Cover Story: Cyber Security Round Table Debate

In the latest in our series of round table debates, SMI drew together key figures in the maritime security sector to debate business interruption triggered by cyber-attacks and the risk of not investing. Kindly hosted at the offices of Thomas Miller and chaired by SMI Editor Samantha Giltrow, the panellists were: Michael Hawthorne, CEO, CobWeb Cyber; Sharif Gardner, Training Manager – Cyber, Axis Capital; Mark Sutcliffe, Director, CSO Alliance; Robert Hodge, Director, ITIC; George Devereese, Senior Loss Prevention Executive, UK P&I Club; Henry Clack, Associate, HFW; Gideon Lenkey, Technology Director, EPSCO-Ra; Brian Warszona, Divisional Director FINEX Cyber and TMT, Willis Towers Watson; Anu Khurmi, Director, Templar Executives; Nick Taylor, Consultant, Shoreline; Andrew Hill, Product Innovation / Complex Claims Counsel, Cyber & TMT, Willis Towers Watson.

Samantha Giltrow
Welcome, and thank you for coming to our annual Maritime Cyber Security Round Table. How do you think the space of maritime cyber security has changed over the past year?

Robert Hodge
In the last year the regulatory framework has started to get busy, so not just regulation affecting the maritime sector but GDPR. It has been a concern for ship owners because if you are a ship operator with a management company you are not just exposed to the management fees, you are exposed to fines on the global revenues. That has become an increasing concern for them, because they are exposed in other areas where they thought they were protected from regulation. Also from that, NIS has come in, so again fines on global revenues and affecting ports and infrastructure, and finally the IMO, with bringing cyber down onto the safety management system; owners have to be concerned with cyber and safety management systems.

Anu Khurmi
The regulatory framework is going to be a good driver but the consciousness of the maritime industry is only just now waking up. Before, it was not publicly thought of as a sector under attack but now you are seeing the headlines on incidents at organisations like Maersk and COSCO that are actually being reported. There is also evidence of under-reporting and I think a realisation that things are changing; people are now grappling with the idea of ‘well, what do we do about it?’ which is really good.

George Devereese
It has been very much regulatory led. If I was talking to owners this time last year it really wasn’t too much of a blip on their radar, but since the US Coast Guard have said ‘if we are going to do a Port State Control inspection we are going to want to see your cyber plan’, the fact they go ‘ooh, we could be detained for not knowing how we transfer our files from our ChartCo computer to our ECDIS terminal’ means suddenly people are starting to wake up. NotPetya and Maersk really did help to solidify that. Had that not been the case, I don’t think we would have seen movement at all.

Andrew Hill
I think the collateral damage we witnessed from NotPetya was an enormous wake-up call for those organisations who do not consider they are a target for cyber attacks.

Michael Hawthorne
For the first time we’ve actually had somebody who has come to us because the NEDs initiated that impetus rather than there being an incident or in direct response to regulations. Those that are familiar with what is happening in the wider sectors and how that might impact on themselves are beginning to challenge the boards and say ‘we have got to do something’.

Gideon Lenkey
At the operational level, we’ve been seeing over the last year a vague awareness of threat or the awareness that someone is telling them there is a threat, whether they believe it or not and some still don’t believe it. But at that level, we are seeing ‘spot’ efforts. I see it in other industries that we work with. The maturity of maritime is still pretty basic.

Anu Khurmi
I think it’s partly to do with the fact that I don’t think a lot of the maritime sector knows how to report cyber-attacks or even easily identify them. It comes down to the real fundamentals and seizing the opportunity to learn from other more mature sectors. But a lot of the issues boil down to a reluctance to share information and best practices across the industry and then how you resolve those issues.

George Devereese
I’ve got a feeling that in the next couple of years everyone is going to be jumping on the ISOs. It really is complete arrogance or misunderstanding of how it’s going to affect their companies.

Samantha Giltrow
Mark, it might be a good time to bring you in on this, as you have experience of the reporting side?

