Cyber Security Round Table Debate

In the latest in our series of round table debates, SMI drew together key figures in the maritime security sector to discuss the increasing cyber threat and what it means for the shipping industry. Kindly hosted at the offices of Thomas Miller and chaired by SMI Editorial Director, Sean Moloney, the panellists were Andrew Jamieson, Claims Director & Legal Adviser, International Transport Intermediaries Management Co Ltd (ITIC); Michael Hawthorne, CEO, CobWeb Cyber; Ian Millen, Security & Intelligence Advisor, Global Navigation Solutions; George Reilly, Managing Principal Engineer, ABS Europe; William Maclachlan, Senior Associate, HFW; Sharif Gardner, Training Manager – Cyber, Axis Capital; Ken Munro, Partner, Pen Test Partners; Steve Williams, Partner, Moore Stephens; Jordan Wylie, Campaign Founder, Be Cyber Aware at Sea; Mark Sutcliffe, Director, CSO Alliance; Alan Dainty, Cyber Risk Director, Thomas Miller Specialty; Roger Lewis, Cyber Risk Underwriting Director & Deputy Chairman, Thomas Miller Specialty; Kostas Ladas, General Manager, Liberian Registry.

Sean Moloney:
What can the shipping industry do to mitigate the maritime risk and keep vessels safe at sea?

Michael Hawthorne:
There are basically three things. First off is the scope, because in the interventions I’ve had with the shipping companies, it is really to try and establish what part of their enterprise they are trying to secure. There are those who think security is just about their IT and the head office whereas there are others who recognise the need to secure their OT (operational technology) estate, by which I mean those devices, networks and systems which are controlled by computers, which have an impact on physical systems. They also need to be secured. And then trying to identify the balance of investment between those two different parts of your cyber estate is something that needs to be identified right at the get-go. The second area is in terms of leadership. I’ve found that if you talk to the IT departments, if they have a CIO, they are pretty up to speed on the key issues and are quite keen to pursue and implement a robust self-security regime. But if you don’t have the Board onboard, because they are not engaged with the whole process, then you’re wasting time. In fact we, as a company, have decided we are not going to spend any time on a company if the Board is not interested in cyber security. The third area is in terms of competency. My background in the Navy is very up there in the centre in making sure people are trained effectively. So, we now need to ensure that we bring cyber security as a similar sort of discipline with every mariner. When he or she goes onboard a ship, he or she is very conscious of the watertight integrity for that ship. We don’t want water coming in and we need to adopt a similar sort of approach to cyber security because these could be vectors which could compromise safety, so making sure that all crew understand the potential risk is important.

Sean Moloney:
Roger, bringing you in on this and the point about competencies and leadership, is the industry fully aware and onboard with this whole issue?

Roger Lewis:
Michael is right about the leadership and the challenge cyber risk presents for business leaders. There’s almost too much noise in the channel for leaders to decide what they need to listen to. There is also certainly a frequent clash between the Board and the Chief Information Security Officer (CISO) in our experience of engaging them. It will take quite a bit of time for comfort with engagement on cyber risk management and insurance risk transfer to wash through. If you look at the marine industry you’ve got insurance products that have been around for centuries and we haven’t really even had a decade yet from the insurance perspective from cyber risk. The final point to make is it’s a misnomer that it’s all about insurance. It’s not. Insurance is just a fraction of risk management in the cyber field. There are a lot of people around this table who are trying to improve the cyber risk before it gets to us as cyber underwriters. We would encourage you all to please do that as quickly as possible. With some of the more recent cyber business interruption losses that have been reported across industry but particularly in marine, with the Maersk loss, for example, the cyber underwriting appetite could well reduce quite soon, especially with a hardening insurance market now underway post the recent hurricane losses. The marine industry needs to wake up and improve itself quite quickly.

