By Joanne Waters
|Published 11 March 2024
The maritime industry is unique in many ways, but its reliance on IT infrastructure and telecommunications make it as vulnerable as any other industry to cyber attack. In this article, which is our first in a series of three focussing on maritime cyber security, we outline the threats to the industry and the guidance currently available to help companies respond to those threats.
According to the latest risk barometer from Allianz, cyber risk was the number one business risk cited across all industries globally for 2024. The second was supply chain disruption. As the maritime sector plays a pivotal role in global supply chains, it is easy to see just how critical cyber resilience is for both shipowners and their customers.
In 2023 the maritime industry fell victim to several cyber attacks with ports in Australia and Japan suspending operations following cyber security breaches. Software providers were not immune, with DNV's ShipManager platform temporarily disabled by a cyber attack, and several shipyards and ferry lines in Europe were also reportedly hit by ransomware and DDoS [1] attacks.
With greater levels of automated information exchange, greater connectivity at sea through adoption of LEO [2] satellite communications technology, and greater use of IoT, the attack surface [3] increasing as the industry becomes more digitalised. Digitalisation can bring significant benefits in terms of efficiency, safety and visibility, but also has the potential to increase the number of vulnerabilities in the IT and OT infrastructure of a ship and its operating company, giving threat actors greater opportunities to gain unauthorised access. That is likely to accelerate as autonomous vessels continue to develop.
Whilst intentional cyber attacks from external, malicious actors are the focus of this article, it is important to note that shipping also faces unintentional, internal threats from the use of legacy systems, obsolescence, and poor cyber hygiene. For example, many OT systems run on software for which patches and updates for vulnerabilities or improvements are not available. Further, software can fail due to bugs and user error, or software providers can go out of business leaving systems unsupported. These threats also need to be considered when designing an effective cyber security risk management system.
The results of various surveys from 2023 indicate that the average cost to shipping industry participants of a cyber breach is many hundreds of thousands of dollars, with the average ransom paid to cyber criminals in the multiple million dollars.
On top of those significant primary costs are business interruption costs, the costs of defending claims for physical loss to perishable cargoes delayed by the attack, possible physical loss or damage to vessels or their equipment, claims arising from pollution or collisions caused by compromised onboard systems, potential fines from regulators if sensitive personal data is lost or leaked, and costs arising from breaches of contractual warranties for cybersecurity.
Last but by no means least are the non-financial costs of a cyberbreach which can include reputational damage and loss of commercially sensitive information or trade secrets.
The IMO has yet to tackle maritime cyber risks with a comprehensive mandatory code. Instead, in 2017 it issued high level recommendations [4] . These recommendations define a maritime cyber risk as:
“a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised .”
The recommendations set out the five core functional elements of cyber risk management, being: identify, protect, detect, respond and recover.
In 2017 the IMO also agreed that maritime cyber risk management ought to be included in safety management systems, and that cyber risk was to be managed in compliance with the requirements of the ISM Code [5]. Consequently, cyber risk is to be assessed and managed with the same degree of attention as physical risks to vessels, including scheduling of regular maintenance of software and OT assets in the same way as for vessel's physical equipment.
The IMO continues to promote greater digitalisation across the industry through initiatives like permitting the use of e-BDNs and the latest amendments to the FAL Convention which from 1 January 2024 mandate the use of maritime single windows for the electronic exchange of data between ships and ports. This is alongside its ongoing workstream regarding the development of a code for Maritime Autonomous Surface Ships (MASS). Whether that will go hand in hand with a new mandatory code for maritime cybersecurity remains to be seen, although cybersecurity has been identified as one of the potential gaps in the existing regulations.
Within the UK, large ship operators may come within the ambit of the NIS Regulations 2018 if they meet the threshold to qualify as an operator of essential services. This would mean that a shipowner then has to comply with minimum standards of cybersecurity and reporting requirements for incidents with significant impact.
