Digitalisation and the Cyber Threat in the Maritime Industry: IUMI prioritises growing risks
By James Brewer
The cyber threat to shipping is racing ahead of efforts by industry bodies and regulators to combat the menace, discussions at the International Union of Marine Insurance have made clear.
Illustrating the high priority accorded by underwriters to such concerns, the President’s Workshop at IUMI’s 2015 conference in Berlin was devoted to the subject Digitalisation and Cyber Threat in the Maritime Industry.
Introducing the session, IUMI president Dieter Berg said that while technological advance was welcome, “the flip side of this development is that critical infrastructure such as ports and maritime operations will be highly vulnerable to outside attack. What happens if someone forces a 300 m vessel to run aground by breaking into the navigation system?”
Mr Berg said: “IT systems on ships are vulnerable remotely or in port. We have to see that ships are not isolated units anymore.”
The latest IUMI political forum round-up of key issues states: “A successful cyber attack can have several implications relevant to insurance: loss of life, personal injury, pollution, loss of property, business interruption, loss of production, loss of data and loss of reputation.”
The report says that IUMI will support the development of voluntary guidelines by BIMCO and others on maritime cyber security practices, and provide input. IUMI will consider co-sponsoring papers to the International Maritime Organization.
Speaking at the conference about the Industry Guidelines on Cyber Security on Board Ships, Aron Frank Sørensen, chief marine technical officer of BIMCO, described the vulnerability of ships.
When ships were chartered to third party operators, the shipowner did not have control over the IT systems required by the charterer. “Historically ships have been offline. Today cyber security cannot be ‘controlled’ through avoidance of connectivity.
“Critical data pertaining to cargo is passed through numerous land-side entities. Penetration of just one entity can result in any data element being compromised.”
He said: “Among shipowners there is a lack of awareness because ships have been remote from the digital world, and to some extent they still are. New ships are not being built with the high-tech systems; they are being built like in the 1980s. A ship is a long-term investment of 25 to 30 years. When they were built, nobody considered cyber security at all, so they put some badly designed hardware into the ship.”
There was a high reliance on IT systems related to safety. ECDIS (the Electronic Chart Display & Information System) and satellite receivers made a ship susceptible to either penetration or jamming.
Mr Sørensen urged a realistic approach, dismissing some of the hype. “The doomsday scenarios we get from the cyber industry, we do not believe that at all. Attacking a ship will not stop world trade. A ship is an independent unit and a cyber attack may compromise safety of that ship, the marine environment and to some extent, the business continuity of the owner.”
To a large extent the crew would use the same contingency plans as for any other emergency if the ship were compromised.
“Cyber attacks develop constantly so mitigating measures will also have to change accordingly. Regulation by the International Maritime Organization would be too slow to be effective. Type approval of software is not the way forward, as it is a static process.
“We see industry best management practice as the way to cope with cyber security,” said Mr Sørensen.
“Cyber security should be given special attention: when taking over a newbuilding and buying used tonnage – when buying a new or used ship, you may have to clean the systems from scratch – in connection with on-board software maintenance, and when dealing with an always open on-line connection.”
Precautions should begin during construction of a ship. The producer should have a quality assessment system for software lifecycle activities, which specifies cyber security considerations. Ships’ networks should be configured to have controlled and uncontrolled networks.
Some organisations, ships and systems might be more at risk than others, depending on the type and value of data stored. To manage risks, ships’ personnel and owners should understand the probability that an event will occur and the resulting impact.
At IMO Maritime Safety Committee MSC 94 (November 2014), a proposal was made for guidelines for ports, ships, and other parts of the maritime transportation system. BIMCO informed the meeting that it was working on guidance for shipowners and crew on operational aspects of cyber security on board ships. An update paper by BIMCO, the International Chamber of Shipping, Intertanko and Intercargo was submitted to MSC 95 (June 2015). The intention was to present the finalised guidelines to MSC 96 in May 2016.
BIMCO had been working with the Comité International Radio-Maritime since 2013 on a draft industry standard for maintenance and update of on-board programmable electronic systems. CIRM is the principal international association for marine electronics companies.
“The cyber work and the CIRM work are interrelated and coordination is essential,” said Mr Sørensen. “IUMI has been helping us with the guidelines. We have a plan to try them out in the industry before we take it to IMO.”
Manufacturers should develop, manage and update computer-based systems in a secure way. Cyber security considerations should start at the software production stage and cyber robustness considerations should be made when the ship is constructed.
Mr Sørensen spoke of a fraud involving a large sum of money committed to a purchase of ship’s bunkers. A false web page had been set up under the name of the bunker supplier. In another instance a bank account had been changed, prompting the suspicious ship operator, who was due to pay, to ask his counter-party: “Have you moved to Ukraine?”
Mr Sørensen acknowledged: “I have become more and more paranoid, the more I look into this subject!”
The next speaker was Matthias Kirchner, operations and marine and aviation manager for AXA Corporate Solutions, Cologne, who looked at cyber security from the perspective of the marine insurer.
Mr Kirchner said: “I think underwriters have neglected this risk so far because it is so complex. In non-marine standard property and casualty products, cyber-risk is excluded – ‘new products generate additional premium.’”
In marine, some lines have a cyber exclusion, but in many markets, for instance in Germany, there is no such exclusion clause, at least in cargo, said Mr Kirchner, who is chairman of the cargo committee of the German Insurance Association, the GDV. “Is exclusion a solution? I do not think so. When we give more attention to proper underwriting, we will limit our cyber exposure at the same time.”
A question put to the audience produced a narrow vote in favour of the practice of using the exclusion and buy-back option. Of the audience, 83% were unaware of any claims to their businesses so far for cyber attacks.