Sharif Gardner:
To follow up on the insurance side, cyber insurance policies have traditionally been focused on data breaches, so loss of data and therefore the liability side that comes with that. When you look at what happened with Maersk and the resultant business interruption (BI), that is of major concern within the shipping industry, which is obviously then going to be, from an underwriting perspective, a concern for us too. In terms of pricing this, you’ve got 300 years of history and of data that supplies the shipping industry with information and therefore pricing has become refined over time. Cyber BI is priced in a similar vein to loss of hire of vessels – it’s effectively what’s the threat or expected frequency of loss for however long it is out of action. From a threat perspective, and in terms of mitigating cyber risk, it’s the rule of threes – people, processes and technology. All three are very important, but if you do not have senior managers and you can’t get your senior managers buying into this and to understand who’s the threat to them, you won’t progress. Different organisations have different views. If you ask a healthcare organisation, cyber risk is about data breach; if you look at the shipping industry it is about loss of hire, loss of access to vessels and potentially safety at sea, so it’s channelling in on those. What Jordan is doing with the campaign is absolutely fantastic. It’s awareness at end user level. But that end user level training must be validated, as Michael says. And there’s also another area which I think needs to be emphasised and that’s a link between the CIO and the Board – a Cyber Security Officer who reports directly into the CSO. If you get that person looking at and understanding the threat, at either a vessel level but probably a wider business level, you’re then going to start to get that integration both upwards and downwards and you’ve got the creation of a process that will be responsible for the development of cyber security plans.

Sean Moloney:
Ken, let me bring you in on this. As far as the underwriting side is concerned – is it finger in the air or is it fingers crossed?

Ken Munro:
I spent about five years working with various underwriters helping them understand broader cyber liability risks and I was quite shocked at the beginning to find how certain risks were being underwritten without really understanding the nature of cyber liability issues. The potential for risk to become systemic is very broad given the common technologies out there. A good example in maritime might be a ship’s satcom box. If a vulnerability is found in it, all ships that use it are vulnerable. The other issue I have with general cyber liability insurance is there was a lot of misunderstanding in the early days relating to the type of breaches and type of losses. Broadly, when a risk manager comes to the market and says ‘I’d like cyber’, they are probably buying it because they’ve seen data breaches in the press – third party losses. By far the most common type of loss for cyber liability insurance is actually a first party loss whether it is invoice fraud, or by far the most significant I’ve seen, business interruption. First party losses are far more relevant to the maritime industry. The second point I wanted to make is that I don’t think we understand the risks right now. We’re exposing new types of risk and vulnerability in maritime systems through automation and smart systems every week and the opportunity to disrupt business is enormous.

Sean Moloney:
Bringing in George, this whole issue of really understanding the risk and what we are dealing with must be a concern to the class societies?

George Reilly:
Everyone across the industry has a part to play, and they must be active in those parts. Class is examining its part of the systems and cyber security picture, and Class takes the view that no matter how many layers you put on top, the fundamentals of construction, design and reliability and safety of systems remain the most critical components of the ship’s needs. It really boils down to the functions you have, the interconnections between the functions, and the identities of the people and machines allowed to touch the functions and interconnections. Typically, the industry discusses cyber as a commercial risk. Their experience and context is cost – costs of operations, cost of data breaches, cost of compliance and fines, cost of insurance. But the confidentiality, integrity and availability factors we usually consider for information technology (IT) are reversed for operational technology (OT), with impacts on costs. Control systems, incorporating OT, have availability as their most important factor, followed by integrity and then confidentiality. This means an owner’s or ship crew’s or insurer’s risk considerations must change, based on keeping the systems operating and safe for people, ships and the environment.

Sean Moloney:
New ships are very much more geared up for smart shipping and there’s a lot more connectivity going on. What are the class societies and the owners and the insurers doing, who are all working together, and what are you aiming to put into place now to futureproof ships moving forward?

George Reilly:
I think there is a lot of commonality in what Class societies, owners and insurers are doing, especially through the IACS. We emphasise that owners and crews must understand the inventory of their systems and related operating characteristics or functions, if they are to understand how the systems work, and how they can suffer malfunctions and faults. Vulnerabilities in cyber-enabled systems can be software flaws or human error-related operating problems just as they can be purely cybersecurity-related. You can’t really begin to do what’s needed unless you understand the systems and how they connect, and who or what can touch them. This is a major point many in the marine community still do not fully grasp, and it comes down to understanding the relative risks a crew has in their systems. If they know those risks, then insurers can have a better basis for writing policies that share those risks. For the new ships coming out of yards and integrators, there is definitely a bigger awareness that you can’t just hand over or buy a ship without understanding what you’ve bought. If the yard provides the necessary documentation and background that the crew needs to understand their systems, then we’re all safer and better able to handle our ships and systems.