Mark Sutcliffe
I think the industry has made a massive leap forward this year. Some companies are absolutely fantastic – bombproof, thoroughly professional, and well-resourced – but as you go through the industry we still have owners who are risk takers. We are a risk-taking industry. I think we have to better define what the threats are, instantly and quickly, and quantify it, and that has to be shared, and I think what Templar are doing with the MCERT is a great example of that, as well as ourselves. We’ve got an anonymous cyber-crime reporting portal to encourage that, which we then share, so we all learn together. I think as an industry we are working better together. We will be punished as an industry until we start sharing. Ports and ship owners are now ready to do this.

Sharif Gardner
The reality is we are starting to get more data and there are tons of other industries that we are learning from that have data as well in terms of the scale of phishing attacks and the problems that arise there. We’ve got feedback groups that are starting to feed into things like the Be Cyber Aware at Sea Campaign and if we start feeding into that, that starts to produce data that everybody can use. One of the other big areas in this is splitting it down per classification. The two major attacks we’ve seen on shipping that were the big wake-up calls were both from the container vessel side. We have seen a large spike in the quest for cyber insurance specific to that. There’s still 95% of other classifications that are still probably burying their heads in the sand and thinking it won’t happen to us. It’s correlating that data and making it useful, but it’s the data, insight, information triangle. It only becomes insightful when you start to feed it into the cyber-crime reporting loops. I believe the industry is becoming more and more alive and more in tune but unfortunately you are still going to get the real risk takers so let’s not focus on the real risk takers yet because they are probably not going to be the first adopters of security and risk management practices.

Nick Taylor
Having been out on the road for the last nine months, I have seen a complete failure to recognise that this is an emerging risk area. It took a long time to get people to put armed guards on ships going through the Gulf of Aden and I think we are seeing this in the same way. People blank out the Maersk incident, maybe not COSCO. There’s not enough medium-size data to be able to say, well actually, if you suffer a cyber-attack how much is it actually going to cost you to bring people in to investigate the extent of the damage that has been caused to your network, and how much is it going to actually cost in the form of restitution? Nobody is coming forward with that data.

Sharif Gardner
It’s certainly learning from other sectors. The large classifications – the sophisticated markets – will only get burnt once and then they will only want to make sure that their tier one and possibly tier two suppliers are not going to introduce any risks into their organisation. Risk management guidelines are there, the problem in terms of the threat is there, however the regulation is lacking.

Nick Taylor
Ironically, in this market, there is no impulsion coming from the financiers. The financiers lend against a ship. They don’t lend against a business.

Mark Sutcliffe
I can come against that. I had dealings with hedge funds who hold significant investments in several transport assets. A year ago they were horrified at the approach of both the management and their IT team to cyber risk. They were absolutely passionate about changing this understanding and mitigating the cyber risk. Ultimately, it is the shareholders who bear the ultimate risk and in this case took responsibility, in general I don’t think that message is communicated clearly enough.

Michael Hawthorne
The challenge we are facing is the stories of Maersk and Cosco are not widespread enough.

Anu Khurmi
The IMO did a report a while back and said 47% of crew members have sailed on a vessel that has been the target of a cyber-attack. That is a big percentage and at odds with the small number of incidents we hear about.

Nick Taylor
The same survey also said that only one in six crewmen recognised he’d been given any formal training.

Samantha Giltrow
I suppose that could mirror what goes in any office really.

George Devereese
BIMCO’s cyber survey came out last month and they were saying that 72% of respondents said their company had been the victim of a cyber-attack so the awareness is there.

Robert Hodge
ITIC insures ship brokers, agents and ship managers and we are regularly seeing payment of fraudulent invoices. Our members are now putting in training to avoid that but one of our member’s employees had the training and got 97% in the test but nonetheless that employee paid a fraudulent invoice only a few days later causing loss to the owner.