In the absence of any mandatory code, several voluntary industry frameworks have been developed which provide guidance on how to use cyber risk management to reduce both the likelihood and the impact of an attack.
BIMCO, ICS and several other industry bodies have jointly produced "Guidelines on Cybersecurity Onboard Ships", now in its 4th edition. This provides for a risk-based approach to cyber security, consistent with the ISM Code, and includes recommendations on technical and procedural measures that shipowners can take to manage cyber risk.
The BIMCO Guidelines were developed by reference to the US National Institute of Standards and Technology (NIST) Cybersecurity Framework which provides an outcome-based methodology for understanding, assessing, prioritising and communicating cybersecurity risks. The NIST Framework has just been updated, with version 2 released at the end of February 2024. Version 2 includes a new sixth functional category of governance, underlining the need for cyber security to be incorporated into a company's overall enterprise risk management strategy and monitored by senior executives in the same way as financial and other risks.
The focus on cyber governance is echoed in the UK, where the government has just published a call for views on a proposed Cyber Governance Code of Practice. The draft Code has been published against a backdrop of falling board engagement with cyber risk, and an acknowledgment that whilst cyber is a "principal risk" for most organisations, the key decision-makers are often not the C-suite. The draft Code therefore sets out expectations of directors for governing cyber risk, including "ensuring that cyber risks are addressed as part of the organisation’s broader enterprise risk management and internal control activities, and establishing ownership of risks with relevant seniors beyond the CISO". For shipowners and managers, this means ensuring that cyber security is not just a matter for the IT department or CSO, but is owned from the top down, and is embedded as an integral part of the culture of the company, its crew and its fleet.
The UK government has also published its "Cybersecurity Code of Practice for Ships", the latest edition of which was released in July 2023. The purpose of the Code is to assist organisations in producing cyber security assessments and cyber security plans, as annexes to the ship security plan required under the ISPS Code.
The International Standards Organisation (ISO) also has specific standards targeting marine technology and cyber security onboard ships as well as general standards for information management and security that can be applied to shore-based operations.
There is therefore no shortage of frameworks, guidelines and codes available to help shipowners formulate a cyber security strategy. However, establishing a cyber security strategy is just the first step; to be effective, the strategy has to be properly implemented, throughout all levels of the business and supported by necessary crew training and drills. It also has to be reviewed and updated regularly, in the face of new and emerging risks, and whenever new technology (including both software and hardware) is added to the ship or shore.
The BIMCO Guidelines do not call for external vetting of a ship or company's approach to cyber risk management. However, as cyber risk management is now deemed to be part of a vessel's SMS, which will itself have to be vetted for the necessary document of compliance to be issued, at least those elements of risk management that are included in the SMS will be subject to external oversight by the Flag state. Furthermore, for newbuilds, the forthcoming IACS rules (see below) will also likely lead to increased external oversight by class.
A more stringent approach can also be expected from PSC inspections, at least in ports in Europe. At the end of 2023, the European Maritime Safety Agency published "Guidance on how to address cybersecurity onboard ships during…inspections", with a focus on mandatory elements to be included in a ship's security assessment and ship security plan, and a checklist for surveyors regarding cyber hygiene onboard.
At the end of 2023 IACS released revised unified requirements E26 and E27, which must be applied by member class societies to all newbuilds contracted for construction on or after 1 July 2024. They outline the minimum steps that must be taken by various stakeholders throughout the design, build and operation of a ship to ensure its cyber resilience against current and future threats.
These URs recognise that effective cyber risk management onboard vessels requires an integrated approach which ensures that the disparate systems installed onboard, which are likely to come from different OEMs all with different data standards, protocols, and security mechanisms, must be treated as a "collective entity" from the design of the ship onwards.