Andrew Jamieson:
At a time when the shipping markets have been rather poor, it is obviously difficult to try and persuade people to spend more and that is a fundamental problem. Most people in shipping will tell you Maersk had a problem. Ask, and probably not too many of them will give an accurate description of what Maersk’s IT problem was. Another point I would make is that shipping is fascinating because it is both a high-tech industry and an incredibly old-fashioned one at times. We, as an insurer of ship managers and ship agents and ship brokers, had a lot of the invoice type frauds and were staggered how much cash was moved round in terms of ‘cash to Master’. Going back to the question, what can they do to mitigate? I think people do need to realise the seriousness of the problem but until someone has a major casualty, it’s difficult to get them to concentrate.

Sean Moloney:
I know of two companies that offer a digitised cash to Master service because it is ridiculous that they are putting millions of dollars in notes onboard ship but are you saying that shipping is reluctant to embrace new thinking or is slow to embrace?

Andrew Jamieson:
Whether shipping has a monopoly on that I wouldn’t like to say but I think there is a tendency not to see it as ‘my problem’ – yet. The IMO has given until 2021 to incorporate cyber risk management – well, in shipping terms that’s a long way down the road. So, I think there needs to be a little bit of a wake-up call.

Sean Moloney:
Ian, let me bring you in – do you think shipping is still bolting that stable door as it waves goodbye to the horse down the road?

Ian Millen:
Yes, I think there’s more awareness now and that’s encouraging. Is it enough? Probably not yet. The first point is, if you are going to keep the ship safe at sea, it requires a holistic approach. I like to think of it as a spectrum from the Boardroom to the Bridge and then, by extension, to the Bunk. Within the Boardroom and head office function, I believe that cyber security needs to be implemented just like any other risk to be managed. If you treat it like everything else, like finance and ops, and build that into the system, then that’s going to be one of the keys to success. As far as the Bridge is concerned, cyber security needs to be implemented. The IMO ruling will go some way to ensuring that. It needs to be as much a part of the security plan as any physical security of the ship and staff need to be trained to ensure success. The reason I extend it to the Bunk, is because with ever-increasingly connected ships, the single greatest asset is the people. The single greatest vulnerability is also the people. And now we’ve got these highly connected ships, we need to make sure that we encourage strong cyber hygiene from everyone. One final point is we have seen encouraging signs, not least because of how many guides are out there. Whilst this is good, I do believe that the trick lies in making the subject less scary by making that more understandable and memorable for everybody to be able to tackle.

Sean Moloney:
Jordan, what are your thoughts?

Jordan Wylie:
Although it’s a positive that we are putting lots of guidance out there, I see it as a bit of a negative as well because actually it means we are doing a lot more talking and still not enough action. I think there’s an element of information overload now in the industry and a lot of it is quite technical and in a language that a lot of people don’t understand. It needs to be simplified and the way we’ve tried to help industry is by deciphering the jargon that’s out there. Ultimately, awareness is the first step if we are going to change people’s attitude. Everyone is connected in every aspect of their life now and you speak to the connectivity providers and one of the biggest forms of retention is ‘what kind of connectivity do I get as a seafarer onboard?’ So, they have to be educated if we are going to expect the seafarers to manage those risks. A lot of people don’t know what those risks are.

Sean Moloney:
Are you concerned about the lack of awareness?

Jordan Wylie:
I think we have come a long way because having asked the industry three years ago what they understand, people wouldn’t even open the door to talk about cyber. Now, they will welcome you and the fact that we are all sat here shows that we’ve come a long way. There is still massive room for improvement. The Maersk incident put the flag on the map and people have started to wake up but I think we are going to see a few more incidents before we see some real movement in people’s approach. It’s a very reactive industry by nature.

Steve Williams:
We need to do something. We’re asking people to manage a threat they don’t understand. I don’t fully understand the threat and I’ve been doing this for 20 years. We need to agree a standard and not buy off anyone who doesn’t apply that standard, don’t invest in anyone who doesn’t apply that standard or do business with anyone who doesn’t apply it. That would be the solution. In reality I think the industry needs to prepare and practise failure modes. Whatever we do won’t be enough.

Sean Moloney:
Are guidelines enough and if not what needs to happen? Do we need international law here?

Steve Williams:
There’s plenty of international standards that relate to security. Just pick one that exists and has been tried and tested. It won’t be right, it won’t solve all problems but it will start to drive that cultural change.

