Cyber Security: The time for thinking has gone

“People still aren’t listening” was the resounding message when industry experts gathered for a round table debate to discuss ‘The year of action’ on cyber security.

Moderating, Jordan Wylie, Founder and CEO of the campaign Be Cyber Aware at Sea, told the Immediasea event: “I think we are definitely going to see more casualties before we see more response.”

Panellist Adrian Durkin, Director (Claims) at North P&I Club stated that ship owners would be called on more to prove the cyber element in their sea worthiness, saying: “Owners should be doing things now. The time for thinking about things has gone.”

Though P&I doesn’t exclude cyber risks, unlike hull & machinery insurance, he said this causes problems internally because there isn’t currently a benchmark to which the Club can hold anybody to account.

Speaking about the Maersk NotPetya cyber-attack last year, which cost the company a reported $300 million, Mr Durkin said: “We used to think about oil tankers hitting New York Harbour and things like that but here we had paralysis of a whole fleet with nothing happening onboard a ship as it was shore generated.  You can see how situations like this expose us to liabilities without the disaster-type situation that we traditionally thought about. That is something we are getting to grips with.”

He said the cyber risk was probably priced in at the moment, in view of the claims experience so far “but we need to look ahead and see how these kinds of situations might impact upon us”.

The International Maritime Organization (IMO) has given ship owners and managers until 2021 to incorporate cyber risk management into ship safety with owners risking having their ships detained if they have not included cyber security in the ISM Code safety management by 1st January 2021.

But all the experts agreed that ship owners should not be waiting for that date and implementing more training and awareness, processes and procedures and technology now to deal with possible attacks.

“I think training and awareness is still the biggest vulnerability and the human element is by far the most vulnerable factor,” said Mr Wylie, a former British military serviceman who has spent the past 10 years in the maritime security sector, more recently focusing on cyber.

“You can’t mitigate the risk that you don’t understand.”

He said there were significant gaps in investment and planning at executive level.

“A lot of management stakeholders would tell us that everyone is cyber aware and everybody is getting trained but actually when you speak to the seafarers, the Captain and the crew onboard, it’s a very different story.”

This point was echoed by Mark Sutcliffe, Director, CSO Alliance, an online portal which enables information sharing and reporting of maritime security incidents by company security officers.

The Alliance recently entered into an official partnership with Airbus to launch a portal specifically focusing on maritime cyber events – maritimecyberalliance.com

“The key thing here is that security is the poor cousin to safety,” he said, adding that half of ship owners have less than five ships so probably only have a part-time CSO, who has other jobs.

“The message is ‘security through community’. Organised criminals would love us to stay disorganised,” he said.

However, he did say that the ship owners he was talking to were really beginning to prepare.

The new cyber security reporting portal will allow anonymous reporting and the dashboard will show all the latest incidents taking place.

“If a company is involved in something like CSO Alliance and sharing information they are more likely to be aware of the risks,” said North P&I’s Mr Durkin.

However, he does not think premiums will be reduced by belonging to such an initiative. “The point is that we are providing that cover effectively for free at the moment.”

He said owners should now be doing something to mitigate the risk.

 “We are pragmatists in the marine insurance world and we are used to dealing with problems. We are not expecting perfection by any means but what we do expect is a level
of preparedness and a level of diligence, starting to be exercised by ship owners.

“What I would like to see is Class taking the lead in this situation so that ship owners can have their systems tested by something that is internationally regulated because that then gives us the benchmark to which everybody has to operate.”

Fellow panellist Jan Hinnerk Haul, Principle Consultant, Shipping advisory, DNV GL said: “People are more likely to ship with you when they are reasonably secure that you will not stall their supply chains by getting a problem with cyber security.”

He said one step which could be taken to mitigate the risk was to consider replacing IT at every five-year docking. He said DNV GL also had a recommended practice and offered in-depth assessment and advisory services as well as penetration testing and training and certification.

Mr Wylie posed the question “are we soon going to see the first vessel classed as unseaworthy as a result of a cyber incident?”

“I do see this happening for ships in the higher risk picture, such as cruise ships,” said Mr Haul, and Mr Durkin said once ISM comes into force, P&I Clubs would be asking claimants what they did to protect the ship.

Mr Haul said ship owners should not rely on technology alone for protection – processes and procedures and training and awareness were vital and training needed to work at all level, from those onboard vessels to top management.

“We have to innovate, we have to share, and we have to learn because this is our maritime supply chain and we all have to make our living from the carriage of goods by sea,” concluded Mark Sutcliffe.