Sharif Gardner
That comes down to the difference between compliance tick-box training and awareness. The three main barriers to adopting any form of cyber security are not that these companies aren’t feeling the threat, it’s not that they don’t even understand the threat – they are receiving the phishing emails every day – the challenge is if you don’t understand the product or the service you’re buying and how that integrates with everything else. The other challenge is not understanding the value at risk and sadly, it comes down to reputations being damaged and ruined which, when you look at a classic data breach, i.e. personal data being lost, has a far more damaging effect on businesses because it is human data. The other thing is, how do you assign a budget for something you don’t understand?

Samantha Giltrow
How can you help people understand?

George Devereese
Last year at Thomas Miller we released a joint publication that went out to all our membership about Cyber to really try and debunk a few myths and that was the best received information the Club had sent out in the last decade.

Nick Taylor
But it’s not having an impact in the market. You’ve got people who do not understand how to budget for this, what their exposure is and what the potential is, and in fairness we are not able to give it to them yet because we haven’t got the information ourselves to be able to quantify some of the middle range risks. To me, that is the biggest hurdle we are facing.

Henry Clack
We held an event together with Axis and what the owners were worried about was physical loss and damage, not business interruption. I think that comes from the fact that as an industry, shipping deals with business interruption from poor weather, problems with port facilities and equipment – it’s part of doing business in shipping.

Brian Warszona
It’s the supply chain too that we are just not looking at closely enough. With the technological advances we are making in the shipping industry, we are saying this is all great, we can all communicate quicker and better but now what happens when we cannot communicate because of that technology failing due to an attack or human error. It comes down to communicating internally within the organisation.

Andrew Hill
One aspect of our role is to bridge the chasm in terms of identifying and understanding the risk that sometimes exists between IT and risk management and then up to the board. This isn’t intended to be a criticism of the cyber market but something I’ve observed is there is a tendency for the cyber insurance market to overreach itself in terms of what a cyber insurance policy is trying to achieve. The tendency is to promote the ‘all-singing all-dancing’ coverages that sit within a cyber policy rather than emphasise and explain in clear terms the key coverages that are most relevant to the client.

Brian Warszona
It’s interesting that people are talking about autonomy but they are not talking about security that is needed to go along with it.

Anu Khurmi
The message that is going out now is you can’t do digital and you can’t do autonomous without cyber. It’s not just an investment, it’s all about your reputation and your efficiencies, your productivity and safety at sea and the thing is we don’t yet equate cyber to safety at sea.

Samantha Giltrow
Ports are said to be particularly vulnerable. How can you see this vulnerability developing and what needs to be done to safeguard ports further?

Gideon Lenkey
I don’t think ports are more or less vulnerable than anything else. They have to take it seriously and the ones that do will survive the attacks and the ones that don’t won’t.

Henry Clack
I think they are quite vulnerable. The Port of Felixstowe decided to change its terminal operating system in July and suffered a large loss of productivity including potentially losing track of containers. That was a managed process. So, because of the way these systems are designed – with a terminal operating system all these other systems are bolted on to it – I think this makes ports quite vulnerable.

Andrew Hill
What Henry’s example illustrates is that cyber risk is a much wider issue than just malicious attacks.

Michael Hawthorne
This question about vulnerability and whether it is increasing or not really depends on how the maritime sector embraces, or not, digitalisation. If we are able to build on security from the beginning then we can take advantage of increased digitalisation but not increase risk. If we embrace digitalisation and don’t think about the Cyber aspect then the vulnerabilities will increase.

Robert Hodge
I think that ports have seen an increase in vulnerability because they have been automated for many more years and have been at the forefront of digitalisation. That might be why we have seen more incidents.

Nick Taylor
I sense there’s more awareness and openness to the threat and they are waiting to be led by the insurance industry into a decent solution.

Sharif Gardner
Why target a specific port when, as we’ve seen with NotPetya, you can actually hit multiple ports or multiple operations?

Samantha Giltrow
How are legal, insurance and regulatory regimes keeping pace with the advancing developments in technology, and do you think industry guidelines on cyber security such as those from the IMO will be enough?