Sean Moloney:
Alan, let me bring you in on this. Surely when you set standards they have to be across the board?

Alan Dainty:
I don’t think the shipping industry is that different to any other. I think in common with a lot of other industries, cyber risk is seen as an IT risk rather than a business risk. So, you need to have good coordinated business continuity and incident response plans that have been tested. Recent incidents have highlighted the fact that incidents will occur at some point.

Sean Moloney:
How aware are the flags to their responsibility in all this?

Kostas Ladas:
There is no doubt that the flags do play an important role in the shipping industry and, as far as we are concerned, we believe we do have an obligation to assist as much as we can which is what we are doing. Cyber security is something which has become an issue and there has been much talk lately, but there are still a lot of questions. The shipping industry is like any other industry and we shouldn’t say the shipping industry doesn’t do enough. We are doing exactly the same thing as every other industry. The question here is whether this can prevent the risk going to the ship. The Maersk incident luckily only affected the office and not the ship as such. The Flag does take measures but we do not believe as such that imposing a regulation all the time is the right solution.

Sean Moloney:
There are so many ships out there and a lot of ship owners have small fleets which are going to be the last to embrace something like this and would be the ones that could be affected. Don’t they need to be controlled?

Kostas Ladas:
There is that element and there is now scope to really educate them as much as we can. In fact we as a flag – perhaps we are the first one – have issued cyber security training which is not too complicated. Awareness is the most important thing we try to give to the industry.

Sean Moloney:
Mark, what are your thoughts on all of this?

Mark Sutcliffe:
When you look at the financial services industry, if they have a cyber incident, in real time they are reporting immediately the impact and what they are doing about it. If you look at the aviation industry, if a plane goes down, the whole industry is impacted by that. Shipping has a completely different culture, so we have to completely rethink our culture and I think that is a fundamental point. We’ve also got to start reporting crime. The criminals have a field day. Maritime criminals, since we started tracking crime in January 2013, are active in 63 countries. For example, we are boarding about 120 stowaways a month on average, it’s costing $42,000 a day and we’ve been spending that money for 10 years. That’s $150 million on stowaways with no risk mitigation and literally no reporting. The good news is that we’ve been focusing on the Company Security Officer and messaging through the CSO is already in place. What’s important for us is to work as a collective, work as a team to give these guys good information. We’ve partnered with Airbus Defence and Space who bring all of their aviation experience. If we don’t begin, as a maritime supply chain, to share ideas, share crime and change our culture, we could lose jobs and revenue. We are about to launch the Anonymous Cyber Crime Reporting Portal which is designed to make it easy for people to report crime and we can then share back in real time what is going on throughout the world.

Sean Moloney:
William, can you put a legal perspective on all of this?

William Maclachlan:
It is potentially a legal minefield and I don’t think the industry has necessarily grappled with the legal end of this. Many are yet to fully establish what the cyber threat is and how it might affect their business. I think it’s incumbent on ship owners to understand the risk as it relates to them but many don’t know where the risk is internally. Sadly, while most owners have well-developed procedures and policies in place when dealing with a physical crisis, very few of them have got the same sort of procedures in place covering their response to a cyber event. The key to a successful response by any organisation is genuine C-suite engagement. The CSO and CIO or whoever is tasked with responsibility for an organisation’s cyber response can only succeed if their board supports them, provides them with sufficient resources to deal with the task and otherwise encourages an institutional buy-in.

Sean Moloney:
Where do you see a lot of the legal issues coming from?

William Maclachlan:
A lot of owners don’t understand what insurance cover, if any, they have for losses arising out of a cyber event. They might have 40 or 50 insurance policies across the whole business, each with a different approach to cyber. Many think they have adequate cover, where they potentially do not. There’s the risk of contractual liability, such as unseaworthiness claims from charterers, arising out of a cyber event. Also, something else we have discussed a lot lately is the payment of ransom. In terms of physical security, ship owners understand how the payment of ransom works, but a ship owner who is suddenly denied access to his systems and is given the opportunity to pay a ransom to get them back may just do so without really thinking about the legality of doing so or otherwise involving his insurers.

Michael Hawthorne:
We are in some way trying to make maritime a special case when in fact it’s just experiencing what other sectors are experiencing which is there are cyber resilience issues in all those sectors. The maritime sector could be more proactive by demanding a minimum based standard in order to become more resilient. Let’s not wait until 2021 to be resilient.

