The Cyber future of Marine Risk and Insurance

  • The Cyber future of Marine Risk and Insurance

    Author: Jana Rodica, LL.M.

    Key words: Cybercrime, Cyber risk management, Coverage gaps, Unmanned vessels, Autonomous shipping, Port facilities

    Safety of international shipping vessels is critical to the global economy given that, approximatively 90% of traded goods are transported by international shipping industry. Although the downward trend in shipping losses is encouraging, more challenges however lie ahead. In particular, the cargo shipping industry has witnessed a capacity increase and an increase in the size of ships.
    The size of vessels augmented drastically over the past fifty years, and increases in vessels’ size have become exponential over very limited periods of time due to technological advancements. The increase of vessels’ size which finds parallels also in other shipping sectors (ex. ever increasing size of passenger ships), combined with the advent of drone cargo ships at the horizon, pose new challenges to the legal and insurance landscape of the marine industry, especially in consideration of the increased importance of IT and electronics, leading to the necessity of redesigning risk management processes, also in a way to properly weigh the emerging cyber risk elements which are affecting the marine industry.
    Cyber risks are already present in marine shipping and transportation with navigation having become ever more reliant on electronic navigation tools and interconnectivity. Presently, it is possible to notice over-reliance on technology (ex. navigation), training of crews not uniform in all countries and minimum manning levels on board, all elements that, in an even more advanced IT environment, will make, for instance, hackers’ lives easier when attempting to compromise a vessel. In this regard, an increasing number of malicious jamming of GPS signals in some seas has been reported. Such are called spoofing attacks, i.e. a type of cyber-attack which could lead a vessel off course and result in a grounding, collision or similar serious marine incident. Pirates are using the internet to track vessels, the web being possibly their biggest strategic asset. However, it is not only pirates who may illegally access IT networks of shipping companies, GPS and AIS systems, that may be falsely updated by hackers. The navigation system is just one element of an integrated, complex information process which can also be directly accessed. The firewalls on-board ships are often not able to provide adequate protection given that vulnerability is due to the necessity of the different systems to communicate with each other. In fact, with so many different suppliers of the different components of the systems (ex. radars, GPS, AIS, etc.), open communication is necessary for their joint operation. The flexibility inherent to the systems’ components allowing for their communication with components from other manufacturers leaves obvious security gaps which are the targets of hackers.
    Many categories of wrongdoers may be interested in such assets. The consequences of such acts may give rise to theft of data or cargo, extortion, property damage coupled with bodily injury and at times even loss of life, not excluding catastrophes, even environmental ones (ex. the grounding of a liquid gas container ship).
    These developments have also affected ports. In 2013, in the Port of Antwerp, a drug smuggling organization hacked the tracking system of goods. In 2014, in a primary US Port, all cranes were simultaneously shut down during loading / unloading operations by an unidentified intruder in their IT systems.
    Inadequate cyber protection is a relatively new threat compared with traditional perils. However, cyber risk is regarded by many as the major issue for the shipping industry going forward, particularly given that it is not inconceivable that an attack could ultimately result in the loss of vessels.
    In 2012, the European Network and Information Security Agency issued an Analysis of Cyber Security Aspects in the Maritime Sector, emphasizing that “the awareness on cyber security needs and challenges in the maritime sector is currently low to non-existent …” .  Improvements since then are difficult to evaluate and quantify. To date, lack of robust cyber security is identified in the Allianz Risk Barometer (2015) as “… a significant threat to future shipping safety …”.
    It is evident how the marine sector is becoming increasingly vulnerable to massive attacks in an environment in which the human factor is becoming less and less important with crews becoming smaller, ships becoming larger and more complex, coupled with growing reliance on automation by crews lacking uniform training across countries. Clearly, such factors favoring attacks is the result of a highly competitive environment in which cost cutting (smaller and sometimes poorly paid crews) and scaling of services (gigantic ships effectively managed by IT systems) is key for survival.
    Technology’s advancements are leading the way to a future in which ships will be unmanned. In 2015, a Finnish ship designer presented an unmanned and zero-impact cruise ship capable of transporting almost 600 passengers. Many other prototypes of drone cargo carriers have also seen their debut in the recent past.
    In one of their most popular systems configurations, drone ships are governed by a so-called Integrated Bridge System (IBS) having direct control over an Engine Automation System (EAS), an Autonomous Ship Controller (ASC) and an Advanced Sensor Module (ASM). The EAS controls the AEMC or Autonomous Engine Monitoring and Control, the ASM instead communicates with the dedicated LOS communicators (AIS, VDES, GMDSS). The drone ship’s systems as described above, are interfaced via a Communications Controller to the SCC or Shore Control Centre which encompasses Shore Engine Control, Remote Fine Navigation and Shore Bridge Controls. The SCC and IBS then communicate with other ships and shore systems.
    The implications of the cyber risks involved in the control and navigation of unmanned drone ships is evident and would not require lengthy argumentation.
    The International Maritime Organization (IMO) in its Interim guidelines on maritime cyber risk management acknowledged the dangers posed by cyber-risks to the marine industry and asked that the “… Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping…”.
    With the aforementioned document, the IMO has therefore attempted to provide interim guidelines on maritime cyber-risk management. By cyber risk management the IMO intends to outline a process for identifying, analyzing, assessing, and communicating cyber-related risks and accepting, avoiding, transferring, or mitigating them, considering costs and benefits of actions taken to stakeholders. In particular, the goal of maritime cyber risk management is to support safe and secure shipping.
    Very interestingly, in terms of risk management processes, the IMO distinguishes between information technology systems focusing on data as information and operational technology systems using such data to control or monitor physical processes. The risks mostly arise from the exchange of information and communication protocols.