Technology shifts risk exposure of ships
From computerised bridge systems to real-time remote monitoring offshore, the integration of computer technology into the operating system of vessels, interconnectivity and geospatial technology allow the crew and onshore staff to better monitor routes and reduce the risk of collisions or engine failure. But the increasing reliance on computers and software also renders ship operators more vulnerable to cyber incidents such as ransomware attacks or security breaches that can endanger a ship’s crew or passengers.
In recent years, the shipping industry has become increasingly reliant on the interconnectivity between information technology (IT) and operational technology (OT) systems to automate operations on ships.
“Traditional marine insurance policies have not adapted to the risks that the spread of technology on ships represents,” says Peter Erceg, Senior Vice President Global Cyber and Technology at Lockton.
Instead, it is not unusual for hull and machinery insurance to exclude cyber risk. There are also cyber exclusions in war risk policies that relate to computer viruses. Some insurers have been wary of covering the threat cyber-attacks pose to corporations because it is a relatively new risk, leaving the marine industry exposed to this growing threat.
The newer the ship, the more technology it includes, making it more vulnerable to cyber incidents. Bridge systems monitor and control ship functions such as GPS (Global Positioning System), radar, communications, propulsion, steering, machinery management and power control systems. These systems may be isolated to the ship or interact with various onshore systems. Some operators have a direct link between their back offices and the fleet, adding another vulnerability to potential cyber-attacks.
Malware can, for example, enter the system if a crew member introduces an infected USB stick to a computer on a ship to watch a movie or if someone clicks on a link and unwittingly downloads ransomware on a vessel. Not only could this impact the operations of the ship and leave it adrift, but if there is a connection to the onshore facilities, it could spread to the company operating systems, Erceg warns.
Older ships may be less dependent on technology, but at the same time, the risk of cyber-driven outages rises if the ship’s technology is not regularly updated or if the vessel operates outdated and unsupported operating systems.
“Operators usually keep the same software version in place during a ship’s whole lifetime and without patches, vessels become increasingly vulnerable to cyber-attacks,” Erceg says.
Ship operators should implement a robust cyber risk management and response plan to be prepared for a cyber-incident. Because of the rising risk, international maritime organisations such as IUMI (International Union of Marine Insurance) and BIMCO (Baltic and International Maritime Council) have issued “Guidelines on Cyber Security Onboard Ships,” warning of the risk of cyber-attacks affecting the operational technology onboard ships and the loss of or manipulation of external sensor data which is critical for the operation of a ship.
The marine sector is not required to report cases of cyber-attacks and operators try to avoid making any events public to prevent negative publicity, but privately admit that malware infects vessels all the time, Erceg explains. “Unless it causes a ship to have a collision, information about the incident is unlikely to become public,” he adds.
The lack of information about cyber-incidents in the marine sector has created a sense of complacency in the industry. Apart from some of the larger operators, the industry seems to be taking the threat lightly, but an attack can happen any time, Erceg says.
Without a cyber-insurance policy in place, a ship operator is completely exposed to the financial impact, for example the cost of towing the ship to a harbour if it is disabled. The operator will also not have automatic access to the cyber-response expertise that cyber policies can offer to re-establish the system’s functionalities, Erceg explains.
Cyber-attacks rarely target a specific company. Shipping giant Maersk, for example, became a random victim of a malware attack in June 2017 which locked the company’s computers, servers, routers and desk phones, resulting in losses exceeding $300 million.
Some organisations are acknowledging the threat cyber-attacks pose to their operations and are taking action. The Maritime and Port Authority of Singapore, for example, launched a 24/7 Maritime Cybersecurity Operations Centre in May 2019. The centre will monitor and correlate data activities across all maritime critical information infrastructure. It will have the capability to detect and monitor cyber-attacks by analysing activities in the IT environment, detect anomalies and threats and respond to cybersecurity incidents using available technology solutions, the organisation explained.
“The majority of attacks have been aimed at breaching corporate security, resulting in loss of critical data, financial loss or IT problems, rather than taking control of a vessel itself,” Erceg says.
“Such attacks can happen to anyone, they are not dependent on company or ship size.”
“So far the majority of attacks have aimed at breaching corporate security, but it is only a matter of time until a vessel gets hijacked without appropriate protection in place,” Erceg says.