At the start of 2017 we had an article published on cybersecurity and the present cyber-threats to the marine industry. Now, at the end of the year, we review this again in light of new guidance and current concerns in this area.
Back in August, the Government Office for Science published Future of the Sea: Cyber Security, as commissioned by the "Foresight Future of the Sea" Project. Future of the Sea contextualises the threat to the maritime industry within the UK's National Cyber Security Strategy. Amongst other things it identifies vessels, which contain cyber-physical IT systems, as particularly vulnerable to interference from cyber threats.
Future of the Sea identifies three main areas of attack across the maritime sector:
- increased connectivity and reliance on digital components;
- increased levels of autonomous control; and
- globally accessible navigation systems.
Potential technological developments within the maritime industry merit "special attention", including advances in communication, improved sensing and intelligent and autonomous control systems. These pose challenges within cyber security as they build over existing digital technologies, allowing broader access to ships and vessels. They also make potential software-dependent weaknesses easier to access for those who wish to exploit them.
Recommendations include white collar, "dry" office-based security precautions should be brought better in line with IT systems in other sectors. This is particularly the case with navigation systems, which are so critical to the maritime sector and so have increased vulnerability. Control systems for vessels, offshore units and port systems also need to have attention paid to them. Support from the UK’s National Cyber Security Centre (NCSC) is another specific recommendation.
Overall, Future of the Sea imparts an important lesson that, although the marine sector represents a large part of the economy in itself, it should not consider itself a sector in isolation. The marine sector must work with other sectors to shore up its ability to withstand the cyber-security threats to it which will become even more frequent. This will include:
- knowledge sharing of threats with other industries;
- the introduction and implementation of attack reporting systems;
- coordinated incident response; and
- capability development and assurance and compliance regimes for sector adoption.
Last year, the published Guidance on Cyber Security On Board Ships (from BIMCO, CLIA, ICS, Intercargo and Intertanko) was also met with interest. This demonstrates the increasing emphasis that is now being placed on cyber-security as a high priority across the industry. However, what is clearly of concern to parties in the marine sector (shipowners, charterers, insurers, cargo handlers etc.) is the likelihood of legal claims (as well as counter-claims) that may arise when a cyber-security attack happens.
Take, for example, a situation where a guidance system is hacked by pirates in order to implement criminal or terrorist objectives. Much like current scenarios involving the physical takeover of ships, a great deal will turn on a vessel's preparedness to handle a cyber-attack. The vessel's "seaworthiness" should include whether the vessel has an efficient and competent crew and whether sufficient measures are in place on board to meet these challenges. Inevitably, such measures will be decided by reference to the state of knowledge in the industry at the time.
It therefore stands to reason that those in the industry should familiarise themselves immediately with the aforementioned guidance as well. These parties should not only put procedures in place that will limit or, hopefully, eliminate any intended damage from a targeted cyber-attack. Also, in the regrettable circumstance that an attack should prove successful, the party could then prove that, at least, they had the policies and procedures in place to deal with the attack in order to limit its scope.
Cyber risk management systems and protocols, including adequate training for employees - not only at sea but on shore as well - should be put in place to mitigate and avoid cyber-attacks. This will eventually become part of the definition of seaworthiness, as it has already in some quarters.
With each new year comes new possibilities, as well as new risks. It is important for all parts of the marine sector, from shipowners and other insureds to insurers themselves, to grapple with the size of the threat from cyber-attacks, which are becoming ever more apparent and commonplace.