Troubled waters: Responding to cyber-attacks in the maritime industry

Shipping is increasingly digitalised and interconnected. As traditional maritime operations are replaced with autonomous and computerised processes, cyber security vulnerabilities become more prevalent.

While this isn't unique to maritime, certain innate challenges face shipping regarding cyber-attacks. These include the hyper-complex nature of ships and global supply chains, as well as the numerous stakeholders involved in operations and chartering.

Certain industry experts are already making waves in addressing these threats, but given the global reach and importance of the sector, there is likely no short-term solution.

An ocean of trouble

Speaking on the Standard Club's Alongside podcast (listen to the podcast here), two professionals in the field of maritime cyber-attacks outlined the nature and scale of the threat facing the industry. 

Daniel Ng, the CEO of CyberOwl, a firm that supports the maritime industry manage cyber risks and compliance, explained that the vast majority of attacks come from small ransomware.

Rather than being large, James Bond-style shutdowns of computer equipment that grind vessels to a halt, Ng explained that the risks facing the maritime industry from cyber-attacks are typically quite small from criminals 'trying to make a quick buck from a shipping company'.

So far, no attack has led to the collision of a vessel or grounding due to loss of control, but that doesn't mean concerns are any less on the radar for shipping owners.

While cyber-attacks don’t tend to lead to tragedy, they can significantly impact income and revenue stream from delays arising from a cyber-attack. A means through which owners, operators, shipowners, charterers and traders can protect themselves through Strike & Delay cyber cover protects.

One example of serious disruption occurred in February when CyberOwl were particularly vigilant due to the increasingly unstable international situation.

'On eight vessels across two different customers, and to eight very different types of vessels, we found evidence of some malware that was designed to get itself on board the vessel and onto a computer,' Ng said.

The virus, designed to give the attacker complete control of the machine, spread its way across the whole network in two vessels. 

Operational Technology (OT) includes navigation systems, engine control systems, or ballast and water treatment systems on board the vessel, and therefore under threat from this particular virus. While attacks on Information Technology (IT) can mean a loss in data and information, third-party gaining access to OT means a potential loss of vessel operations and safety.

'Whether that is replacing the files on the machine shutting it down, stealthily trying to copy information off the back of the machine or simply executing a new command or process on that machine, this particular piece of malware was designed to do that', Ng said.

The malware Ng's team identified is called 'Plug X', mostly infamous for political espionage cases rather than commercial or ransom activity. 

However, given the controls put in place with these customers, there was no evidence of any takeover in the vessel systems. 

'So, what have we learned from that, in terms of typical things on board for cybersecurity for onboard systems? The first is often separation of what is the more traditional IT on board the vessel and the operational technology is happening, and where it's happening, it has a good layer of control,' Ng explained.

Another issue illuminated by the event is that these 'attacks' can often be collateral damage from broader and less targeted programs.

'We call this the 'spray and pray' approach, where the perpetrator just releases it out, hopes it takes hold of some computer,' he said.

This can present a problem for insurers as the origins of cyber-attacks remain shrouded in mystery and their origins unknown.

Aside from ships, cyber-attacks can likewise hit onshore infrastructure, which can in turn lead to vessel delays at a port.

For further infomation, please see Standard Club's Strike & Delay cyber cover.

Safety-first responses

The first phase of cleaning up following an attack, Ng said, takes place roughly within the first 24 hours, depending on how severe the incident is. After that, the primary focus is on stopping the attack's spread and ensuring the vessels' operations are safe. 

'That's your only concern within that first phase. After that, the second phase is all around restoring, rebooting, getting business back on track and continuing to operate,' he added. 

Finally, collecting evidence to understand where the vulnerabilities were in the first place.

While some companies may want to prioritise getting business up and running again, the world of shipping means lives out at sea. 

'The primary focus is always safe vessel operations; then it's business interruption,' Ng said.

For AXIS, 24-hour communication in the event of an attack is part of their coverage capacity.

'With our cyber insurance policies, we have an incident response team. And that has a dedicated 24/7 hotline number, which provides a suite of experts that can help triage the event,' Furness-Smith said.

Loss prevention

The cyber side of the insurance market is newer than the more developed property damage sector. The embryonic nature of cyber-attack coverage involves the process of constant evolution explicitly.

Furness-Smith explains that owners have had to become more aware of the rest of their business and the coverage they need from an insurance perspective. For example, property damage as a result of a cyber-attack will not typically be covered by hull and machinery policies. 

Georgie Furness-Smith, a Senior Cyber Underwriter and Head of Maritime Cyber at AXIS Capital, said: 'In the last sort of five years, the main thing that's changed is the perception and appreciation of the threat.'

AXIS Capital is a leading provider of speciality lines insurance and reinsurance globally. Coverage for cyber-attacks is quickly becoming a major priority in maritime.

'Essentially, they need a separate cyber insurance policy for that. We've seen the severity and frequency of cyber-attacks increasing over the years. So, it's become essential that companies like mine, Axis, can offer a solution to meet that problem,' she said.

Moreover, it's not just vessels that are vulnerable. Increasing numbers and severity of attacks across all industries have signalled that maritime businesses are at risk from cyber events, such as ransomware attacks on corporate networks.

In terms of coverage, Furness-Smith said mitigating the cost of attacks requires certain insurance policies.

'They should have a traditional cyber insurance policy, which covers their balance sheet from risks, such as ransomware and also covers business interruption and various other things,' she suggested.

'The second thing they would need is vessel property damage cover.'

Transparency problems

Companies can be reluctant to reveal the accurate scale of cyber-attacks due to concerns over appearing vulnerable to potential investors. 

Ng suggested that the shipping industry should look at measures used by other industries, such as financial services, in shifting from a secretive to a transparent approach. Reporting and sharing information allow others to be aware of what weaknesses were exploited, which would have industry-wide benefits in the long term.

As part of a partnership with the Singapore Shipping Association - representing 450 shipping firms in the city-state - CyberOwl has been taking inspiration from the Singapore Port Authority to set a standard for Singaporean shipping companies in terms of their cyber maturity. The broader purpose is to develop a precedent for the global industry in how to form a bulwark against attacks.

'Some ability to understand the maturity across the shipping sector in Singapore and benchmark that across the various areas of cyber capabilities becomes very meaningful and very powerful,' Ng said.

Cyber-attacks on the up 

The increasingly digitised and automated nature of the maritime industry means that cyber security is likely another inherent cost that shippers will have to consider. In this respect, shipping is no different to most other sectors.

However, while the arms race may have begun, it's one that the shipping industry is in an excellent position to win, so long as it maintains resiliency in both smart coverage and technological supremacy.

'I think it's inevitable, but we're also getting stronger, we're getting more educated, we're putting more controls in place. So, these things even out over time,' Ng said.

Categories: Cyber Security, Strike & Delay