Gideon Lenkey
I think what the IMO did was brilliant. They didn’t get too specific – they said here’s a guideline, you can use these standards if you want, you can use this framework if you want and just manage. I think if we get too specific on regulatory guidelines it’s going to lead to this checklist mentality on compliance and not a management process – it’s all about putting ticks in the boxes and not really managing it.

Nick Taylor
The IMO regulation is a step in the right direction but it is self-regulation. It is ship-owning regulation; it is not the enterprise as a whole, and the enterprise as a whole is what creates the culture. I think BIMCO’s Cyber Security onboard Ships has limitations in that it is confined to the operation of vessels but, as a document that they pulled together, it reads well and provides a sound starting point for further consideration.

Mark Sutcliffe
Currently in shipping I think the IT guys are listened to in an organisation. They hold the relationship with the owners and fleet managers. So, at the shop floor level, the IT managers are calling all the shots and if they don’t see a problem then nothing changes.

Sharif Gardner
We are focusing on every single area whether it’s ports, at sea or onshore – we are trying to focus on it all when in reality 10 minutes at the end of every board meeting to try and hammer that home is where it’s going to start.

Samantha Giltrow
Do you foresee ship owners being called on more to prove the cyber element in their vessels’ sea worthiness and how will this develop?

Henry Clack
BIMCO are currently drafting their cyber clause and there is likely to be an express requirement for due diligence in the clause, so absolutely. There are also parallels between cyber and Somali piracy in that a new and emerging threat leads to a new type of due diligence exercise. Claims are going to come out of it.

Gideon Lenkey
Somali piracy is a good example, because if you see a cyber-attack where something pretty serious is effected, such as loss of navigation or propulsion, the seriousness is going to go up quickly because you are putting lives at risk. Then I think you’ll see ship owners being required to demonstrate that they have this covered.

George Devereese
There was a very quick knee-jerk reaction when BMP4 came out such as with razor wire, which has not been proven to work. I really do hope that cyber doesn’t migrate to the quick easy fix option.

Henry Clack
It’s going to be interesting to see. With piracy, BMP4 came in and there was one standard that you had to hit, and you don’t have that with cyber at the moment because currently there are multiple guidelines out there.

Nick Taylor
I see TMSA 3 as the first step towards this – the oil customers are going to be the ones who want immunity from this risk. We might well see someone rejected for not having adequate cyber security onboard and if your vessel suffers a cyber breach that vessel and others in your fleet will be suspended for future approvals. So I think this is going to be driven by the shipping industry’s client base.

Brian Warszona
In the insurance industry we predict that cyber business interruption is going to happen when we look at attacks or simple human error. However, we can utilise the experience of property insurance’s business interruption losses to help quantify what the potential loss might be from a cyber event.

Robert Hodge
When we go around seeing members there is a slight uncertainty of which cover picks up which loss and there’s a certain amount of education needed to explain that, and what I see at the moment is the only real way to do it is scenario testing.

Nick Taylor
The trouble is they cannot get their head around what the problem is.

Mark Sutcliffe
It’s not all doom and gloom. We have got members who are absolutely point of the sword and are inspiring in how they have looked at the risks and communicated to their captains and crew. But I think you are right – there is still a lot of work to be done.

Andrew Hill
I haven’t found it to be the case that the risk managers do not understand their organisation’s cyber risk. Yes, the more nuanced aspects of cyber risk often do require careful explanation but, returning to my earlier point, cyber insurance policies don’t do themselves any favours; for example, there is a lack of consistency in the terminology used across different forms. I think when you are able to engage a client by explaining in clear terms the solutions provided in a cyber policy which then prompts a sensible discussion, a clearer picture begins to emerge of exactly what a cyber policy is trying to achieve and how it can help with cyber risk transfer.

