The threat to global shipping in the future may not be pirates or terrorists, but hackers – people accessing shipboard systems via computers, either on the ship or thousands of miles away on dry land.
That was the message that came out of an afternoon seminar aboard the HQS Wellington, a former convoy escort moored on the banks of the Thames which now serves as the headquarters ship of the Honourable Company of Master Mariners.
Organised by the Security Association for the Maritime Industry (SAMI), the event was entitled “Seaworthiness and cyber security – the hidden threat to shipping”. It featured six speakers from the world of shipping, insurance and cyber security and was attended by about 100 delegates from the shipping and insurance industries.
The first speaker was Sadie Creese, professor of cyber security at the University of Oxford and director of its Cyber Security Centre.
She said that an understanding of cyber security must start with the recognition that everyone handles information, so everyone has a stake in managing the threats.
There is a temptation to try to divide threats into categories, which isn’t very helpful because there needs to be a joined up approach to security across all aspects of the IT system. She emphasised that the internal threat is the one that needs the most management. “The cyber weapons we need to be concerned about are internal – anyone who can gain access to the physical system,” she said.
Devices which can be attached to on-board systems can be very small and difficult to detect and can be planted by people with a wide range of motives and abilities, making it difficult to predict where the threat will come from or how it will be executed.
Ships in port interface with a wide range of systems as well, having to do with ship management and cargo handling, which further complicates the scene.
However, in the final analysis, the biggest threat to IT systems come from people, she said – not just hackers, but staff who run the ship who, over time, may become complacent and adopt lax procedures around IT security.
The best response to the threat? Always assume you’ve been compromised. Develop the concept of defence in depth as it relates to IT systems. And acknowledge insider attacks so your organisation can learn from them.
Finally, she urged delegates to develop a culture of IT security within their organisations. She pointed out that the job of maintaining safety within an organisation used to be the sole domain of the Safety Officer, which wasn’t very effective compared to the modern approach of making everyone responsible for health and safety. A similar approach to IT security would create a culture of shared responsibility and increase the number of people paying attention to the issue, ultimately leading to a more secure cyber environment.
Cyber seaworthiness
From management of cyber security, the seminar turned its attention to industry concerns over cyber security.
According to Steven Jones, Maritime Director of SAMI, there is a dawning realisation in the maritime industry that cybercrime might be an issue for them. This is because the industry is becoming increasingly dependent on electronic systems, from environmental controls and communications to cargo management and navigation.
One of the key issues for Jones is the adoption of electronic charts. The Safety of Life at Sea Convention from the International Maritime Organisation has set out a requirement that all ships must have ECDIS electronic charts by 2018. However, if these systems are not installed properly – for instance, they are not isolated from the rest of the ship’s IT systems by a firewall – they could be subject to hacking, potentially diverting the ship off course.
This threat has been ignored by the shipping industry for a number of reasons, including a lack of publicly available case studies, a feeling that shipping is a hidden industry and a belief that hackers don’t understand shipping.
“There are anecdotal stories that vessels have had their signals jammed, and there are anecdotal stories that people have noticed the vessel wasn’t going the way it should do, and why? I don’t know if there is the education, skills and knowledge on board to fully know if that is a problem on board, or a problem with the GPS signal or someone maliciously hacking,” he said. “There are lots of companies that can remotely access shipboard systems now, legitimately, as part of remote monitoring and management. They can control a vessel remotely. So it would be naïve to suggest that someone couldn’t do it maliciously.”
The industry has to ask itself, are cyber security issues affecting the seaworthiness of ships? “At this point it’s just a question, but at some point there’s going to be a ship that goes aground, the cargo gets lost or whatever, and the question is, why was that chart doing that? Oh, there was a virus. But that was there before you sailed, so you weren’t seaworthy before the start of the voyage,” he said.
The connected ship
David Patraiko is Director of Projects at the Nautical Institute, and he spoke about the issue of exploiting weaknesses in the ECDIS chart system and the connected ship in general.
There are already standards for the installation of equipment aboard ships but the question is whether or not they are observed. “Whether the standard is complied with on board the ship is dependent not necessarily on the company that built the system but on the company that did the installation. We have seen issues there,” he said. “It is something we will have to look at as ships become more technically integrated and developed.”
He added: “There are companies who use electronic systems where the technology is good, they have procedures in place on how to use them, and what to do when they are not working, and then they train their people in not only how to do that but how to use the equipment and also how to use the procedures. So when you address all three of these legs, you have a robust system.”
Andrew Fitzmaurice, the CEO of Templar Executives, brought his experience of working with government agencies to bear on the issue of shipping security.
The increasing use of automated systems in ports for cargo handling is turning out to be a hackers dream. He said there was an example of criminals using the port cargo system to erase all records of two containers which contained illegal drugs, later picked up and driven out of the port by the gang.
This is a significant problem, considering that 90% of international imports travel by sea, he said.
It is critical that people in the shipping industry talk more openly about cyber attacks, something that his company has succeeded in doing in other industries. “If we can get to the stage where people will talk about their problems, there would be a step change in cyber security in the shipping industry,” he said.
There isn’t much case law on cyber threats at sea, or at least not much yet, cautioned William Maclachlan from law firm Holman Fenwick Willan.
He said that unseaworthiness will not be a significant issue for the industry until the first big case of its kind, something that hasn’t happened yet. He observed that companies are probably protected from legal liability for now so long as they comply with the existing cyber security standards.
The greater danger is to companies’ reputations, he said.
Stephen Wares from specialist insurance broker Marsh – sponsors of the day’s seminar – spoke last.
His company offers insurance that covers the gap between what is covered by most insurance policies and the potential risk and consequences of a cyber-attack on a ship. This is because many insurance policies exclude damage caused as a result of a cyber attack.
He said that it might be argued the low profile of the shipping industry makes it an unlikely target for attack as compared to financial institutions or companies in other high profile industry sectors.
However, the threat is real and the results potentially catastrophic. For instance, the lack of inbuilt encryption or authentication codes in critical navigation systems would make them an easy target.
He outlined six types of cyber insurance available in the market, highlighting three in particular: third-party liability caused by data breaches, data breach incident response costs and network business interruption. However, none of these include the loss of a ship due to a cyber attack.
Marsh, working with Guy Carpenter, has developed a new facility for cyber gap insurance that will kick in if a claim is denied on the basis that the loss was caused by a cyber attack. They will also use specific technology expertise to assess cyber-related risks to enable the underwriting of this type of risk.
There were many questions from the audience at the conclusion of the presentations, several of which focused on gap insurance for cyber claims. It would appear that SAMI has hit a nerve with this seminar topic and has promised to carry on the work that it has begun, to help ensure that our bits and bytes remain secure on the high seas.
