Shipping should prepare for more cyber attacks, warns lawyer

There are unique risks to 'cyber-securing' ships. Credit: Getty Images
There are unique risks to 'cyber-securing' ships. Credit: Getty Images

A leading maritime lawyer has warned the maritime sector it must brace itself for more cyber attacks as the industry struggles to implement protection.

Rory Macfarlane, partner at Ince & Co in Hong Kong, told IHS Markit that in many ways the shipping and logistics sector finds itself more exposed to the cyber threat than any other industry.

“I believe there are several reasons for this,” he said. “First and foremost, the digital attack surface that most shipping and logistics companies have is extensive. The nature of international transportation is such that for even a single shipment of goods it can require a myriad of entities in multiple jurisdictions, including the carrier, charterer, shipper, load and discharge port authorities and agents, road or rail hauliers, receivers, and so on.

“This matrix of operational connections generates multiple points of entry for threat actors to exploit. This supply chain, just like any chain, is only as strong as its weakest link. While your business may have a proactive and robust cyber-security culture in place, the same may not be the case for some of your counterparts. Once one system is compromised it will make it easier for a threat actor to infiltrate the others.

“Further risk comes from some of the unique challenges that arise in cyber-securing ships. A lot of cyber-security software is designed for enterprise IT systems. However, on ships, many of the systems that are now digitalised are industrial control systems and OT [operational technology] systems. Enterprise IT security systems may not be suitable for some of these systems.

“Generally, there are two approaches to monitoring networks for cyber breach: the host-based approach and the network-based approach. The trouble with a network-based approach is that the communications bandwidth required when seeking to monitor digital traffic patterns between a fleet of ships and the shore is prohibitively expensive. The challenge with host-based alternative is that ship safety equipment often requires type approval. Once a system has type approval, there are constraints that can prevent retrofitting of the type of software necessary to run a host-based cyber-security approach.

“In addition, the potential gains to be made by cyber criminals in shipping are large. Ship operators frequently make big payments in the form of freight, charter hire, and MOU [memorandum of understanding] deposits. This fact, when combined with the large attack surface and industry-specific security challenges, will make shipping an increasingly attractive target.

“If it has not been before, shipping and logistics will soon be firmly in the cyber crime cross-hairs.”

Ince & Co has said that firms remain reluctant to share information that would help the wider industry. They also face new rules from regulators who want to see more transparency after any incident.

“The cyber-related regulatory and legislative forerunners have not generally targeted transparency and reporting on the part of the cyber victim,” Macfarlane said. “Regulatory efforts have instead focused, thus far, on establishing a baseline of best practice for the industry to carry forward.

“However, this is beginning to change. Both the GDPR [the EU General Data Protection Regulation] and NIS [EU Network and Information Security] Directive will have mandatory reporting requirements when they come into effect. Similar legislation has been enacted in China. Moreover, the US has requirements on owners calling into its territorial waters to report suspicious activities and cyber breaches.”

Macfarlane added that the shipping sector was behind the curve compared with other industries when it comes to tackling cyber threats.

“There are two clear, interlinked factors especially relevant to maritime that have further contributed to this position,” he said. “Firstly, many owners and operators are underestimating the extent of their cyber risk, by focusing on the likelihood of a targeted attack to seagoing assets, rather than the parallel risk of indiscriminate attacks to their shore-based operations. Secondly, and related to this first point, the tough market conditions within which shipping and logistics businesses have had to operate since the financial crisis have piled pressure on finances. In a cost-saving market, owners and operators are reluctant to invest in cyber-security protocols especially if their own assessment of their risk has shown it to be low – sometimes erroneously so.

“Things are improving, albeit still too slowly. There are excellent cyber-security resources available, some with a particular maritime focus. Examples include the UK Department of Transport code of practice and the BIMCO guidelines. The IMO’s decision to include cyber security in its ISM [International Safety Management Code] onboard safety management requirements from 2021 is also to be welcomed. However it would be ill-advised for any business to wait until 2021 before undertaking a cyber-security assessment and implementing an appropriate layered cyber-security plan.”