Anu Khurmi
We have an international maritime law firm on the advisory board of the MCERT and one of the interesting conversations they are having at the moment is looking at accountability in this space. It may be the charterers will insist that your vessel is ‘cyber ready’ if you want their business in the future.

Andrew Hill
I think a significant issue that has become increasingly prominent in the wider insurance market in recent years is silent cyber. Silent cyber is problematic because it gives rise to uncertainty and it is an issue in many classes of insurance including marine. Take the CL380 malicious attack exclusion, for example, which is widely used in the marine market: where it is used, will the policy pick up non-malicious cyber incidents? There is a whole spectrum of views on the issue. Thankfully, a number of key players in the insurance and reinsurance market are now addressing the issue of silent cyber head on. I suspect that over the next year we should get more clarity on what the insurance and reinsurance markets’ positions are on whether they will cover silent cyber.

Anu Khurmi
I think another complication to that is understanding how does consequential loss fit into all of this?

Mark Sutcliffe
We talked to one risk manager who had some 50 different insurance policies covering the whole range of his business and there was a cyber clause in each policy. I think this will get refined and defined.

George Devereese
There’s still a lot of learning to be done in P&I Clubs as to where coverage lies.

Samantha Giltrow
Could the introduction of initiatives such as Templar Executives’ MCERT help lower premiums for cyber insurance, and what else could be done to encourage the lowering of premiums?

Sharif Gardner
For starters, when you have shipping companies not wanting to pay an additional premium for the extra cyber coverage, I don’t think we are really in the space where we can start to think about bringing it down. Naturally, more information from a CERT gives us a truer picture of what is happening from a threat and risk perspective.

Brian Warszona
Compared to the overall Cyber risk an organisation faces, the mitigation provided by a Cyber security firm to an organisation would not have a significant impact on the premium at this time.

Mark Sutcliffe
We support it. We have seen them create it and I think when you look at what’s going on in the world not all countries can put an effective CERT together.

Samantha Giltrow
Maritime training is said to have increased during the last year – is this your experience?

Gideon Lenkey
The type of training that is really needed I’m not seeing.

Anu Khurmi
We run a world-class cyber training academy, and have GCHQ-certified courses. We do cultural transformation programmes for all organisations across different sectors. The academy isn’t just about simulating environments, it’s about your people and making the e-learning and awareness relevant to them because you can’t just give them phishing exercises.

George Devereese
You look at a 5,000 TEU ship, alongside at best for 12 hours, and you’ve got to try to slot this in to the work/rest hours of people who are dying on their feet. Culture is great but we can’t just give them another e-learning package because it just won’t do it.

Sharif Gardner
If you can make it engaging enough that they are interested. This is not reinventing the wheel.

Samantha Giltrow
Experts are warning the ‘Big One’ is coming – the worst-case cyber-attack on the shipping industry. What are your thoughts on this?

Gideon Lenkey
You don’t know what an attack will look like. It’s going to be that someone finally figures out that they can monetise maritime – they can shut down a port or vessel operations, and they can extract money for that. Or it will be an inadvertent thing where there’s some vulnerability in some piece of equipment and it has a negative reaction with some piece of malware that maybe wasn’t even targeted.

Henry Clack
In terms of specifically targeting the maritime sector, we’ve seen that already in terms of the mandate fraud. We received an IT report tracing back to the individual who had sent an amended invoice – he had set up 40 websites which mimicked all of the major shipping lines’ email addresses with one letter changes.

George Devereese
GPS is insanely vulnerable. Ships can’t navigate any more without GPS and that would grind the industry to a halt.

Sharif Gardner
My thoughts are, if Maersk hasn’t woken you up, it couldn’t get much worse.

Mark Sutcliffe
We are dealing with organised criminals, and the whole idea of an organised criminal is to go in, secure your crime, collect the money and not get caught. We need to do what we are doing quietly, getting our act together, and I see a bit of a sea-change in our attitude in that we are more willing to work, share and learn together.

Samantha Giltrow
Ladies and gentlemen, thank you very much for your time today.