4 min

The maritime industry and cyber risk (by Brice Ducoum, Groupe EYSSAUTIER)

90% of world trade depends upon maritime transport. From the transportation of raw materials to that of manufactured goods, this industry is the basis of our globalised contemporary economy.

In a just-in-time economy, merchant ships must be adapted and automated to increase productivity.

The “body of computer and electronic systems used in the management and automation of maritime operations”, referred to as “marétique” (maritime IT) in French[1], is an emerging concept, which has brought to light a new kind of risk.

Last December, Naval Dome, an Israeli cyber defence solutions supplier, presented the results of an experiment conducted on the Zim Genevoa, a 260-metre container ship.

After infecting the captain’s computer via email, a team of engineers managed to compromise the ship’s navigation system, radar and engine room management system. This intrusion into the onboard systems allowed them to:

  • divert the ship from its original route,
  • modify the radar displays on the bridge without triggering the alert system or attracting the attention of the crew, and
  • disable the ship’s engines, bilge gauges, ballast management systems and steering gear controls.[2]

While the risk of a ship being lost due to a cyberattack would not appear to be an immediate threat[3], the fact remains that the maritime industry has already been the victim of numerous cyberattacks. The examples are stacking up: the Australian Customs case; Icefog; the Port of Antwerp; Zombie Zero;[4] or indeed Maersk in June 2017, with the disruption from Notpetya causing an operating loss of nearly 300 million dollars.

Faced with this threat, the maritime industry is preparing a response to coordinate its resilience.

The ISPS (International Ship & Port Facility Security) Code is the reference text when it comes to protecting sensitive maritime and port infrastructure. This code, adopted in 2004 by the IMO (International Maritime Organisation) in response to the attacks of 11 September 2001, provides for an obligatory evaluation of the security of ship and port computer systems and networks. The ISPS Code nevertheless only sets out generic measures for these security controls for ships and ports. This text, incorporating the provisions of the 1974 SOLAS Convention, thus has certain shortcomings.

The IMO, a specialised agency of the United Nations, has placed cyber issues among its priorities for several years now. In 2016, the IMO thus announced the introduction of cyber risk management guidelines. These propose a series of recommendations for managing cyber risk more effectively. This document provides a non-exhaustive list of onboard systems vulnerable to cyberattacks, along with key elements to be considered in any risk prevention and management plan, in terms of identification, protection, detection, response and recovery. It also makes reference to the Guidelines on Cyber Security Onboard Ships presented by the BIMCO (Baltic & International Maritime Council), the ISO/IEC 27001 standard and the US Government’s NIST Framework.

Through resolution MSC.428(98) of June 2017, and in line with the ISM Code, the IMO “encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the Document of Compliance after 1st January 2021”. 2021 is therefore a goal for standardising cyber risk management in merchant ship fleets.

The guidelines referred to above constitute the main “regulatory” basis for cybersecurity in the maritime industry. They provide companies with practical and organisational advice, including the importance of involving multiple stakeholders within the organisation in cybersecurity management protocols, at all levels of management. They also underline the importance of establishing crisis management procedures or emergency plans. These guidelines remain limited, however, given the fact that they are not binding. They “should be considered as advice to be employed by users at their own risk”.[5]

The relationship between the maritime industry and cyber risk is also influenced by Insurance Markets. Though currently not entirely explicit when it comes to this kind of risk and claim, the insurance sector is gradually moving towards an appropriate response. In order to contain the impact of a major cyberattack, cyber insurance products are segmented.

Insurers offer cyber risk products covering loss of hire resulting from a cyberattack, ransom payments, compensation for loss of data, third parties liability due to the loss of data, or damage to a company’s reputation.

They also offer cover for damage to the vessel following a cyberattack. This is a recent development in insurance offerings. Traditionally, damage resulting from a cyberattack had been excluded from hull insurance policies through the insertion of an exclusion clause (clause CL380). However, the absence of such an exclusion from the insurance policy does not necessarily mean that the risk is covered. In order to secure contractual relations between the insurer and the insured, certain insurers have recently started to offer exclusion buy-back clauses, covering property damage to the vessel following a cyberattack.

When it comes to cybersecurity, in addition to its compensatory role, the insurance market is promoting the implementation of measures for healthy computer networks among its policyholders, thus developing their resilience. Insurers also play a role in providing assistance in the event of a claim through their networks of experts, allowing crises to be contained and costs controlled.

Cyber risk is a major challenge for this ever-changing maritime industry – an industry that is considering the possibility of full automation of vessels in the medium term and already envisaging unmanned operations.

[1] French Maritime Cluster, Le livre bleu de la Marétique (The Blue Book of Maritime IT), Seagital, September 2013, [Online] <www.seagital.com>, p. 6.

[2] “Nightmare Scenario: Ship Critical System Easy Target for Hacker”, 21 December 2017, [Online] <www.worldmaritimenews.com>

[3] Stephenson HARWOOD and Joint Hull Committee, Cyber Risk, September 2015, [Online] <www.comitemaritime.org>, p.1.

[4] CyberKeel, Maritime Cyber-Risks, 2014, [Online] <www.cyberkeel.com>, pp. 15-18.

[5] BIMCO, The Guidelines on Cyber Security Onboard Ships, version 2.0., July 2017, [Online] <www.bimco.org>.

Send this to a friend