Rising cyber exposure in maritime calls for urgent action
Cyber-attacks targeting the marine sector, and critical infrastructure more broadly, are growing rapidly across the world and in Asia. As the maritime industry undergoes rapid digitalisation, ransomware attacks continue to escalate. In fact, hackers are narrowing their focus on organisations in the sector which are seen as tempting targets due to a perceived lack of cyber security investment and potential for significant operational disruption.
The marine industry being an attractive target for hackers is not new. Since Maersk suffered a devastating US$300 million ransomware attack in 2017, the maritime industry has earned the unfortunate distinction of being the only sector to have had all four of the world’s largest shipping companies hit by cyber-attacks in the last four years: Maersk, Mediterranean Shipping Company, CMA CGM and COSCO.
As an international shipping centre with global influence, it is crucial that Hong Kong’s maritime industry is well-prepared against cyber attacks which are rising in frequency and sophistication.
Rising threat levels
Compliance requirements around cyber risk for shipowners and operators have increased since the start of 2021, amid growing anxiety over the financial impact and operational ramifications of cyber-attacks. Shipowners and operators globally, including here in Asia, are now obliged to comply with the International Maritime Organisation (IMO)’s resolutions pertaining to cyber risk management and guidelines. Every Safety Management System must be documented as having factored in cyber risk management and processes for cyber risk assessment, in line with the International Safety Management Code.
Since the start of the pandemic, cyber security specialist Naval Dome found that there has been a 400 per cent increase in attempted hacks on the marine industry globally. There are threats in the field of information technology, like IT networks, e-mail, electronic manuals and certificates, planned maintenance, permits to work, spares management and requisitioning, administration, accounts, crew lists and so on, where mainly finance and reputation are at risk.
Much worse are threats to operational technology such as the Global Positioning System, engine and cargo, where there is danger to life, property and the environment, plus all the risks that are associated with IT. And as highlighted by marine cyber security experts Ocean Shield, the limitations in cyber response capabilities are exacerbated by the lack of visibility around onboard digital asset inventories and network infrastructure, which are not as well mapped out as IT assets.
Marine cyber risk in Asia
Asia Pacific appears to be the most targeted area in the world for ransomware and state-sponsored advanced persistent threat groups, with the region experiencing a 168% increase in cyberattacks between May 2020 and May 2021. The recent cyber breaches of Singapore-based marine services provider Swire Pacific Offshore in November and South Korean shipping company HMM in June this year highlighted this threat.
Imagine the disruption to the global economy should a major port such as Hong Kong be crippled by cyber attacks. And what would be the scale of devastation if several ports across Asia were forced to shut because of a cyber-attack? According to a scenario analysis done by the Singapore-based Cyber Risk Management (CyRiM) project in 2019, damage to the world’s economy from a concerted global cyber attack on 15 Asian ports could cost up to $110 billion in an extreme scenario.
If such an event were to happen, claims paid by the insurance industry would be in the region of $8.3 billion, which reflects the current high level of underinsurance for such cyber-attacks. Insurance payouts would include coverage for Business Interruption, Contingent Business Interruption, Incident Response Costs and Data and Software Loss.
Despite the data on insured losses and the real possibility of claims, there are still major misconceptions around cyber risk and insurance.
Dispelling misconceptions
Myth 1: We have invested significantly in network security controls and have therefore eradicated cyber risk
Putting the right controls in place is a crucial element of cyber risk mitigation. Such controls, however, can only ever minimise the vulnerabilities in the network and/or decrease the likelihood of the threat.
It is impossible to eradicate the risk altogether as no security can be 100% effective. Moreover, insider threats remain an issue. Employees make mistakes and, on occasions, seek to deliberately cause their employers harm.
Myth 2: Losses arising from cyber risk are covered under traditional marine insurance policies
This, of course, could be correct depending on the terms of the insurance contract. Hull and machinery policies, however, typically exclude loss or damage caused by a cyber-attack. In some cases, policies may be silent on whether loss arising from cyber risk is covered or excluded, which potentially gives rise to uncertainty and litigation.
Myth 3: Hull and machinery insurance policies include a cyber-attack exclusion, but a cyber-attack can’t lead to property damage
This is incorrect. For example, in 2008 a pipeline in Turkey exploded after cyber-criminals hacked into the pipeline’s control systems. Similarly, in 2014, hackers accessed the control systems of a steel mill in Germany causing significant physical damage.
While there have been no reported cases of physical damage to vessels caused by a cyber-attack (which is not to say there haven’t been any cases), the increased reliance upon operational technologies such as GPS, AIS and ECDIS on board vessels undoubtedly increases the threat of physical damage.
Potential for physical damage
As ship operations become more interconnected with shore-side computer systems, partly driven by the digitalisation wave in the wake of COVID-19, the potential for a cyber event leading to physical damage is high. The reputational implications, if an attack took place on such a critical industry, would be severe.
Maritime operators can also easily become collateral damage of attacks not targeted at them: just look at Maersk and many others who were collateral damage for a cyber-attack targeted at Ukraine a few years ago.
Our work with companies shows that cyber insurance with a physical damage extension would provide protection for financial losses, although insurance buyers would first need to demonstrate robust controls and cyber response capabilities.
Bridging the Security Gap
While digitalisation of the industry brings exciting possibilities, due care must be taken to ensure cyber threats are managed.
Cyber security remains of critical importance for maritime operators, yet it is perhaps not receiving the funding, focus and risk management approach it deserves and needs. With cyber-attacks on ship owners and operators being reported with ever-increasing frequency across Asia, the time for open collaboration, risk discussions and knowledge sharing is now.