Maritime industry must open up about cyber crime
While it may be easy for shipmanagers to bury their heads in the sand regarding the likelihood of a cyber attack, they should approach cyber security as an integral part of overall safety management
Organisations within the maritime industry are often reluctant to report cyber attacks for fear of reputational damage
Cyber attacks affect large and small firms alike in the maritime industry, and anonymised reporting of cyber events — such as ransom-driven distributed denial of service attacks — would be a big step forward in dealing with the problem.
While it is the mega-attacks that get the most attention, cyber attacks are occurring at an even greater rate than the public is led to believe. This issue — the under-reporting of cyber attacks — is a serious challenge for insurers and reinsurers as it skews the perception of the risk. This problem is particularly pertinent to the maritime industry, which many believe is already behind in its awareness of and preparedness for cyber risks.
While it may be easy for shipmanagers to bury their heads in the sand regarding the likelihood of a cyber attack, they should approach cyber security as an integral part of overall safety management. In instances in which customer data has been compromised, organisations in many geographies are required by law to report such incidents to local and national authorities and regulators, as well as notify affected customers and individuals.
When organisations are the target of other types of attacks, however, such as ransomware or phishing, they may not be required to or even want to disclose the attack, as many fear reputational damage from doing so. It is this lack of reporting that is providing a false sense of security within the maritime industry.
In an attempt to discourage businesses and shipowners from burying their heads in the sand and thinking a cyber attack will not affect their firm, the CSO Alliance, a UK-based maritime-focused membership organisation, has created an anonymous reporting system to help maritime companies report cyber incidents, ensuring absolute anonymity and confidentiality. The very existence of this organisation emphasises the scale of the issue and the lack of organisations willing to disclose cyber incidents.
While this may help alleviate the problem of under-reporting of cyber attacks in the maritime industry, it also shines a light on the outdated perception that cyber security is a costly endeavour rather than a protector. In fact, cyber security programmes enable maritime businesses to be prepared, whatever the circumstance. Accurate reporting of cyber security incidents is a first, critical step. Equally important is the need for the maritime industry to understand the nature and volume of these attacks. This will help raise awareness, increase industry preparedness and mitigate the risks of subsequent attacks.
If companies only hear about occasional cyber attacks within the maritime industry that have come to light because they affected large companies, such as the $300m Maersk incident in 2017 or the ransomware attack on Norsk Hydro earlier this year, they may believe cyber criminals target big businesses only. This can perpetuate a sense of denial.
This denial extends to companies optimistically believing they will not be targeted because they are too small to be on the radar of a cyber criminal. While this may or may not be true, a factor that is equally important and often overlooked is the risk of an untargeted attack. An untargeted attack may be a virus entering the system or the repercussion of something much larger, such as the Maersk incident, whereby the company is merely collateral damage and just one of the victims of a much larger cyber attack.
In 2017 the International Maritime Organization issued a set of guidelines on maritime cyber risk management to safeguard shipping from existing and emerging cyber threats and vulnerabilities. It also adopted the maritime cyber risk management in safety management systems guidelines to ensure cyber risks are appropriately addressed in existing safety management systems, as defined in the International Safety Management Code, by no later than January 1, 2021.
To help shipowners put this into practice, the Baltic and International Maritime Council published its guidelines on cyber security to provide practical recommendations on cyber security and safety. The efforts of the IMO and Bimco have considerably increased awareness within the industry; however, as there are limited public instances of cyber-related attacks within the shipping industry, there is still a level of complacency.
As the number of reported cyber attacks affecting the shipping industry continues to rise, more conversations are taking place. The more businesses are willing to identify or report these attacks, anonymous or otherwise, the more others will be able to understand the scale of the problem and act to protect themselves.
Attacks of this nature are by no means limited to land. Opportunities for cyber criminals to cause chaos are expanding as vessels become increasingly connected. In May, the US Coast Guard released a bulletin instructing shipowners to verify their email addresses after several phishing emails posing as official Port State Control authorities were used to obtain sensitive information from commercial vessels. The Coast Guard also received reports of “malicious software designed to disrupt shipboard computer systems”. This attack highlights the need for maritime companies to pay as much attention to their onshore business networks, which have been the focus of the reported attacks to date, as they do to their offshore assets.
To help prepare for the likelihood of a cyber attack in the imminent future, shipmanagers should be aware of the Lloyd’s market bulletin, released last month, which says from January 1, 2020 all first-party property damage policies must either affirm or exclude cyber cover. This will enable owners to know with certainty whether a physical damage loss to their vessel caused by a cyber event will be covered or not, removing the doubt that exists at present.
While it may seem frightening to consider a cyber criminal taking control of a vessel or disrupting a shipping company’s computer system by inserting malicious software resulting in business interruption, a ransom demand or critical data loss, imagine if events like these were happening regularly but had not been reported. Anonymous reporting is vital for the shipping community to effectively mitigate the risk of cyber attacks within the industry.
Georgie Furness-Smith is cyber insurance underwriter at Axis Capital