Potential cyber-attacks have risen to become the third biggest risk for UK businesses, according to the Allianz Risk Barometer 2015. This is a pattern which is repeated across other nations, and while fear of cyber-attack is rising, many firms are still reportedly underestimating the impacts of cyber risks.
From the maritime perspective it has become increasingly obvious that the interconnectivity of onboard systems can pose a problem. Smart ships are, alas, vulnerable ships – from a cyber threat perspective.
The scale and scope of cyber crimes and threats, and the speed with which they are growing, are truly terrifying, and with merchant vessels becoming more reliant on electronic systems the problem is intensifying.
The International Union of Marine Insurance (IUMI) has also expressed grave concerns that the growing reliance on IT – within shipping companies, ports & logistics and offshore – hugely increases the exposure to cyber risk.
The issues of IT, information, software and cyber security are coming rapidly to the fore across the industry. It is not just insurers who are concerned; the Classification Societies too are beginning to appreciate the fact that transparency of information is changing the world around us.
Classification Society DNV GL recently stated that new interconnected shipboard cyber challenges are emerging. They are increasingly concerned that all programmable components may be exposed to cyber threats, be they machinery, navigation or communication systems.
They believe this to be a real weak spot for shipping, and stated that in 2014, more than 50 cyber security incidents were detected in the Norwegian energy and oil and gas sector alone.
The recommendation from Class is that “Cybersecurity audits” or “health checks” are a start, with a combination of so-called Hardware In-the-Loop (HIL) and cybersecurity testing, supplemented by self-assessments, third-party assessments, audits, testing and verification.
According to Rod Johnson, of law firm Stephenson Harwood, increasing automation onboard is changing the task that it was intended to support. He calls for considerable attention to be given to the configuration of shipboard systems, both from a physical perspective and in separating critical onboard systems from the outside world.
The more complex the vessel, it seems, the more heightened the risk, and this is why SAMI, working with the International Marine Contractors Association (IMCA), is so keen to tackle the issue and raise awareness.
Working together to host an event during London International Shipping Week (LISW), we were able to highlight to our respective members that the risks posed by cyber security failure could be catastrophic.
The risks posed by cyber threats to shipping are probably the widest problem ever tackled by the industry. There has never really been a threat before which can hit the office ashore and onboard at the same time – or can flow from one to the other with potentially devastating consequences.
Historically the shore offices have been isolated from the actual “bad event” – being there to pick up the pieces and manage the effects of whatever can go wrong in the marine adventure. From sinkings, fire, accidents and piracy – the office has always been a protected safe haven from which good decisions can hopefully be taken which assist and support those at sea.
With cyber crime, however, chaos can break out without borders, hinterland or foreshore – and that is a worry for corporate officers as it is for those on the ship. It is because of the sheer scale and nature of risk that leading shipping organisations will be publishing guidelines on cyber security on board ships.
The guidelines are expected to be issued by the Shipping Industry Round Table comprising BIMCO, CLIA, ICS, Intercargo and Intertanko. The aim is to adopt and harmonise guidelines that can be followed globally, in a way similar to Best Practices for Protection against Piracy.
These guidelines will be submitted to the next meetings of the IMO’s Facilitation Committee and Maritime Safety Committee in April and May 2016 respectively.
The expectation is that the guidelines will make it unnecessary for individual states to impose their own diverse national regulations, which would make compliance difficult. Instead, the guidelines will be dynamic and will adapt more easily and quickly to changes in technology and threats.
Article from the bridge issue 10 written by SAMI.