Kostas Ladas:
Although IMO has made a guideline with an enforcement date in the future, a lot of ship owners have already started using it.

Sean Moloney:
What will the bad guys be looking for?

Ken Munro:
It’s not necessarily bad guys targeting shipping; the most damaging attacks are often not targeted. Maersk wasn’t hacked – they were collateral damage during a wider campaign against the Ukraine. If the industry is not dealing with collateral damage now, how will it deal with genuine, targeted attacks? What happens when a ship capsizes or when it crashes into another? Was it a hack? The only reason I think it’s not happening currently is because hackers and criminals haven’t yet realised how much money there is to make in this market through extortion and wider cyber crime.

Ian Millen:
If you take fundamental steps to protect yourself in a layered defence way, it’s much easier for the malicious hacker to break into someone else’s system who doesn’t have those things. Yes, the most technologically advanced may get through your system, however, it’s all about the risk/reward ratio. If I have a burglar alarm on the outside of my house, the criminal may just move on to my neighbour instead.

Michael Hawthorne:
If you are hacking for criminal purposes, you are obviously trying to make money and therefore you’ve got to look at the sector that is most likely to give you that money.

Steve Williams:
I’m seeing small businesses where they are having payments stolen or diverted. Why wouldn’t people target a vessel?

Kostas Ladas:
We have seen smaller companies that are resisting putting the internet onboard the ship.

Mark Sutcliffe:
We know that the maritime supply chain, be it ship owners, ports, agents, hauliers, are being hit with cyber incidents pretty much every day.

Alan Dainty:
It will be interesting to see the data in 12 months’ time and see where the incidents are actually occurring. I suspect most of them will be occurring in the shoreside operation or being introduced via the ship from employees bringing USB sticks in or downloading material full of viruses rather than direct attacks on the vessels.

Andrew Jamieson:
We do, as an insurer, circulate claims examples to our members for loss prevention purposes. We saw lots of invoice frauds and sent circulars warning ITIC members. We have seen a reduction in claims as members became more educated.

Jordan Wylie:
I had the pleasure, along with some of the other people here, quite recently, to be involved in writing the BIMCO survey that we did for industry last month and one of the interesting key findings for us was the disparity between what happens at the top level and what they are saying is happening and what is actually happening with the crews. They were telling us that they were investing in cyber and investing in training awareness education and the crews told us the opposite. I think people want to be seen to be doing something but they are not necessarily doing anything.

Sean Moloney:
When we sit round this table in a year’s time, what do you think you are going to be telling me and what would you like to be telling me?

Mark Sutcliffe:
What I’d like to see is that we’ve taken anecdotal information into true grounded fact, so we can see the impact on our industry in real time around the world and make better business driven decisions.

Ian Millen:
I would like to tell you that the industry at large has taken onboard the need to educate and train their people, that it had put in place the processes and procedures and implemented all of those to give the foundation for people to operate safely, that it had embraced the technological solutions and expertise that are out there and integrated them. And as a whole, cyber security is as much a part of the way we do our business as watertight integrity. My fear is that may be the general trend but along the way, either through negligence or bad luck, there will be some who have fallen foul.

George Reilly:
I see the IMO document as talking to me personally. It has a direct impact on class. I think maybe by next year it will have had the desired effect on other industry stakeholders and that they will understand and be acting on their responsibilities.

Roger Lewis:
I suspect that in a year’s time the number of incidents occurring will be higher, but hopefully there will be more openness about reporting those. I also hope to see more staff awareness and better training.

Ken Munro:
I think over the following year things will appear to get worse before they get better for several reasons. First, it’s the very fact the industry is paying attention to maritime cyber, so incidents will be more widely shared. This gives everyone a much better picture of the threat landscape but also makes it appear to look worse. Second, by everyone drawing attention to the maritime cyber sector, criminals will also pay further attention to it. Ironically, as an industry, we are victims of our own efforts to secure the sector. However, that’s no excuse to bury our heads in the sand and hope hackers will ignore the sector – they won’t. I think we will see new risks emerging as more existing shipping technology is shown to be insecure. We will see more concerning cyber incident reports from shipping and we will see more breaches make the press. It will take another few years of effort from the industry for the threat landscape to start to improve, just as we saw with piracy.

Sean Moloney:
I’d like to thank everybody for their time and comments today.