The safety and security of the maritime industry is becoming increasingly important and a challenge for us all. That is why the Rotterdam Maritime Services Community, together with the Shipbrokers community, recently organized our second seminar on Maritime Cyber Security. With a multi-disciplinary view on the subject, the five speakers explained their main area of cyber security expertise, their view on the future and their thoughts on the way forward.
In short, in every new market sector you get first movers who invent new technology. When these new technologies become more widely accepted, the possibilities for exploitation of vulnerabilities emerge. Jeremy Jethro of CipherTechs calls this the ‘assassination era’. When exploits increase, ‘best practices for defense’ evolve, which are then slowly adopted by industry. Lastly, the regulatory and compliance framework is introduced. In the maritime industry, we are obviously still at the starting stage, where new technologies on board our vessels and on shore are being widely implemented. But what next?
“The future is now! Start with low hanging fruit: train people, education! Minimize the risk by making guidelines, so all personnel of a shipping company are aware of the risks. This is low-hanging fruit for most companies.”
Erik Torr Klopper of Armada Group explained what he sees as the biggest risk in the industry: the risk that sits between aging infrastructure on board and ultra-modern technology. This combination makes it easy for hackers to enter the systems on board a ship.
Erik gave an example of “extreme targeting” by pirates, who track vessels in the area and know exactly which ship is carrying the most valuable cargo. That serves only their own self-interest, but it can be more damaging if they infiltrate the ship's infrastructure. An unsecured vessel could then be programmed to open her ballast water system right at the entrance of the river Maas, Hudson or Thames, thereby closing off the entire port area.
According to Armada Group, assessments and audits will help to ensure that systems both on board and on shore are secure. These assessments are critical: know what you have at the moment, then update your defenses, put controls in place and make sure to protect your assets and your brand. Our industry needs to be in a position to have technology on board with predefined standards to protect the vessel.
“It is of too much importance to not have your own backup and recovery experts. Make sure you have the experts in house, not only backup from vendors.”
Even if all your security is in place, something might happen. DNV-GL took us on a journey of what happened after a WannaCry ransomware virus entered a ship's system. It affected the navigation systems and the machinery systems. The satellite connection had to be disconnected – to prevent others communicating with the ship – while all other systems were down. According to the captain, a very scary situation ensued, with chaos on board. DNV-GL was asked to conduct a survey, and the results clearly showed the necessity for segmentation between critical systems and other systems. Mirnes also noted that cyber security updates should get attention more often than only during the drydock period of a ship.
“Risks are increasing because there is a growing dependency on network connectivity as it becomes critical infrastructure. Use ethical hackers to check your systems.”
Coming back to the eye-opening presentation of Jeremy Jethro: he showed that there has been a long period of cyber peace for the maritime industry, in which relatively little happened or was published. He urged our industry to learn from other industries that are more advanced, like the medical and energy industries, where patient security and power stability are vital. Now our maritime sector is changing and our technology is advancing, but without the right knowledge, more connected means more risks.
This was also the line taken by Christopher South of West of England P&I, who asked whether the senior management of maritime companies is cyber (in)competent. Because of a lack of knowledge, the risks are not well defined. Insurance companies don’t like uncertainties, and for cyber risks there is no historical data to be found. He also mentioned that cyber security is a safety issue, with vulnerabilities in ECDIS and the positioning systems being of “particular interest” when talking about ships. This connected directly with the presentation of Mirnes of DNV-GL.
Christopher gave an extensive overview of the different clauses in P&I cover, where “Inflicting Harm” in clause CL380 means there is no cover. CL380 is very much in favor of the insurers.
Therefore, some government intervention is emerging (as Jeremy Jethro stated, rules and regulation come into place last), where governments state “You have got to be clear in your policies”. For shipowners and operators, also on the insurance side, there is work to do to make sure their own ships are safe. In Christopher's closing words: “The ship is unseaworthy when you are not covered, so as a shipowner you better have your cyber security in order”.
This led us nicely to our next speaker, Professor Frank Stevens, who said:
“Standard is not perfection, but reasonably fit: how fit are you?”
Professor Stevens elaborated on the seaworthiness of ships. He gave the audience an overview of what seaworthiness is and explained that the standard is not perfection, but being reasonably fit. As ships become more digital, seaworthiness will also mean being cyber resilient. This means that you need cyber-worthiness for digital systems, such as threat analysis of older systems. In addition, crew awareness training is a necessity, covering how to try to prevent attacks but also how to deal with the consequences of a cyber-attack. The remaining question is how courts or arbitrators are going to deal with this: is a company ‘reasonably fit’ or not?
To spice up the last bit of a lengthy but interesting afternoon, DNV-GL showed their audit measures, and also showed the example of the Viking Sky cruise ship, which had a black-out off the coast of Norway in March 2019. The incident report showed that the Viking Sky’s diesel generators shut down as a result of low lubricating oil pressure. This took the whole system down, causing a complete black-out and loss of propulsion. Mirnes was keen to state that this was not a cyber-attack, but when systems are not well secured, a small electronic indicator like this might be targeted by hackers and might cause detrimental effects.
In conclusion, having heard all the speakers, what stays front of mind is that there is a high risk in this industry, with so far very little awareness. The first steps should be awareness training, and at the same time company rules and government regulations need to be established. Education is needed for all levels of personnel, showing the multiple angles of implications from the legal and insurance perspective as well as from an operational perspective.
This interesting afternoon shows that this topic is of utmost interest to the maritime industry and therefore to the maritime services and shipbroking communities as well. At RMSC we see increasing interest too, and we have added a service sector to RMSC: maritime IT and security. Two new companies have joined RMSC: W.T. Group and Threatspan.
We will organize more events on this subject in the near future. Make sure to mark your agenda for September 24, during the Project Cargo Summit, for another event together.
Thanks again to Erasmus University for their hospitality, the speakers for their presentations and the members of RMSC, ICS and NZS for their attendance.