Increased vessel automation, integration and digitisation are the inevitable future of shipping, adding cyber-attacks to the usual concerns of ship-owners and insurers.
While boosting the efficiency of the shipping industry, automation is enlarging the pool of risks faced. On top of natural disaster, the threat of piracy and human error as covered by standard marine insurance policies, ship owners may now find themselves under attack from the likes of a Trojan worm, GPS interference, ransomware and ”ratting” (remote administration tool software).
In the light of these risks, many ship owners are forced to take out cyber-risk gap cover, over and above protection and indemnity (P&I) and hull insurance. In fact, some hull insurers expressly exclude cyber-risks. These “gap cover policies” usually include a risk management service employed to lessen the adverse effects of cyber incidents, including business interruption costs and cyber ransom cover.
However, it is clear that the coverage lines between each insurance policy may easily become blurred. For example, if a ship runs aground and causes pollution due to a navigation hack, will that claim be covered by P&I pollution cover? These questions are not easily answered.
The shipping industry is not alone in contending with cyber-attacks. The threat is real for all industries. Even large multinational companies are struggling to keep up with the rate at which these attacks are developing and evolving in nature. Companies cannot quantify and develop risk management strategies fast enough to cope with the ever-escalating threat of attacks, which are often highly visible breaches of networks that many companies thought were impregnable.
According to IBM’s 2016 Cyber Security Intelligence Index, transportation was the fifth most cyber-attacked industry in 2015. High-value goods are frequently transported by sea, making shipping an attractive target for hackers.
Most notably, in June 2017 one of the world’s best-known shipping companies, AP Moller Maersk A/S, suffered a global system shutdown as a result of a global cyber-attack. The company’s operations were brought to an abrupt halt for days, with hackers demanding untraceable cryptocurrency as ransom.
All it takes for malware to spread within hours or minutes is for one computer to be affected within a network. This is a daunting reality on board a highly automated vessel. Should a crew member open a malicious mail purporting to be from a maritime authority, insurer, regulatory authority or family member, the malware could infect the vessel’s entire operating system and jeopardise the vessel’s engine room operation or cargo temperature control or navigation systems – the so-called “critical infrastructure” on a vessel. In these circumstances, the point of departure for vessel security is crew education and vigilance.
Although insurers are now offering separate cyber-security policies and cover, these cyber-risks are not static and may by their very nature be undetectable. Fueled by the high rate of technology development, new risks of potential cyber-invasion arise constantly and at a rate that cannot be continually updated within a written policy. Moreover, underwriters face great difficulty in quantifying their potential liability where the consequences of a cyber-attack may be far-reaching. Gaps in cyber insurance cover are therefore inevitable. As owners and insurers work to better understand and address these risks, operational staff and crew may have very little guidance as to the gravity of the consequences of cyber-attacks.
In conducting a Crew Connectivity 2015 survey of crew members in 2015, Futurenautics found that a mere 12% of crew members had received any form of cyber-security training. Only 43% were aware of any cyber-safe policy or cyber-hygiene guidelines provided by their company for personal web-browsing or the use of external devices.
The consequences of failing to educate crew members about cyber security may be significant, both in terms of operations and safety.
Ship owners, operators, managers and insurers must take a holistic and collaborative approach to cyber-security. This includes taking steps to protect software and hardware, and to develop and implement policies and risk assessment and management programmes. However, the most immediate and cost-effective steps are to educate crew members and shore-side operational staff about the threat of cyber-attacks, how these attacks are perpetrated and the serious consequences that may result.
Cyber security is no longer a concern only for the IT department, but rather one for all employees.