International law firm Ince & Co has advised shipping and transportation companies to prepare for more cyber-attacks in the wake of recent high-profile incidents.
Following the widespread impact and disruption caused by the WannaCry and NotPetya attacks earlier this year, a spate of incidents in recent weeks has highlighted the evolving threat not only to shipping companies, but also to other parts of the supply chain.
Shipping company BW Group revealed last month that it was hacked in July, causing its computer systems to go offline. In addition, so-called ethical hackers claimed to identify security flaws in the onboard satcom boxes of satellite communications company KVH, whilst a cyber-security specialist reported on vulnerabilities in Inmarsat’s shipboard communications platform. Both KVH and Inmarsat have since responded to these claims.
According to Ince & Co, the root cause of this challenge is that increasing digitalisation, advances in satellite communications, and a drive towards greater technological efficiencies all increase the risks for owners and operators rushing for the benefits, without considering the side effects.
Rory Macfarlane, Partner, Ince & Co Hong Kong, commented: “Throughout 2017, we have seen headline-worthy cyber-attacks occur with growing frequency and severity. A number of high-profile companies have already fallen foul of the risks posed by the increasing digitalisation of our industry. As new technologies emerge to streamline operations, cut costs and increase efficiencies, evolving and expanding cyber-threats also emerge. It is imperative that shipping companies act to mitigate their cyber-risk now, before they become the next victim of a major breach.”
He pointed to the WannaCry and NotPetya ransomware attacks as examples of the type of threat facing the shipping industry:
“The effects of the NotPetya and WannaCry ransomware attacks proved a potent example of how costly a large scale, sophisticated cyber-attack can be, but for those working within cyber-security, these attacks did not come as a surprise.
“With operations impacted, there was an obvious financial cost to these incidents. But the reputational damage could prove more serious. We have seen hard-earned track records for compliance and operational excellence all but evaporate in the event of a public breach. While the costs of this type of damage are hard to quantify, it adds yet another reason to invest in appropriate cyber-security systems and employee education.”
Mr Macfarlane also highlighted the difference between ‘cyber-attack’ and ‘cyber-breach’:
“Businesses must recognise a simple fact: there will be – or has already been – a cyber-attack on your business. But a cyber-attack being inevitable does not mean a ‘company-ending’ cyber-breach will be. Companies that make honest assessments of their businesses and get on the front foot will be able to mitigate their cyber-risk dramatically. Those who decide to ‘wait and see’ will have a rude awakening as these kinds of risks continue to develop.
“What we see now is the tip of the iceberg. The size of the threat is underplayed due to a reluctance within the industry for victims of a breach to share their experiences for the collective good. Moreover, as it is common for cyber-criminals to remain in a company’s system for up to six months after an initial breach, waiting for the most appropriate moment to strike, there will be businesses that are about to suffer a loss and do not realise it.
“To be sure in the security of their systems, companies must begin to develop comprehensive security and response plans as soon as they can. The response plans should outline the steps to take in the minutes, hours, days and weeks after a breach. We also recommend that companies engage with a multi-disciplinary team that is ready to step into action, including IT teams, compliance experts, fleet managers and shoreside staff.”
Mr Macfarlane advocates a proactive approach for concerned owners and operators: “In the world of cyber-prevention, by far the best form of defence against cyber-crime lies in a concerted, top-down effort to planning and prevention. Indeed, board members should be aware that an unprevented cyber-breach could constitute an abdication of fiduciary duty, if mitigating measures were ignored or not put in place.
“Ince & Co is working with the leading cyber-security team at Navigant to offer a cyber ‘health-check’. In this health-check, we work with companies to create a written assessment of IT policies and procedures, employee protocols, regulatory and contractual obligations, insurance cover against losses following a cyber-attack, and evaluate cyber-response plans. This is not a ‘one-size-fits-all process’ – a bespoke approach is needed for each company as they continue to digitalise their operations.
“The message is simple: improving your cyber protection need not be costly. Significant improvements can be made for a modest investment. But prevention is always better than a cure, and the creation of a culture of cyber-security is essential.
“Shipping is on the cusp of dramatic evolutions in how business is conducted, goods are moved and deals are sealed. But as we embrace all of the benefits new technology has to offer, it is only right that we also examine the risks, lest we fall foul of them ourselves.”
He added: “It may be time for the focus of the debate to shift from cyber-security to cyber-preparedness. As the amount and sophistication of attacks increase, and the digital and human attack surface expands, the chances of permanently keeping threat actors out of our businesses are diminishing month on month. Even a cursory glance at the list of blue-chip businesses, both within and outside shipping, who have suffered huge losses from significant cyber-events should dispel the myth that seems to remain in the boardroom that ‘this could not happen to us’. Implementing measures that will minimise the harm that can be done once your systems are hacked is crucial.”