The maritime sector has become more connected than ever before. There is an ongoing race to connect, digitalise and deliver smarter vessel systems that enable more remote access and support. However, this increased connectivity has also made vessels and their crews vulnerable.
It is becoming increasingly evident that human factors play a major role in managing the cyber risks of onboard systems. The majority of cybersecurity incidents can be traced back to human error intentionally or unintentionally creating cyber vulnerabilities. We encourage ship owners and operators to raise awareness of cyber risks with both the crew and shore-based teams. Better awareness significantly changes the cyber risk profile of fleet operations.
CyberOwl, a DNV company, provides cybersecurity protection, monitoring and 24/7 incident response support for maritime and offshore assets.
Risk Focus: Vessel Cyber Security - Guidance for Crew
In collaboration with CyberOwl, we have released a new edition of Risk Focus: Vessel Cyber Security, designed specifically as Guidance for Crew. This edition provides easy-to-understand and easy-to-follow guidance for crew on how to prevent and minimise cyber risks to onboard systems. It also briefly looks at how cyberattacks have grown over the years, the key risks the industry is facing and how industry standards are helping to deal with these risks.
"7 deadly sins of cyber insecure behaviour" posters and stickers
Ensuring that basic cyber hygiene is maintained can go a long way towards keeping shipboard systems cyber safe. The crew have an important role to play in this. In order to ensure good hygiene, there are rules for each of the “7 deadly sins” of cyber insecure behaviour that crew can follow to significantly reduce cyber risk to shipboard systems. Each deadly sin is represented by a “cyber monster” that serves as a scary reminder.
Download the “7 deadly sins” of cyber insecure behaviour posters below.
FREE PRINTS
If you would like to receive printed copies of the "cyber monster" posters, along with additional stickers, please fill in a request form which will be sent to CyberOwl to fulfill.
Ask an Expert: Cyber Risk Management
Cyber risks in shipping have come a long way since 2021, since the IMO introduced the requirement to include these in the Safety Management Systems. As the maritime industry continues to embrace digital tools and increased connectivity, new vulnerabilities have emerged. In this episode of Ask an Expert, Capt. Akshat Arora engages in a compelling conversation with Daniel Ng of CyberOwl to discuss how cyber threats have evolved and how well the industry is prepared to manage them.
FAQ's
What are “cyber risks”?
Cyber risks are the risks of loss, damage, or disruption resulting from failures or attacks on electronic systems and networks. These include hacker attacks, viruses, cyber extortion, network downtime, and data breaches. In maritime contexts, cyber risks can lead to operational, safety, or security failures if information or systems are corrupted, lost, or compromised.
How can cyber risks occur in the shipping industry?
Cyber risks can occur when ships rely on computers and software for navigation, propulsion, and communication. Systems such as ECDIS, AIS, and GPS are vulnerable to cyber-attacks, which can happen through network breaches or even by connecting infected devices. Attacks may compromise navigation, stability, cargo operations, and safety, potentially causing collisions, injuries, property damage, pollution, or shipwrecks.
Are cyber risks excluded from P&I cover?
No, cyber risks are generally not excluded from P&I cover under UK Club Rules or the International Group Pooling Agreement. However, exclusions may apply if the cyber-attack is considered an act of terrorism or war, or if it involves non-approved electronic trading systems.
Are there any exceptions to cyber risk cover under P&I insurance?
Yes, some claims may be excluded due to specific rules on paperless trading or war risks. For example, liabilities from non-approved electronic trading systems or losses caused by computer viruses as a means of harm under war risks cover may not be included.
What happens if a cyber-attack is classified as an excluded risk under war risks?
If a cyber-attack is deemed an act of war or terrorism, it is excluded from standard P&I cover and may also be excluded from primary war risks insurance, especially if caused by a computer virus.
Are cyber risks included in Excess War Risks P&I Cover?
The UK Club provides $500 million of Excess War Risks P&I Cover, but this is subject to a combined Cyber Risk and Bio-Chem exclusion, which bars recovery for losses caused by computer viruses or certain weapons.
Useful resources
- IMO Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems:
- IMO Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.3)
- Guidelines on Cyber Security On Board Ships, version 5
- IACS Unified Requirements E26 “Cyber Resilience of Ships
- IACS Unified Requirements E27 “Cyber Resilience of On-Board Systems and Equipment
- Report on The Lifecycle Dilemma: Navigating cybersecurity risks across designing, constructing and operating a vessel
- USCG Cybersecurity Rule for US-flagged vessels
- BIMCO Cyber Security Clause