Op-Ed: A recipe for cyber disaster
Written by Heather Ervin
By Julian Clark, Global Senior Partner, Ince
It’s not a question of if, but rather when the commercial shipping industry will face an operational technology (OT) cyber attack that risks seafarers’ safety and severely disrupts global supply chains. The threat level and sophistication of hackers are increasing every day, and many ship owners do not fully appreciate the seriousness of the OT cyber threats they face.
According to the latest data from Check Point Research, in Q4 of 2021 there was an all-time peak in weekly cyber-attacks per organization, reaching an average of over 900 attacks on a typical organization during the period. Indeed, in October of last year, one out of every 61 organizations worldwide was impacted by a ransomware attack every week. In 2021 as a whole, there was a 50% increase in overall attacks per week on corporate networks compared to 2020.
While this data incorporates all sectors, the UK Government’s recent National Strategy for Maritime Security recognized increasing cyber espionage, cyber crime, hacktivism, and ransomware attacks as major threats to shipping’s “physical assets” (OT) and the US-led Global Counterterrorism Forum echoes these concerns.
In light of the changing threat landscape, the UK government will update the 2017 Cyber Security Code of Practice for Ships and work with the International Maritime Organization (IMO) to agree more stringent international standards and agreements.
The current global standard, the IMO ISM Code, was updated on the 1st of January last year to mandate the continuous identification and mitigation of some cyber risks onboard a vessel, but does not go far enough to protect ship owners. It is in essence providing a ‘Level 1 solution to a Level 4 threat’ and requires an update.
Companies are not sufficiently protected even if they are compliant with the latest IMO regulations, particularly from OT ransomware or spoofing attacks. According to Mission Secure, just 42% of organisations protect their vessels from OT cyber threats, demonstrating the lack of collaboration between IT and OT domains in maritime. Ship owners need to move beyond basic compliance and away from a tick-the-box approach to cyber security towards preventative cybersecurity policies and solutions.
A major insurance gap
Cyber-attacks are also an area where there is a clear gap in insurance coverage. The majority of P&I clubs in the ‘International Group of P&I Clubs’ have adopted individual cyber exclusion policies, while most other market players also have wide cyber exclusion provisions. Even where cover is present, standard International Group terms would see cover prejudiced by a shipowner acting in an “imprudent, unsafe, unduly hazardous or improper” way in relation to cyber risks.
The Lloyd’s Market Association’s LMA 5403 cyber exclusion clause states that the amount of insurance coverage available at the moment is not sufficient to meet the risk. According to Lloyd’s, 92% of the estimated costs arising from a cyberattack are uninsured, leaving an insurance gap of $101bn. Meanwhile, several clubs issued warnings last year that, if a member didn’t have a sufficient cyber resilience program, cover could be compromised.
From a legal perspective, it is key to note that where issues arise on vessels that do not have proper cyber protections in place, fault will be directed against the actual owning entity rather than those directly responsible for the operation of the vessel. This exposes ship owners to the risk of significant damages claims.
It’s not all doom and gloom
Good cyber housekeeping and proper due diligence minimize exposure to legal and commercial risks. It is critical to thoroughly check the extent and application of cyber insurance coverage, cyber provisions in contracts, and cyber emergency response procedures.
While not all cyber-attacks can be stopped, if your cyber-security solution can hinder a scripted payload reaching its target, damage will be minimized and recovery will be possible. The ability to respond to an attack by demonstrating that proactive defense and best practice are in place can also help deter attackers and protect from repeated attack.
The bottom line is, there is sufficient technology available on the market today to mitigate cyber risk. Therefore, with profits increasing in many shipping sectors, we urge ship owners to invest in cyber security at their next budget review. When expanding the OPEX equation to include the high costs of a cyber attack, the return on investment is clear.