It may come as a surprise to many that one of the greatest risks to companies may be hackers accessing and manipulating their computer systems. However, according to the World Economic Forum’s 2014 Global Risk Report, cyber attacks are one of the top five risks facing the global economy.
The maritime industry is by no means immune to this threat and is, in fact, considered by many to be one of the most obvious targets. This article considers the potential vulnerabilities of ships, oil rigs, ports and terminals and the potential damage that a cyber attack could cause.
Reliance upon computer systems
The shipping industry, like the rest of the world, is becoming increasingly dependent on electronic systems which play a role in navigation, engine control, steering control and cargo handling. Almost all major shipowners, port operators, freight forwarders and logistics companies consider information technology as one of the most important systems in their businesses.
To take some obvious examples:
- Automatic identification systems (AIS) exchanges vessel tracking and identification data with other vessels, ports and the coast guard.
- A ship’s position report and speed are displayed on the Electronic Chart and Display Information System (ECDIS), the data for which is updated from the internet. (Under SOLAS all ships must have ECDIS electronic charts by 2018).
- Ships and container ports rely on electronic Global Positioning Systems (GPS) to identify vessel positions, steer port cranes and stack containers.
There is concern in the industry that, rather than reducing risk, the improper use and over-reliance on electronic systems may have actually increased the risk.
Impact of an attack
The potential damage that a cyber-attack could cause to a shipowner or port operator is hard to quantify.
There is some evidence that attacks may already have occurred:
- There is anecdotal evidence of a cyber-security company accessing and modifying the electronic charts in some ECDIS software to highlight the risks. Obviously if there was malicious modification of the charts, and nobody was aware, then it could result in a collision or a grounding.
- Hacking of a vessel’s or port’s GPS system. It is reported that one US port suffered a seven hour GPS signal disruption that crippled container movement operations.
- Hacking of port computers that track and control the movement and location of containers. There are reports of criminal gangs accessing port computers in order to identify and steal particular containers.
- Evidence of a cyber-attack on a floating oil rig, causing the rig to tip and ultimately shut down for several days.
All of the above examples result in fairly obvious financial losses, however, in addition there are the potential business interruption losses which could arise out of a cyber attack1.
It is thought that one of the reasons why so few cyber attacks have been reported is that companies are fearful of the reputational damage that such a disclosure could cause. Companies do not want to alarm investors, regulators or insurers.
However, increasingly regulators in the US, EU and elsewhere are obliging companies to disclose any data breach that occurs.
It is widely felt that the marine industry is, for the most part, totally unprepared to deal with existing and emerging cyber threats.
This has been recognised by organisations such as BIMCO, Intertanko and Intercargo who announced on 15 April 2015 that they are developing standards and guidelines to address the major cyber security issues facing the shipping sector. These guidelines are intended to minimise the risks of an attack and advocate the development of contingency plans should an attack take place.
In the meantime, we would recommend that shipping companies give careful consideration to the systems they have in place to prevent and respond to a cyber attack, and that they routinely test their internal governance system and supply chain, and monitor it for intrusions.