Cyber-attacks and data breaches pose a serious threat to corporations. Recently there have been a number of high profile attacks. Perhaps the most notable of which for the marine industry was the cyber-attack on Maersk, which reportedly affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services and oil tankers. Maersk estimated that the cyber-attack negatively impacted its third quarter results by approximately USD200m- 300 million.
Shipping companies face the same risks as any other company, e.g.: data breaches including loss of or damage to data, software and essential IP; reputational damage; business interruption from network downtime; and financial loss due to extortion and "man in the middle" or "mandate fraud" i.e. redirection of payments.
International standards and guidelines for cyber security issues are provided by ISO/IEC 27001.
This provides an Information Security Management System ("ISMS") in that it identifies a number of activities concerning the management of information risks. It provides overarching management framework through which the organisation identifies, analyses and addresses its information risks.
The standard covers all types of organisations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defence, healthcare, education and government).
However, the ISO/IEC 27001 does not address the issues which are particular to vessels.
In order to fill this gap, a number of industry organisations came come together to produce a set of best practice guidelines, "The Guidelines on Cyber Secutrity on board ships " (produced and supported by BIMCO, The International Chamber of Shipping, The Cruise Lines International Association, Intercargo and Intertanko) which seeks to assist shipping companies with their on board cyber security by providing a step by step guide to risk assessment.
Most recently the Institute of Engineering and Technology with the support of the UK Government's Department for Transport (DfT) and Defence Science and Technology Laboratory (Dstl) have produced the "Code of Practice – Cyber Security for Ships".
This Code does not set out specific technical or construction standards for ship systems but provides a useful management framework that can be used to reduce the risk of cyber incidents. The Code of Practice provides actionable advice on:
- developing a cyber security assessment and plan to manage risk;
- handling security breaches and incidents; and
- highlighting national and international standards used.
The code is to be used with organisation’s risk management systems and subsequent business planning and works with the ‘Cyber security for ports and port systems code of practice’.
This code is intended to be read by board members of organisations which own vessels as well as the senior officers on board and others responsible for the operation of maritime information and operational technology.The Code is further welcome guidance to those responsible for cyber security in the maritime sector.