The maritime industry is starting to understand the cyber threat as our conversations with operators, class and maritime insurers reveals
Cyber risk management should be a top priority for shipping company boardrooms as a successful attack can lead to serious financial losses. This was dramatically demonstrated by the recent cyber attack on AP Møller-Maersk, which shutdown IT networks, logistics platforms and terminals.
This was also highlighted by top shipping IT experts at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit*, which took place on 20 June – a week before Maersk’s incident. At this event, Danish Maritime Authority special adviser Erik Tvedt said shipping boardrooms should take cyber security seriously and incorporate it into corporate risk management structures.
In a video interview on the side of the summit he told Riviera head of content Edwin Lampert that cyber risk management will become mandatory for the industry. “It is important for safety and security to understand cyber risk management. It is an important risk factor for modern shipping. Shipowners should take this seriously for business reasons as cyber risk management improves the bottom line.”
He explained that IMO is adopting cyber risk management in the safety management ISM Code from 2021. He warned: “If you do not comply, then port state control can award points and if you have too many, ships can be detained.” Ship operators will be expected to conduct cyber risk assessments, he said. “They will evaluate which risk to do something with and do something about the important risks.”
In another interview during the event, Norton Rose Fulbright partner Philip Roche said it was important that chief executives are involved in cyber security. “If there is a major attack and ships cannot sail, it would be a problem,” he explained. “Chief executives need to be part of the team doing practical drills.” Otherwise, he said, “all the efforts are wasted. We need to spread the message to those that are not engaged.”
He explained that the prevailing view is that small risk cyber issues, such as ransomware, can be dealt with “day-to-day”. But this leads to a large number of organisations not engaging with the problem. And in organisations that do engage, it is not the senior people who get involved because it is seen as “an IT thing,” he said. “But it is a risk important enough to get a decision from the top.”
For the tanker and gas industries, cyber security will become a key risk management requirement from the beginning of next year as it becomes part of Oil Companies International Marine Forum’s Tanker Management and Self Assessment 3 (TMSA 3) best practice programme. For this reason, the subject has travelled up management levels in companies such as K Line and MOL LNG Transport
K Line’s Derek Darwin said cyber risk management messages needed to reach a wider audience to ensure shipping companies were not affected by future cyber attacks. OCIMF was leading the way in this: “TMSA 3 will be enforced, driving us to look at cyber security [and] involve a lot more people that just the IT department,” he said. Mr Darwin thinks shipping will need a number of significant cyber attacks before it learns to deal with the issue as an industry. He sees parallels with how the industry only reacted to physical piracy a decade ago after a number of successful hijackings. “There was a lack of reporting, so no one knew what was going on,” he commented. “This is relevant now with cyber security as we do not know how or why ships have been attacked.”
MOL LNG IT manager Pete Adsett explained how his organisation prevents cyber issues and protects ships from malware. He said his ships had malware on board in the past but this was cleaned off. There are also what he called ‘sheep dip’ computers on board that are used to scan any external memory sticks for malware before seafarers, port inspectors and service engineers can use them on the ships.
Other shipowners also provide computers on vessels purely for seafarers to use for their own media usage. Navios Group IT manager Katerina Raptaki explained at a Riviera- and Speedcast-run seminar in Norway in June that these computers were deployed across the fleet to prevent seafarers from infecting other ship computers with malware.
Malware is prevented from being transferred across satellite links by firewalls. It is thought Maersk Group reacted rapidly to isolate its ships on 27 June when the whole company was attacked by destructive malware. According to a satellite communications provider, Maersk quickly deployed firewalls to the ships, offshore support vessels, tugs and drilling rigs to prevent the malware from infecting their IT networks, enabling marine operations to continue unaffected.
"A bulk carrier’s switchboard was shut down because of ransomware on board and the vessel was rendered inoperable"
But these measures do not always prevent ships from being infected by malware that can sometimes shut them down, said DNV GL maritime cyber security manager Patrick Rossi. He said problems have been found on board container ships, bulk carriers and tankers. In one example, he said: “a bulk carrier’s switchboard was shut down because of ransomware on board and the vessel was rendered inoperable. This could have quickly escalated if the vessel had been involved in critical operations.”
He said shipping could learn lessons from the offshore oil industry where there have been advances in cyber security. “Offshore is more mature in managing cyber threats. There has been a strong push to do FMEA [failure mode effect analysis], much more than in maritime.”
DNV GL is working through IACS to set up a platform for communicating anonymously incidents that happen in maritime. Mr Rossi described it as “a platform for sharing data, the lessons learnt and how to fix issues confidentially.” Satellite operator Inmarsat is also working with IACS on this platform, as its vice president for safety and security, Peter Broadhurst, explained: “As an industry, we are coming together to set a framework that will set principles for moving towards a set of standards. And should regulations be required, we could move towards regulations.”
Delegates at the conference heard from John Boles, a former assistant director of US Federal Bureau of Intelligence’s international operations, about mitigation methods for preventing and dealing with a cyber attack.
He is now director of global legal technology solutions at Navigant and said controlled networks should be separated from unsecure ones, software should be patched and crew trained to prevent unintentional malware infections. He said shipping companies should have layered defences to isolate protected data from the internet, implement multi-factor authentication and retain outside security experts to help plan for a cyber attack.
Speaking to MEC after the Maersk cyber attack, Mr Boles said it could have been avoided by applying Microsoft security updates that addresses ‘server message block’ (SMB) vulnerabilities. “Fixes for the SMB vulnerability were available, Microsoft even released patches for its out-of-service operating systems after WannaCry,” he said, referring to a global ransomware attack in May.
More prevention methods could also have been performed: “Even if a company did not patch, performing regular back-ups of data and isolating those back-ups from the internet would at least make it possible to reload company data and continue business operations, while minimising the data loss.”
Shipping companies should also do cyber risk assessments, but these bring their own challenges. Moore Stephens partner Steve Williams explained that it was difficult to assess the impact on confidentiality, integrity and availability of cyber threats. “It is hard to determine and impossible to quantify the cyber risks, hard to price the risk and difficult to manage,” he said.
"Cyber security is about building up resilience to attack"
North P&I Club deputy director for loss prevention Colin Gillespie said the key to cyber security is to assess the vulnerabilities and take measures to make them less vulnerable. “Cyber security is about building up resilience to attack, making cyber incidents less likely and better enabling companies to respond to, and recover from, an attack,” he explained. Although ship connectivity creates vulnerabilities, some are more human-related.
North P&I Club is part of the ‘be cyber aware at sea campaign’ which seeks to raise awareness of cyber risks amongst shipping companies and seafarers. “The first step in best practice is to develop an easy to follow policy and raise people’s awareness around the common issues,” Mr Gillespie said. “The human factor is the cause of the majority of incidents but it is also a risk that can be reduced relatively quickly and cheaply.” Training can help to tackle that aspect of the problem, he suggested.
Given what was to happen just a few days later, his concluding advice was timely: “The level of disruption a cyber incident can bring can put a business at risk,” Mr Gillespie said. “So the more resilient a business is, the less it runs this risk. The first step is to recognise the potential risk and prioritise cyber security as a board level risk.”
*Riviera Maritime Media’s European Maritime Cyber Risk Management Summit was held in association with Norton Rose Fulbright in London on 20 June. To see all the videos from this event go to Riviera Maritime Media's dedicated Youtube channel here.