Date: Wednesday, March 2, 2022
Source: Lloyd's List
THE threat of cyber attack is high on shipping’s risk list; however, a Lloyd’s List survey has cast major doubt over whether the industry is doing enough to combat the online menace.
Lloyd’s List polled its readers to reveal the true extent of cyber attacks across the maritime sector and how companies are dealing with this growing risk, providing some eye-catching results that will undoubtedly ring alarm bells.
Indeed, only one quarter of the industry feels enough is being done to spread awareness, while just two thirds have knowledge of measures in place if online systems are compromised.
The results serve as a wake-up call for shipping that while efforts have improved dramatically in recent years, the industry’s cyber resilience is still falling short of the mark.
Shipping, like other industries, has seen numerous attacks on its businesses, causing major operational disruption and some significant financial losses.
At the time of writing, in just one week there were reports of a cyber attack at India’s Jawaharlal Nehru Port, where operations at the port’s state-run facility, the Jawaharlal Nehru Container Terminal, came to a standstill; while US logistics major Expeditors had also been hit by a further attack, forcing it to close its operating systems globally to limit the impact.
These add to an ever-growing list of shipping companies that have witnessed similar attacks, including shipbroking giant Clarksons, Chinese conglomerate Cosco and French container shipping line CMA CGM, to name just a few.
Even the International Maritime Organization has seen its systems compromised at the hands of online intruders.
Yet arguably the most high-profile attack came in 2017, when AP Moller-Maersk became an unintended victim of the NotPetya malware attack. The outage of Maersk’s systems cost the group hundreds of millions of dollars and unwanted reputational damage.
If not for a power outage in Lagos, Nigeria, where systems were unaffected by the virus, ensuring back-ups could be retrieved, the situation could have been even worse.
Understandably, Maersk has since made cyber security a top priority, having learned the hard way, and is investing millions in online systems and personnel to mitigate further threats.
The industry has also made significant strides in creating awareness and guidelines for best practice.
Last year, the IMO introduced its first comprehensive cyber-security recommendations — and in the container shipping sector, for example, industry body the Digital Container Shipping Association published its cyber-security implementation guide back in 2020.
However, it is evident that efforts still leave much to be desired.
External commentators and cyber experts have suggested that another NotPetya-type attack, similar to the one that took down Maersk, may be required before shipping gives cyber security the attention it deserves.
The likelihood of such a scenario has only increased of late, amid concerns that Russia could use cyber warfare in retaliation to western sanctions enforced due to its invasion of Ukraine.
The fear is that shipping companies — and others — could inadvertently be caught in the cyber crossfire.
Further, the Global Maritime Issues Monitor 2021, a survey in partnership with the Global Maritime Forum and the International Union of Marine Insurance, ranked cyber attacks and data theft second for lack of preparedness on the critical issues facing maritime.
The results of Lloyd’s List’s cyber-security survey further underscores industry concern surrounding an issue that is not going away anytime soon.
With shipping increasingly relying on online applications to keep vessels and cargo moving, and to continue on its digitalisation path, the attack space for cyber crime and its actors is widening — and so too is industry vulnerability.
The Lloyd’s List survey drew responses from across the shipping industry. Shipowners (13%) were the most highly represented in the sample, followed by ship operators and shipmanagers (9%). Other organisations included those in the fields of financial services, consultancy, academia and logistics.
Of those that participated in the survey, one in five said their companies had experienced a cyber attack in the past three years, with phishing and ransomware being the most common forms of attack.
There were also examples of ‘cross-site scripting’, also known as XSS attacks, in which malicious code is injected into otherwise safe websites, and ‘Denial-of-Service’, when systems are in effect shut down, preventing users from accessing certain sites or programs.
While the number of attacks is significant, Vespucci Maritime chief executive Lars Jensen told Lloyd’s List that, in reality, this number could be 100%, as it would be difficult to find a single person that has not been subjected to a cyber attack in recent years.
