Cyber-attacks pose a serious threat to corporations generally and those involved in shipping are no exception. The Cyber Risk team at Clyde & Co has worked on over 3,000 data breaches and cyber incidents including a number of the largest, most high profile incidents globally to date. Although these cases and incidents have encompassed the full range of global business interests, Clyde & Co is particularly well placed to understand and assist in relation to the sharply increasing cybercrime risks posed to the shipping industry.
This is the first in a series of four articles that will consider some of the key issues surrounding the threats posed to the shipping industry and highlight some of the most important steps that can be taken to mitigate that risk. This first article will consider examples of the risks and vulnerabilities that particularly affect the shipping industry as well as highlighting the importance of reacting to developments in market knowledge by reference to contract of carriage claims.
Shipping industry incidents
Most people are by now familiar with the "NotPetya" malware cyber-attack on Maersk Line in 2017, which reportedly caused the company around USD 300 million in losses. This incident was followed in 2018 by a serious ransomware attack on COSCO that severely impacted its email and telephone systems in the United States as well as other locations and which the company described as having caused "significant business interruption". More recent cases affecting the shipping industry have included the following:
- In April 2020, Mediterranean Shipping Co encountered a malware attack forcing the carrier’s website and headquarters to shut down for almost a week.
- In September 2020, CMA CGM SA was the victim of a ransomware attack which impacted some servers on its network and prevented customers from having external access to the company’s IT applications and booking systems.
- In October 2020, The International Maritime Organisation suffered a cyber incident against its IT systems internally and externally.
Although the shipping industry faces broadly the same cyber-risks as other sectors, it is becoming increasingly apparent that it fits the profile of the high value, critical infrastructure targets sought by cyber criminals and also faces risks that might be considered unique to the nature of carriage of goods by sea, for example:
- Systems affecting the navigation of the vessel, such as ECDIS or AIS, may be attacked to facilitate piracy, criminal or terrorist objectives. For example a cyber attacker could disable the vessel's AIS and/or create false or misleading AIS reports. The technology needed to "spoof" a vessel is inexpensive and becoming easier to find and download online. Spoofing incidents have already been seen in practice in coastal areas of Russia, China and elsewhere.
- The increasing use of shore-based control systems to monitor and direct ship-board operations provides new means of interference by third parties or internal error that may affect the prosecution of the voyage. We have seen cases involving shipping industry targets where a large number of consignments of goods were wrongly directed and/or the contractual voyage was interrupted and/or seriously delayed. This gave rise to claims including for physical loss and/or damage to perishable goods and consequential losses.
- Electronic manipulation of cargo documentation or handling systems. It has been known for pirates to use cyber-attacks as a form of reconnaissance to identify ship manifests, container ID numbers and vessel sea routes to assist in the organisation of attacks and the targeting of high-value goods.
As the increasing nature and extent of the threat posed to the shipping industry by cybercrime becomes clear, attention has also focussed on some of the legal issues and difficulties that are posed by such threats.
Carriage Contract Issues
In each case involving cybercrime there is the potential for resulting legal claims involving a wide range of parties, including shipowners, charterers and cargo owners. The preparedness of the shipowner's and the ship's systems to deal with the relevant cyber-attack is likely to be an important consideration in the context of such claims.
Claims under charterparties following a cyber-attack could arise in relation to a variety of provisions such as those relating to delivery / redelivery of the vessel, laycans, prosecution of the voyage, delays to loading and discharge and also the payment of hire.
To take a particular example relating to contracts of carriage, most such contracts will be subject to the Hague and/or Hague-Visby Rules ("the Rules") and a fundamental obligation of the carrier under Article III Rule 2 of the Rules, is to properly and carefully keep, carry and care for the cargo, including delivering it to the contractual destination without unreasonable delay. The carrier's duties under Article III Rule 2 are subject to the exceptions in Article IV Rule 2. In the case of a cyber-attack giving rise to delay and/or damage to cargo, carriers have sought to rely on the exception in Article IV Rule 2(q); "Any other cause arising without the actual fault or privity of the carrier, or without the fault or neglect of the agents or servants of the carrier…"
However the exceptions in Article IV of the Rules do not apply if the carrier is in breach of its obligation under Article III Rule 1 of the Rules (the seaworthiness obligation) and this is a very good example of an area where legal battles are likely to be fought in cyber-attack cases in future. The seaworthiness example is also instructive to consider because it usefully illustrates the need for the industry to pay careful attention to the rapidly-changing cybercrime landscape.
The carrier's duty is to exercise due diligence before and at the beginning of the voyage to provide a seaworthy ship. "Seaworthiness" covers not only the physical condition of the vessel but also the adequacy and efficiency of crew, stores and equipment and the suitability of the vessel to carry the agreed cargo. Clearly this obligation has the potential to extend to losses that have arisen in relation to cybercrime or attacks, but to what extent? How is the responsibility of the shipowner to be judged in relation to this new and developing cause of loss?
The test of seaworthiness has been defined as follows:
"If the defect existed, the question to be put is: "Would a prudent owner have required that it should be made good before sending his ship to sea had he known of it? If he would, the ship was not seaworthy..." (McFadden -v- Blue Star (1905) 1 K.B. at 706).
So how do we apply this formula to the threat posed by cyber-attacks? Clearly the 'prudent shipowner' test suggests that seaworthiness is to be judged in accordance with the state of knowledge in the industry at the time. Where the knowledge and experience within the shipping industry in relation to cyber-attacks is at such an early and developing stage, the steps that would be expected to be taken by a 'prudent shipowner' will currently be subject to a high degree of uncertainty. This will inevitably result in greater scope for disputes and litigation. What is absolutely clear is that there is currently an increasing obligation – in fact a rapidly increasing obligation - on shipowners to avoid and mitigate the risk of cyber-attacks and to train and educate crew and other relevant personnel.
Recognising the urgent need to raise awareness on cyber risk threats to support safe and secure shipping, IMO Resolution MSC.428(98) provides that cyber risk issues should be addressed in accordance with the ISM Code and included in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
In order to fill existing gaps in industry knowledge and to assist shipowners in meeting this challenge, a number of industry organisations have come together to produce a set of best practice guidelines. Examples include:
- "The Guidelines on Cyber Security Onboard Ships" (produced and supported by BIMCO, the International Chamber of Shipping, IUMI, Intercargo, Intertanko and other leading industry organisations) seeks to assist shipping companies with their on-board cyber security by providing a step by step guide to risk assessment.
- The UK Government's Department for Transport and Defence Science and Technology Laboratory have produced a "Code of Practice – Cyber Security for Ships" .
Although these and other similar public interventions provide valuable and welcome guidance for those responsible for cyber security in the maritime sector, it is also the case that by raising the overall level of knowledge within the industry about the threats posed and the preventative measures that can be taken, they might also be considered to have raised the level of obligation that must be met in order to satisfy the 'prudent shipowner' test in the context of an unseaworthiness claim. As such, the issue of unseaworthiness provides a useful illustration of the increased levels of awareness and preparedness that will be required if the challenge posed to the shipping industry by cybercrime is to be met.
Of course, in addition to the example of unseaworthiness under contracts of carriage, there are many additional risks posed to the shipping industry by cybercrime. Future articles in this series will consider the rapid rise in ransomware incidents as well as issues related to exfiltration and data protection. We will also consider the steps that can be taken now to anticipate and mitigate risks, including issues relating to insurance and how to respond when an incident has occurred.