Posted: 01/07/2019
The ever-increasing use of technology has become an integral part of business operations within the shipping sector resulting in systems of greater efficiency. Unsurprisingly, however, it has also provided a breeding ground for a variety of different cyber risks now facing shipping related companies.
While cyber-attacks on high profile corporations and banks frequently hit the headlines, they have not been heavily reported in the marine world. This could be attributed to lower public profiles. However, the shipping industry should not be lulled into a false sense of security. In fact, the very nature of the shipping industry – with IT systems now used more than ever in the operation of vessels namely, in the communication, navigation, loading and unloading of vessels, in container tracking and cargo handling, shipyard inventories, and the computer systems used mainland and at major ports – make it more susceptible to cyber-attacks. Smooth running of these systems is essential to the successful operation of the vessel and therefore economically important not only to the vessel/cargo owner but also to other vessels. A cyber-attack disabling a vessel which is in transit through the Panama Canal, for example, would result in a blockage of the Canal affecting the operation of nearby vessels with the potential for huge losses.
Recent studies have found the technological systems used on tankers, containerships, superyachts and cruise ships easily penetrable. Researchers were able to remotely deactivate machinery on-board the vessel, overriding the vessel’s fuel signals and steering gear control. Amongst other things, they found they could also apprehend a vessel’s navigation system, radar, engines and pumps. In light of this, it was concluded that 'the maritime industry appears still to be ill—equipped to deal with…the cybersecurity of autonomous vessels'.¹
Recent cases have highlighted such problems. One of these is the Clarkson cyber hack in 2017.
This case was one of cyber extortion, which illustrated that the theft of data has become an increasingly common phenomenon. The UK’s largest shipbroker, Clarkson Plc suffered a cyber-attack in November 2017 which stemmed from a 'single and isolated user account' whereby employee information was stolen for the purposes of blackmail. Worryingly, the breach went unnoticed for five months.
One of the most imminent issues facing companies experiencing such breaches is the question of whether paying the demanded ransom sum is even a legally viable option. Although recent case law suggests that it may be, the Terrorist Act 2000 precludes companies from making such payments if there is reasonable cause to suspect that the money may be used for the purposes of terrorism. It is worth noting that this act is far reaching, with insurers also caught in its remit, and its objective reasonableness test can prove difficult to circumvent.
The importance of safeguarding against cyber risks in the maritime industry has been widely recognised. In 2017, the International Maritime Organisation (IMO) published concise guidelines for maritime cyber risk management which are suitable for a variety of different organisations.
Further to, and in support of, their guidelines, the IMO has also given ship owners a deadline of 1 January 2021 to incorporate cyber risk management into a vessel’s SMS code safety management. This should provide information on how cyber security management is implemented. Failure to adopt such measures may result in detention of the vessels in default. The IMO’s aim is to raise awareness to the fact that cyber risks are a specific type of risk and should therefore be treated as such by making assessment of them distinguishable from the general security risk assessment already performed by marine businesses (as in accordance with Part 2, s 8 of the Maritime (ISPS Code) Regulations 2014).
Supplementary to this, certain types of cyber risks can be combatted by deploying maritime cyber risk management training for employees. Presently, security training for personnel on-board vessels is a requirement of the RMI Seafarer’s Certification and the same for shore-based employees which is covered by the Guidelines on Training and Certification for Company Security Officers. Fostering these requirements may minimise the risk of a breach occurring from untargeted attacks such as phishing.
Moreover, the Baltic and International Maritime Council (BIMCO) Guidelines on Cyber Security Onboard Ships have been widely accepted by the IMO, shipowners and classification societies. Much like the IMO’s guidelines, these focus primarily on the prevention of cyber-attacks through identifying threats and vulnerabilities, assessing the risk exposure attached to these and developing both protectionary measures and contingency plans to neutralise these risks as far as possible. It is only the last section of the guidelines which refers to recovery from a cyber-attack depicting how crucial pre-emptive measures are in the fight against cyber-attacks. Of course, such measures must not be too stringent as this would obstruct the normal course of business, but they should be effectively implemented from top management – in the risk assessment and consequential development of cyber security policies – all the way down to personnel onboard – through training and awareness programmes.
To conclude, cyber risks pose a real and present threat to the maritime world and whilst the industry endeavours to protect against them, it is ultimately in the hands of individual companies themselves to take heed of the recent cyber-attacks and actively take preventative steps to reduce these risks – after all, prevention is intrinsically better than a cure.
This article was prepared by Iris Bajraktari, trainee solicitor at Penningtons Manches Cooper.