Technology trust is a good thing, but control is a better one.
Business is growing as fast as the internet, and extensive, complex networks allow industry to be exploited. Modern shipping companies facing cyber risks are finding insurance cover inadequate to protect them from cyber-attacks. Cyber risk has lately increased to such an extent that a reasonable amount of effort, money and human capital is being put into minimising the risk threatening various industries.
Cyber risk management in a company can help it understand how much insurance cover is required. In the past half century, the cyber security world and the IT world, as they are popularly known, have merged to become one. This problem is going to increase every year, given our dependency on the cyber world. Cyber practices have grown in the trade industry, and it is high time that the insurers and the industry acknowledged this problem at large.
The corporate culture of today cannot have a fixed set of insurance policies for cyber security; instead, the policy-making system should be flexible enough to adapt to new emerging risks in the cyber sector.
Cyber Attack – How?
Maritime companies are now adapting their operations to a digital world and are therefore becoming more and more vulnerable to cyber risk; these threats will keep growing if no security measures are taken against them. As cyber security develops, hackers become more innovative and creative over time and expand the areas in which they operate.
For example, a ship can be delayed by a virus attack or cyber-attack on its Electronic Chart Display and Information System (ECDIS). This electronic information system, which helps in the navigation of a vessel, gets disrupted and the source of the attack goes unrecognised. Considering the huge variation in the types of vessels, cyber-attacks can also come in different forms.
The growing dependence on IT is increasing the risk of consequences, and these risks lie not only in the ship's systems but also extend to shipping industry establishments based ashore (such as ports, company management offices, trading houses etc.), which are in regular communication with each other and with the ships sailing out at sea.
A threat can arise in two ways: either someone is deliberately trying to harm the cyber system of the company, or the threat is accidentally downloaded in the form of malware by an insider who lacks training.
Categories of Cyber Attack
Since 90% of world trade is still carried out by sea, there are two categories of cyber-attack which may affect ships and ship-owning companies:
- Firstly, untargeted attacks, where a company or a ship’s systems and data are one of many potential targets. These include malware, social engineering, phishing, scanning etc.
- Secondly, targeted attacks, where a company or a ship’s systems and data are the intended target. These include “brute force”, a kind of password-guessing method, and “denial of service”, where multiple computers are taken into control.
Another way the maritime industry may be affected, and one that is becoming a global concern, is when a shipping conglomerate is hacked by pirates. Their first move is to find the vessel carrying the particular cargo they plan to seize. The precision of the operation is described in a report on the case by the cyber-security team at telecoms company Verizon, which explains that the pirates, after they board the vessel, use the barcode to locate the specific crate containing valuables and then steal that crate.
Ships, which are becoming increasingly computerised, are mostly vulnerable to malware (software designed to damage or gain unauthorised access to a computer). This includes ‘NotPetya’ (a virus) and many other similar strains designed to spread from computer to computer on a network, which means that connected devices on board ships are also potentially vulnerable.
Cyber Safe – At Sea
Cyber safety can be maintained or can be compromised based on two issues: i) Cyber Awareness and ii) Network systems.
Cyber risk is much more than just IT; everyone has a role to play in the cyber security process. While we are creating new ways of protecting systems from online risks, we need to consider the other ways in which crew members working on board can invite threats. On-board personnel communicating with other authorities on board can reveal important information which can be used by anybody who wants to get inside the business. Since internet access is provided on board, it is easily available to all the crew members.
A ship’s crew is trained to protect the ship from physical threats but not cyber threats. Clicking on an unsecured link, keeping similar passwords, not validating old emails, attaching an unsafe USB drive to a computer on board etc. are a few examples of human error. The workforce has to be trained and educated, as the crew are the ones communicating between the ship and the onshore authorities.
Internet connectivity can also increase the vulnerability of ships. Secured onboard networks are required where there is direct communication between the IT (information technology) and the OT (operational technology). The network should have a good physical layout and should ensure effective privacy. Without the right security barrier, attackers can hack the system, obtain inside information and misuse it in the manoeuvring of the vessel, cause cargo damage or even plan a piracy attack. Such things can impact the business and damage the reputation of the company.
On older ships the network system may not be as strong, as these types of risk were not considered during the ship’s construction. The system may be obsolete or may not have an appropriate antivirus system. Not all ships are updated to the latest technology. Considering this, if security steps are not taken and the awareness of the crew is not adequate, the crew can use any personal electronic device, and malware can spread from one computer to another through the internal network and subsequently penetrate the general communication of the ship in a few hours. Training is therefore important, as the onboard personnel change every few months. As an example, the Danish shipping giant Maersk experienced a dangerous disruption in 2017 because of particularly virulent malware affecting the whole company. The Maersk cyber-attack brings us to IT system applications, where a computer virus (NotPetya) caused a big disruption across all the divisions of the company in different countries, and all the shipment operations were struggling to function. Business units were shut down and the ports were affected. This was an alarm for the entire shipping industry.
Cyber Crime – Underreporting
The insurance market suffers from a handicap because many companies are reluctant to share information in general. In this era of hyper-connectivity, companies have more intangible assets which are quite valuable, and it is difficult to provide coverage for each type of risk, which makes this a challenge for the insurance sector.
