Maritime Cyber Risk

Cyber attack

The International Maritime Organization (IMO) is requiring Shipowners and Managers to include cyber security management procedures in their Safety Management System (SMS) by 2021.  But what is Maritime Cyber Risk and how does it affect you?  Maritime Cyber Risk refers to the extent which technology information or systems can be corrupted, lost or compromised, resulting in shipping-related operational, safety or security failures, ultimately threatening maritime assets.

An effective cyber risk strategy is necessary in the modern world to prevent a worst-case scenario whereby a ship’s systems are hacked and the vessel is purposely destroyed or directed by terrorists, pirates or criminal gangs to a location of their choosing. Some real life examples of cyber threats include:

Real life cyber threats

  • 2017- Maersk was collateral damage in the NotPetra worldwide malware attack that forced the shipping company to rebuild its network of 4,000 servers and 45,000 PCs.
  • 2018 – Cosco’s US port operations were compromised when a cyber-attack disabled network communication for several days.
  • 2019 – The USCG warned that emails purporting to come from US Port State Control were sent to ships that disseminated malware throughout vessel systems when opened.  The USCG further reported that as a result of these emails a merchant vessel bound for the Port of New York experienced a significant cyber incident that impacted their shipboard network.
  • 2020 – Mediterranean Shipping Company (MSC) experienced a malware attack that affected its website and online booking service, resulting in some of its IT infrastructure to be offline for five days over the Easter weekend.

Cyber technology has become essential to the operation and management of systems critical to the safety and security of shipping including:

Systems critical to the safety and security of shipping

- Ship-to-shore communication systems

- Bridge systems;

- Propulsion machinery and power control systems;

- Cargo handling and management systems;

- Passenger servicing and management systems; and

- Administrative and crew management systems;

Cyber threats can be presented by malicious actions (e.g. hacking or malware) or result from benign actions (e.g. software maintenance or user permissions).  Either way, these actions can expose gaps (e.g. outdated software or ineffective firewalls) leading to vulnerabilities in operational or information technology.  In this new Quarantine Age, employees or customers accessing your system from remote locations such as their homes can increase cyber risk.

Threats to vessels can be introduced to ship systems by accident, often by third party vendors contracted to check or update specific equipment.  Crew introduction (e.g. through USB ports) remains another route.  Further, unknown technology systems can be prevalent on board ships and often crewmembers know nothing about them.  In one case, a main engine monitoring system was discovered without any apparent purpose.  It had been installed by a third party with whom a commercial arrangement had ended several years ago.  Fleet management had no record of its purchase or installation.

The US Coast Guard has recommended the following cyber security practices be adopted by ships including:

US Coast Guard recommended cyber security practices

  • Create network profiles for each employee, require unique login credentials and limit network privileges;
  • Install anti-virus software;
  • Keep software updated;
  • Be wary of external media; and
  • Implement network system segmentation.

In addition, ensure no crew equipment is plugged into shipboard computer systems and blank off USB ports.  Training and refresher courses should be offered to all crewmembers.

The IMO guidelines set out the following principles for an effective cyber risk management strategy:

IMO principles for cyber risk management

  • Identify: Define the persons responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, would pose a risk to shipping operations.
  • Protect: Implement risk control measures and contingency plans to protect against a cyber-attack and ensure continuity of operations.
  • Detect: Develop and implement processes/defenses necessary to detect a cyber-attack in a timely manner.
  • Respond: Develop and implement plans to provide resilience to critical systems necessary for safe/secure shipping operations in the event of a cyber-attack.
  • Recover: Identify how to back-up/restore critical technology systems necessary for safe/secure shipping operations after a cyber-attack.

The goal of maritime cyber risk management is safe and secure shipping operations resistant to cyber-attack.  Risk management has traditionally been focused on physical assets and operations.  However, greater reliance on technology, automation and network-based systems has created an increased need for cyber risk management in the maritime industry today.  For detailed guidance on maritime cyber risk management, Members should refer to their Flag Administrations’ requirements as well as relevant industry standards and best practices.

Thomas Rittweger

Senior Claims Director