Rough waters ahead when it comes to cyber risks
17 May 2018 https://www.ship-technology.com/features/rough-waters-ahead-when-it-come...
As the maritime industry is going through transformational change, it faces different risk exposures and a raft of new challenges. Sarah Stephens, partner and head of cyber at JLT Specialty, considers the issue of cyber incidents in the shipping industry.
In 2017, awareness of cyber incidents in the shipping and maritime industry became a mainstream, and no longer a minority, issue. 2018 is a year where these issues will clearly be at the forefront for members of the industry, as well as regulators, policy makers and insurers. We can see this rapidly evolving issue steadily becoming more visible.
A watershed moment
Two incidents last year made it quite clear that the shipping industry does not have special dispensation from the risks of cyber incidents. Indeed, given the pace of change and modernisation within the sector, it may actually be uniquely exposed. The industry has made significant advances in navigation systems and introduced pilot programmes around crewless ships in the last ten years. Despite the rapid pace of change within the industry, many risk managers still think of shipping as essentially ‘low tech’. While that is beginning to change, true understanding of the evolving risks in the sector is still lagging behind.
When the world’s largest container shipping company Maersk – which has 88,000 employees across operations in 130 countries – reported that it had been subject to the NotPetya ransomware attack in June 2017, awareness of cyber risk issues lurched to the forefront. Its operations across many areas of the business came to a shuddering stop. Among the affected areas were drilling services, oil tankers, oil and gas production, and, significantly, its port operations. With the financial impact reportedly nearing $300m, and operations being impacted for more than a week, the company was significantly hit.
Whilst this was the first major cyber incident on this scale, it was not to be the last, as it was followed shortly by a data breach at Clarkson plc, described in Lloyd’s List as the “undisputed heavyweight of the shipbroking market”. The research arm of the company – focused on the collection and analysis of data related to merchant shipping and offshore markets – was particularly hit. Shares in the company dived by 6% on the day the news was announced, although the final estimated cost has not been made public.
With multiple connections between shore and ship systems, there is now an inextricable link between the two. The risk exposures faced go far beyond merely directing the boat, with inter-connected systems focused on, for example, safety, or even internet and entertainment systems, adding to the intricacy. It is no longer a case of simply worrying about one system on its own; rather, it is where these systems are inter-connected that the greatest risks lie. This mirrors the overall transformation of industrial operations worldwide, which now have extremely complex systems at their core, and therefore have a multitude of risks associated with their connectivity.
Full speed ahead
Companies of all sizes in the maritime industry will need to work extremely hard to put themselves in a position to tackle these threats, which are likely to outstrip the development of technology to combat them. Investment will clearly have to be increased, and existing insurance policies and protections reviewed and scrutinised in order to keep up to date with current threats.
The evolving risks in the maritime sector have rightly been identified as part of the UK Government’s cyber strategy review, showing that awareness of the issue is picking up. At the end of 2017, the government released an initial review that outlined key areas of attacks observed to date – among which are enterprise and information assets, GPS and navigation systems, and critical control systems – and detailed the fact that threat motivation, technical competence of attackers and complexity of employed attacks are all increasing. In the near future, from three to five years, advances in communication, improved sensing, and intelligent and autonomous control systems will be of particular focus. They are likely to make “potential software-dependent weaknesses easier to exploit for malicious gain”, according to the review.
The International Maritime Organization, the industry’s primary regulatory body, has also issued its cyber security guidelines. Although they aren’t currently mandatory, they are ‘encouraged’, and it’s not hard to envision a day when compliance with these guidelines will instead be required and subject to audit and compliance testing. It is highly likely that at some point, proving the implementation of such standards will be important, and possibly vital, with direct implications for contract bids and other standard industry practices.
In case of a successful attack, adequate protection is necessary. The fact that an insurance policy has the word ‘cyber’ in it does not mean that it will automatically cover gaps in a standard insurance portfolio. Cyber policies will generally exclude physical damage to ships and cargo that comes as a result of cyber incidents. It will therefore be vital to review the insurance already purchased by a company and to collaborate across the business in order to adequately protect it. A standard cyber policy, or negotiations to delete exclusions within non-cyber policies, are unlikely to give risk managers the overall cover they will need in a rapidly changing environment.
As well as innovation in terms of products and solutions, it is vital that a much greater degree of collaboration across different areas of risk management becomes the norm and not the exception. The insurance industry is evolving with these risks to meet these changing needs, with solutions and programmes via P&I Clubs now starting to emerge. Marine specialists and cyber underwriters must collaborate to ensure all areas of exposure have been addressed, and that maritime industry players have the best possible opportunity to avoid, or at the very least minimise, the impact of potentially dangerous and certainly costly cyber-related incidents.