Not reporting a crime harms more than it helps. The main fear behind not disclosing a cyber-attack is negative publicity for the business. Other reasons companies do not share information are that they do not want to give an edge to competitors, that their ships might be considered unseaworthy, or that there could be operational delays etc. The real data on incidents still remains unknown, creating a false sense of security in the industry. The BIMCO cyber security clause 2019 was drafted for parties to implement so that the risk is mitigated, but it seems not many incidents have been reported so far.
The Maersk incident in 2017 and the Norsk Hydro incident in 2019 make everyone believe that only the big and the strong are being targeted. Not reporting also feeds a mindset that small businesses may not be the target. Where, due to a network breach, a vessel’s system is taken over by cyber criminals, the result is a loss of data with both physical and economic impact. But what if a crime like this is never reported? Even a small incident report can help others in the industry become more educated and aware, and protect themselves from bigger financial losses.
Reporting cyber-crime is a kind of mitigation measure which increases security in terms of awareness. Sharing information will not eradicate the crimes but will diminish their effect. It is like educating the maritime industry on what loopholes still exist and sending alerts about the major risks so that the industry can upgrade its systems.
Mark Sutcliffe of CSO Alliance, with credible cyber sector experts and existing maritime industry supporters, has created a collaborative crime reporting tool at the disposal of the shipping and port community. This reporting tool is a Maritime Digital Platform that enables the community operating at sea and on shore to report any cyber incidents that have impacted the marine industry. With the help of this tool, one can better understand the impact of attacks and how cyber-attacks are evolving, and with that, effective prevention of and responses to these incidents can be thought about, since the attackers try to manipulate the victims by enticing them with offers of jobs or wealth, or even threats and access to illicit content.
Managing Cyber Risk
In the maritime ecosystem this is a serious and dangerous matter which can lead to huge enterprise loss. Awareness of the IT sector among people has improved tremendously. Those who are responsible for managing cyber risk should also ensure throughout that the company's IT policies comply with national and international regulations.
Where technology helps the industry run more efficiently, the risk runs in parallel. For on-board operational technology (OT) and information technology (IT), there are various types of cyber protection available in the market, e.g. firewall protection, intrusion detection, physical division of networks etc. In spite of these protections, there exists a strong connection between on-board OT and IT systems, which lets companies grow in a faster, cheaper and more efficient way. The vulnerabilities that come with this can therefore only be managed when people are aware of how this connection is established.
To manage the cyber field in a company, we need a good team of efficient professionals who carry out different responsibilities such as efficient governance, regular audits to update the system, and risk assessment on a continuous basis to manage security. This will help to (i) evaluate your own IT system; (ii) evaluate the risks that are associated with third parties; (iii) assess what damage might occur due to the risk; and (iv) analyse how this risk can be managed in order to mitigate it.
Focusing on the response is central to managing cyber risk. It is not possible to detect an event before it has happened or to know how an attack will hit, but planning steps to mitigate further damage is the key. The longer we leave an attack unattended, the more adverse an effect it will have on our system. A concrete plan has to be in place by which we can recover lost data faster. Whether the plan is effective or not depends on regular testing of such plans against different scenarios. The plans need to be evaluated and re-evaluated to check their effectiveness, and should be monitored and modified as technology changes.
The IMO (International Maritime Organisation) has recommended that by 2021 all shipping companies / managers / owners should incorporate cyber risk management and security into their safety management system and the ISPS (International Ship and Port Facility Services) code. This will make it much easier for shipowners, as well as the crew working on board, to implement and manage an adequate cyber security process.
If the shipping companies do not amend/update their ISM (International Safety Management) code structure as per the recommendations of IMO (International Maritime Organisation) then they run the risk of their ships being detained because they may be declared unseaworthy by the authorities.
This may cause huge commercial losses to the shipping companies and their financial pressure will probably force the shipping companies to amend their ISM (International Safety Management) code system.
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
*Kriti Ranjan completed her LLM in International Maritime Law at Swansea University, UK in 2017. She graduated from Chanakya National Law University in 2016. Kriti was previously associated with HP Law, Mumbai, one of the premier maritime law firms. She can be reached at firstname.lastname@example.org.
 New Cyber Security Clause from Bimco, BIMCO (May 22, 2019), https://www.bimco.org/news/priority-news/20190522-new-cyber-security-clause-from-bimco.
 Be Cyber Aware AT SEA, Phish & Ships Issue 32, Safety4Sea (July 2019), https://safety4sea.com/wp-content/uploads/2019/07/Be-Cyber-Aware-at-Sea-Phish-and-Ships-2019_07.pdf.
 Georgie Furness-Smith, Maritime industry must open up about cyber-crime, Lloyd’s List (Aug. 12, 2019), https://lloydslist.maritimeintelligence.informa.com/LL1128745/Maritime-industry-must-open-up-about-cyber-crime.
 CSO Alliance Maritime, ‘Be Cyber Aware AT SEA’ phish & ships Issue 8 (July 2017).