
Maritime cyber risk awareness ‘barrelling forward at full pelt’

05 Jan 2018

According to Sarah Stephens of cyber security consultancy JLT Specialty, 2017 will perhaps be remembered for, among other things, being the year that awareness of cyber incidents in the shipping and maritime industry started barrelling forward at full pelt.

Innovation clearly abounds across the industry in a number of areas, but consciousness of the extent to which such progress and ever-increasing connectivity impact the industry’s risk profile has not kept pace. Fast forward to today, where these issues are clearly on the radar for industry players, regulators, policy makers and insurers alike.

Awareness of cyber risk issues lurched to the forefront in June 2017, when industry giant Maersk – which handles around one in seven containers shipped globally – reported that it had been subject to the NotPetya ransomware attack. As a result, its operations across numerous areas of the business came to a screeching halt. Among the affected areas were oil and gas production, drilling services, oil tankers and, notably, its port operations. Operations were impacted for more than a week, and the company reported its total financial impact to be $250-300 million.

This proved to be only the first major incident, as it was followed shortly by a data breach at Clarkson plc, one of the world’s key shipbrokers. Of particular concern was the company’s research arm, focused on the collection and analysis of data related to merchant shipping and offshore markets. The final estimated cost of that incident has not been made public, but its shares plunged six percent on the day the news was announced.

Taken together, these two scenarios made clear that the shipping industry is in no way immune to the risks of cyber incidents. Quite the contrary, given the pace of innovation within the sector. In the last decade alone, the industry has made significant advances in navigation systems and introduced pilot programmes around crewless ships. Despite this, many risk managers still think of it as a ‘low tech’ industry. That’s starting to change, although true understanding of the scale and scope of the risks is still lagging behind.

Shore and ship systems are now inextricably linked, with robust connectivity between them. The exposure goes far beyond merely navigation, with inter-connected systems focused on health and safety or even on-board internet and entertainment for crews adding to the complexity. Long gone are the days when organisations can worry only about one system or another; it is where these systems are inter-connected that some of the greatest risks lie. In many ways, this mirrors the transformation of traditional manufacturing operations worldwide, which now have multi-dimensional, technology-powered industrial control systems at their core.

The pace of awareness and change, however, is picking up. The evolving risks in the maritime sector have rightly been identified as part of the UK government’s cyber strategy review. At the end of 2017, it released an initial evidence review which outlined key areas of attack observed to date – enterprise and information assets, GPS and navigation systems, and critical control systems among them – and detailed the fact that threat motivation, technical competence of attackers and complexity of employed attacks are all increasing. Over the next three to five years, advances in communication, improved sensing, and intelligent and autonomous control systems are of particular concern. According to the review, they are likely to make “potential software-dependent weaknesses easier to exploit for malicious gain.”

Further, the industry’s primary global regulatory body, the International Maritime Organization, has issued its cyber security guidelines. At this stage, they aren’t required but ‘encouraged’. However, it’s not hard to envision a day when these guidelines will instead be required and subject to audit and compliance testing. It is likely that, in the not too distant future, proving the implementation of such standards will be table stakes, with direct implications for contract bids and other standard industry practice.

Companies across the sector, both large and small, need to work feverishly themselves to get ahead of these threats, which are likely to outpace development of technology to combat them. Investment in cyber security clearly will have to be escalated and accelerated, and existing insurance policies and protections reviewed and scrutinised.

Maritime firms need to understand that just because an insurance policy has ‘cyber’ in its name does not mean that it will fill all of the gaps in a standard insurance portfolio. Cyber policies generally exclude physical damage to ships and cargo stemming from cyber incidents, so there is a real need to take a closer look at each organisation’s existing insurance policies and work collaboratively across lines of business to meet a company’s needs. Simply purchasing an ‘off the shelf’ cyber policy or negotiating to delete exclusions within non-cyber policies is unlikely to give risk managers the seamless coverage they desire.

In response, the insurance industry itself is evolving to meet these changing needs, with solutions and programmes via P&I Clubs now starting to emerge. As well as innovation in terms of products and solutions, it is essential that a much greater degree of collaboration across different areas of risk management becomes the norm and not the exception. Marine specialists and cyber underwriters must put their heads together to ensure all areas of exposure have been addressed, and that maritime industry players have the best chance possible of avoiding or minimising the impact of costly – and potentially dangerous – cyber-related incidents.

Sarah Stephens is a partner and head of cyber at JLT Specialty