator, or whether to pay a ransom. These decisions should be planned for at board level in advance, not improvised for the first time in the middle of an attack.
Cyber risk management can also be strengthened by the effective procurement of cyber insurance. While a number of traditional insurance products do provide cover over some of the losses associated with cyber risk in the maritime sector, for example general liability policies providing cover for bodily injury, such products are unlikely to provide comprehensive cover over all of an organisation’s cyber liabilities. Indeed, a number of standard form industry policies, for example marine hull insurance, may contain exclusions for loss arising from a cyber breach. The resulting coverage position in respect of cyber risk from traditional insurance offerings alone is, therefore, often less than comprehensive. Bespoke cyber insurance policies not only provide cover for those risks that would have otherwise fallen between the gaps of traditional insurance offerings, but also help to contain the costs associated with responding to an adverse cyber incident, such as the cost implications of appointing lawyers, forensic experts and PR consultants. Certain policies even provide cover for asset rectification costs and business interruption.
Cyber risk within the maritime sector can be effectively managed, but the most effective solution will only be realised if the risk is properly recognised and the potential scale of the cyber threat is appreciated across the industry. Organisations looking to mitigate risk should look to invest in their cyber health and insurance policies to face the financial and operational risks as effectively as possible.
© 2017 Informa plc. This article first appeared in Maritime Risk International, October 2017, http://www.maritime-risk-intl.com/security/time-to-take-stock-of-cyber-risks-126719.htm