THE London P&I Club says the physical risk to ships from cyber-attack may not be as well understood by shipowners as those threats posed to traditional back-office functions such as accounting, payments and banking.
In an article in the club’s latest StopLoss Bulletin, Philip Roche, a partner with Norton Rose Fulbright, notes that good cyber hygiene, up-to-date firewalls, penetration testing and staff training are routinely deployed in the shipping industry to counter the back-office threat. But he warns that the physical risk to ships themselves is less well-understood by owners.
“Although it might be said that the risk is currently low”, says Roche, “cyber-attacks potentially pose a serious risk to the overall operability of a ship because of the increasing use of onboard IT, even where there is no single network controlling numerous systems and where internet connectivity is low. Examples of such technologies in common use are the Automated Identification System (AIS), Electronic Chart Display & Information System (ECDIS), Global Navigation Satellite System (GNSS) and E-Navigation Systems (E-Nav).
“Although cyber-attacks can occur deliberately, it seems that currently the risk is principally from the inadvertent introduction of viruses and the like into key systems. For example, a crewman charging a mobile phone from a USB port in the ECDIS system causing a virus to render the system entirely inoperable. The ship’s maintenance and propulsion systems are exposed to the same hacking/malware risks and the consequences of cyber-attacks might be potentially severe if key systems are lost at crucial times.”
Roche acknowledges that cyber-attacks causing physical damage are still thankfully rare, not least because of the comparative invisibility of shipping to the general public, and the existence of a number of far easier targets for cyber criminals. But he warns that, because ships’ systems are centrally controlled, because connectivity with the shore is continuous, and because maintenance and diagnostics are increasingly carried out via USB ports in equipment, the risk will only increase.
Roche concludes, “It is time for shipping to consider these issues proactively. It is a matter of applying tried and trusted risk assessment methodology. Consider the risks, weigh the consequences and put proportionate steps in place to reduce that risk. IT and cyber-attacks are outside most marine professionals’ experience, and so help has to be sought from experienced IT consultants.”