As with the other frameworks mentioned above, the key requirements for cyber resilience are grouped into the five functional categories of identify, protect, detect, respond, recover. The requirements cover everything from vessel asset inventories (identify), to network segregation (protect) and monitoring (detect), to incident response plans (respond, recover) and the installation of monitoring systems capable of detecting and investigating anomalies (detect, respond, recover).
For shipowners and their managers, the requirements will impact what they must show to pass each annual and special survey, and what contractual terms need to be agreed with suppliers for things such as confirmation that security patches and software updates have been tested [6]. Shipowners and managers will also have to establish a class-approved "ship cyber security and resilience program", documenting how they have complied with the requirements. Whilst much of this might already be included in the SMS, ship security assessment and plan, and cyber security assessment and plan if separately drafted, this will need to be carefully reviewed against the IACS requirements to ensure all aspects have been covered.
Successful shipping operations require interconnectedness between multiple stakeholders, across multiple different digital and physical environments. This interdependence on third parties and fast flow of information introduces another layer of vulnerability into a business' cyber defences. A counterparty with weak cyber controls could provide an access point to an otherwise well-defended ship or owner.
It is therefore important for shipowners to consider the cyber security of the third parties they interact with, in addition to their own cyber security, and where necessary, impose cyber security warranties in the contracts they enter into with third parties.
For example, clauses should be included in charterparties to ensure minimum standards of cyber security and sharing of information regarding incidents. See for example BIMCO's Cyber Security Clause which requires parties to report when an incident has occurred. This sharing of incident information is particularly important as to date there is no unified reporting system via the IMO or other global industry body which could help provide an advance warning of threats to the industry.
The BIMCO guidelines highlight particular risks associated with communications with local agents, where sensitive commercial and financial data is routinely exchanged. For these types of relationships, owners may wish to establish a minimum set of cyber security requirements that all suppliers must sign up to, in the same way as an anti-bribery or sanctions code of conduct.
When implementing a cyber-risk management strategy, shipowners should consider what insurance coverage they already have and whether this is sufficient to respond to all of the possible losses that could flow from a cyber-attack. Many standard marine policies expressly exclude cyber losses or are not designed to cover all of the types of losses that may arise, such as business interruption and data loss.
Owners should also be prepared to explain to any prospective insurers what steps they have implemented to manage cyber-risks responsibly, and in the event of a breach, how those steps helped them to mitigate and manage the loss.
So, what does it take for a ship or ship owning / operating company to be cyber-resilient? This will look different for each business, fleet and ship. However, common elements include:
Maritime cyber risk cannot be eliminated but it can be appropriately managed. There is no universal, mandatory maritime cybersecurity standard, but there are several industry-specific standards on which companies can rely. These standards should be used as a starting point for the development of a bespoke cyber risk management strategy, which takes account of the specific threats, vulnerabilities and risks to your company and fleet.
In the forthcoming articles in this series we will look at cybersecurity for ports, and what seaworthiness means in this new age of smart shipping.
If you are drafting or updating your cyber-security policies, considering whether your fleet is cyber-seaworthy, responding to a cyber-incident, or looking for advice on cyber-insurance, DAC Beachcroft's dedicated cyber team can help. Please contact Joanne or your usual DAC Beachcroft contact for more information .
If you would like to be added to our mailing list to receive future articles on maritime technology, please email Joanne.
[1] "DDoS" stands for "distributed denial of service". This is a method of cyber attack in which the attacker seeks to overload a computer system, by flooding it with traffic from many sources, with the goal to shut down a website or service.
[2] "LEO" stands for "low earth orbit" and is a type of satellite that orbits the earth at a lower altitude than traditional satellites.
[3] The "attack surface" means all of the points in a system through which an attacker could gain unauthorised access or could alter or affect a system.
[4] The latest version of which is found in MSC-FAL.1/Circ.3/Rev.2, 7 June 2022
[5] See Resolution MSC.428(98)
[6] For further information on what shipowners need to consider when entering into software agreements, please see our previous article here .
Joanne Waters
Legal Director
London