This, he explained, highlights the issue of what constitutes a ‘cyber attack’, with a lack of a common vocabulary surrounding the subject.
“If we include everything, it is 100%, but if you exclude some of the minor things, such as automatic emails from the ‘Prince of Nigeria’ as part of a phishing scam, then numbers will go down considerably,” said Mr Jensen.
Nevertheless, he also noted that while a regular employee would certainly notice a major cyber attack that impacts all systems, one that compromises a small portion of servers will only be acknowledged by the IT department.
There is also the issue that companies will often not report cyber attacks for fear of reputational damage — a factor not solely restricted to the shipping industry. This, too, would suggest that the number of attacks could be substantially higher than the level reported in our survey.
In terms of the severity of cyber attacks reported by survey respondents, around half of them only had a minor impact on operations, while two fifths were seen to be more damaging to the organisation.
As stated earlier, one of the more alarming conclusions of the Lloyd's List survey was how an overwhelming majority feel industry action leaves much to be desired.
Only one quarter of respondents (26%) feel the shipping industry is doing enough to combat or spread awareness of the threat of cyber attacks, with as many as one fifth stressing that “a lot more still needs to be done”.
Bill Egerton, chief cyber officer at cyber insurer Astaara, said the majority of the larger shipping companies are taking appropriate action. They have capabilities in place to mitigate for attacks and are only too aware that you cannot “nickel and dime” when it comes to cyber security.
The concern, he said, lies with some of the smaller players: “There is a belief that they are too small to be noticed, which is a failure to appreciate that this is not size-dependent. If you’re on the internet, you’re a target.”
CyberOwl chief executive of Daniel Ng felt that despite the obvious concerns, there has still been significant progress in cyber awareness, particularly over the past 18 months.
“We were having discussions back then as to why we even need to protect vessels, but the conversation has moved on. Now there is acceptance; now we’re discussing how best to make smart decisions around protecting systems,” he said.
“Can we do more? Absolutely. There is a lot of noise around maritime cyber security at the moment, and we need to take sensible steps to build up the sector and rise the tide, which requires smarter choices.”
Of further concern was how just under half of all respondents said they were not offered cyber-security training — and only three quarters of these had undertaken training in the past year.
Mr Egerton stressed that companies that are not training staff could be at risk of breaching the IMO’s 2021 guidelines, resulting in regulatory sanctions — but also disproportionately large financial losses if hit.
“Training is a fundamental element of seaworthiness. When talking about safety of life and environmental protection on board vessels, if training is not undertaken in the cyber dimension, there is a serious issue. You cannot ignore the need to have people trained,” he said.
Yet another damning reflection on the shipping industry was how one third of those polled were either unaware of company processes or believe their company is not prepared for a cyber attack.
Mr Ng said this comes as little surprise, echoing his own experience on the ground. Although he said the industry has done a very good job in getting to the stage of putting IMO requirements in place, implementation is another thing.
“As a sector, we need to go further and get to a point where we’re actually doing the things, we say we’re doing. If we do, we’ll have come a long way from a security standpoint,” said Mr Ng.
Finally, the survey also garnered response on the level of satisfaction regarding cyber-liability insurance products offered by the industry.
Almost two thirds of respondents noted they were happy with the products on offer. Those that were not satisfied, however, reiterated complaints familiar to cyber underwriters: that products on offer do not adequately cover the true cost of cyber attacks, including recovery and loss of business. And they are increasingly expensive, too.
Lorenzo Spoerry, deputy editor of Lloyd’s List’s sister publication Insurance Day, noted how on current trends, market-wide cyber premiums are set to double every three years.
“The problem for underwriters is that, in contrast with other lines of business, cyber peril is ever-changing, making assessing the true scale of the threat uniquely difficult,” he said.
“Some cyber specialists believe that cyber will be one of the most important lines of business within two decades. Yet many of the largest underwriters still take a very measured approach to providing coverage.”