Shipowners, operators and managers, regulators and the supply chain need to collaborate to reduce the risk of cyber attacks
Shipping companies face a growing number of cyber security-related regulations they have to comply with. But there is guidance they can follow that reduces the risk of suffering an attack in the first place, and of being hit with heavy fines by regulators afterwards.
Some of this guidance was provided to delegates at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, held in London on 15 June in association with Norton Rose Fulbright.
At that summit, Templar Executives director Chris Gibson said shipping companies need to be proactive and learn from the way other organisations have responded to cyber attacks. He specifically mentioned the 2017 cyber attack on Maersk Group and its impact on container shipping and terminals.
“There is no such thing as too much collaboration, but it is not something that can be mandated,” said Mr Gibson. It is about building relationships and trust “and the wider those relationships are the better”.
He also highlighted the importance of cyber security within a shipping company’s supply chain and supporting players as there are ship-to-ship, ship-to-port, and owner-to-supplier relationships. “It is not just vessels as ports and third-parties can be hacked,” said Mr Gibson. “Supply chain is important as there are many levels of interaction.”
In response to these potential attack vectors, shipping companies need to decide what the risks are and what they need to do to mitigate them. “They need to have overarching support and advice, a central one with corporate response and crisis management,” said Mr Gibson.
Templar Executives is working with Wärtsilä to build a maritime cyber centre of excellence in Singapore, which would respond within the first 24 hours of any incident that affects a shipping company.
Regulations with teeth
Norton Rose Fulbright partner Philip Roche summarised how some of the new regulations and requirements may affect shipping companies and port state control. His colleague, head of operations and cyber security Steven Hadwin, explained that regulators are already more active in cyber security, whether under the EU general data protection regulation (GDPR) or the EU directive on the security of networks and information systems (NIS Directive).
“Data protection and cyber security need to be taken seriously from a legal point of view,” said Mr Hadwin. Courts will focus on the importance of personal data and cyber security. Data could then “become a considerable liability for an organisation, such as a cruise ship operator,” he said. Such shipowners hold vast amounts of data about passengers and could be liable if a loss of this data led to personal distress and a collective legal action.
If the lost data concerned people in the EU, or the organisation is established there, GDPR could come into play. Under GDPR, if an organisation loses personal data, “it will need to speak to a regulator within 72 hours,” said Mr Hadwin. “It could impose a fine of up to 4% of that organisation’s global annual turnover.”
PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which came into effect in May 2018. These “regulations have teeth”, he said, because of the potential size of fines and the damage to a company’s reputation from being the victim of a cyber attack. This is one of the reasons why boardroom executives should be aware of, and understand, what is required for compliance.
Class societies also provided guidance to delegates. Lloyd’s Register (LR) cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network, their operational technology and their people to “stop people sharing data or compromising procedures”.
Shipowners “need to identify any compromise before an attacker tries to penetrate”. Ms Cassi explained technology can support the early detection of cyber incidents on ships, ports or offices, and intercept and prevent a cyber attack. She added shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.
LR conducts cyber security surveys of onboard systems and can determine whether a ship is safe to navigate. Ms Cassi said LR is also working with other class societies to define cyber secure ship notations.
Also during the summit, Anchoredge chief commercial officer Herbert Soanes explained how blockchain technology can be used for secure transactions, because the “proof of work prevents double payment of cryptocurrency, which prevents fraud. The block has a cryptographic hash that is unique to that information.
“A change of character would generate a new hash, so tampering with the document means that hash will not match any more,” said Capt Soanes.
There is no reliance on a single central entity: “the blocks of information are held in a chronological chain and blocks cannot be changed without consensus,” he said. “A block is visible to everyone in real-time, which creates high levels of transparency.” In a proof-of-work system this means block data cannot be changed without the agreement, in hashing power, of a majority (51%) of the miners.
“Cryptography makes the possibility of fraud very low, it makes counterfeiting very low and that is highly conducive to distributed trust as many people can visualise changes.”
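The mechanism Capt Soanes describes can be shown concretely. The following Python is an added example for this article, not Anchoredge’s code or any production blockchain: it builds a toy hash chain over constructed sample documents with a small proof-of-work target (DIFFICULTY, an assumption chosen so the demo runs in well under a second), shows that a single-character edit to a document makes its stored hash stop matching, and shows that the only way to make a forged chain verify again is to redo the proof of work for every later block, which is the cost that consensus imposes on an attacker.

```python
"""Toy hash chain with proof of work: tamper detection and the cost of rewriting history.

Added illustration. DIFFICULTY and the sample documents are constructed for the demo
and are not parameters of any real blockchain or of Anchoredge's system.
"""
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64
# Toy proof-of-work target: a block hash must start with this many zero bits.
# 12 bits means roughly 4096 hash attempts per block on average (assumption for the demo).
DIFFICULTY = 12


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    nonce: int
    hash: str


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over the block contents; changing any single character yields a new digest."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "data": data, "nonce": nonce},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_difficulty(digest_hex: str) -> bool:
    """True when the 256-bit digest begins with DIFFICULTY zero bits."""
    return int(digest_hex, 16) >> (256 - DIFFICULTY) == 0


def mine_block(index: int, prev_hash: str, data: str):
    """Search nonces until the block hash meets the target. Returns (block, attempts)."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, data, nonce)
        if meets_difficulty(digest):
            return Block(index, prev_hash, data, nonce, digest), nonce + 1
        nonce += 1


def build_chain(documents):
    """Mine one block per document, each linked to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, doc in enumerate(documents):
        block, _ = mine_block(i, prev, doc)
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return (True, None) for a valid chain, else (False, index) of the first bad block.
    Checks linkage, the content hash and the proof of work for every block."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev:
            return False, b.index
        if block_hash(b.index, b.prev_hash, b.data, b.nonce) != b.hash:
            return False, b.index
        if not meets_difficulty(b.hash):
            return False, b.index
        prev = b.hash
    return True, None


def tamper_in_place(chain, index: int, new_data: str):
    """Attacker edits one document but keeps the stored hashes: caught at that block."""
    forged = copy.deepcopy(chain)
    forged[index].data = new_data
    return forged


def rewrite_history(chain, index: int, new_data: str):
    """Attacker edits one document and re-mines every later block so the forgery verifies.
    Returns (forged_chain, total_hash_attempts): the work that must be redone, and then
    out-paced against the honest network, which is why a majority of mining power is needed."""
    forged = list(chain[:index])
    prev = chain[index - 1].hash if index > 0 else GENESIS_PREV
    attempts = 0
    for i in range(index, len(chain)):
        data = new_data if i == index else chain[i].data
        block, n = mine_block(i, prev, data)
        attempts += n
        forged.append(block)
        prev = block.hash
    return forged, attempts


# Constructed sample "documents" for the demo; not real shipping records.
DOCUMENTS = [
    "B/L 0001: 120 TEU, Rotterdam -> Singapore, consignee Acme Trading",
    "B/L 0002: 200 TEU, Singapore -> Hamburg, consignee Globex Ltd",
    "B/L 0003: 80 TEU, Hamburg -> Felixstowe, consignee Initech",
]

if __name__ == "__main__":
    chain = build_chain(DOCUMENTS)
    print("honest chain:", verify_chain(chain))
    edited = DOCUMENTS[1].replace("200 TEU", "300 TEU")
    print("in-place edit:", verify_chain(tamper_in_place(chain, 1, edited)))
    rewritten, work = rewrite_history(chain, 1, edited)
    print("re-mined forgery:", verify_chain(rewritten), "after", work, "hash attempts")
```

The in-place edit fails verification at block 1 because the stored hash no longer matches the content; the re-mined forgery passes, but only after the attacker repeats the proof of work for block 1 and every block after it. On a real network that recomputation has to finish ahead of the honest miners, who keep extending the original chain, which is what “cannot be changed without consensus” means in practice.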
Partners and sponsors of the European Maritime Cyber Risk Management Summit
- Darktrace Industrial
- Lloyd’s Register
- Naval Dome
- DNV GL
- Marshall Islands Registry
Cyber regulations and guidance for shipping
- EU general data protection regulation (GDPR) came into effect 25 May 2018.
- IMO – Resolution MSC.428(98) – cyber risk management must be addressed in safety management systems under the ISM Code no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
- TMSA 3 – cyber security was added to the Tanker Management and Self Assessment programme in January 2018.
- EU directive on the security of networks and information systems (NIS Directive) – in effect from May 2018.
- Privacy and Electronic Communications Regulations (PECR) – the UK implementation of the EU ePrivacy directive, covering individuals’ traffic and location data.
- RightShip has added cyber security to its inspection checklist.
- BIMCO – industry guidelines on cyber security on board ships, based on International Association of Classification Societies (IACS) work.
What is the role of port state control in enforcing cyber security?
Norton Rose Fulbright partner Philip Roche believes port state control will play a limited role in enforcing cyber security, writes Jamey Bergman.
Mr Roche, the global co-head of the firm’s shipping group, told attendees at the European Maritime Cyber Risk Management Summit in London that the shipping industry was likely to continue to rely on classification societies and P&I clubs to understand regulatory compliance.
“It is hard to see a port state control officer – a guy who’s been at sea, who understands engines and fuels and lifeboats – suddenly becoming armed with the ability to check a ship’s cyber security,” Mr Roche said.
“It seems to me a lot of reliance is going to be, as it is now, put on classification societies certifying whether a ship is safe to go to sea.”
In addition to class notations, Mr Roche said the industry could also see something akin to the International Oil Pollution Prevention (IOPP) certificate, which ships would carry to prove they are compliant.
“What I can see is port state control doing basic checks. I cannot see them doing penetration testing, I cannot see them going into great depth, but I can see them doing a check that there is a policy in place.”
However, he said there was still room for both P&I clubs and classification societies to collaborate to develop and unify compliance guidelines.
“I understand there is a P&I working group, that the classification societies have gotten together to get a working group and to have a think about these things and deal with how compliance may well look,” he said.
Mr Roche said he did not expect port state control in many countries to be quick to create an enforcement regime. He cited the UK Maritime and Coastguard Agency’s yet-to-be-defined methods of enforcing the IMO 2020 sulphur cap, saying port state response tends to follow “rather slowly” after the enactment of regulations.