This article was originally published in The Charterer, the newsletter of the Charterers P&I Club on 1 Aug 2017.
Cyber risk and security in the shipping industry is a relatively new concern that has only begun receiving industry-wide attention over the past five or so years. This is largely a result of the increased frequency and publicity of cyber-attacks in other high value industries, and the increased integration of internet and satellite-based information exchange systems into ships to improve safety and operational capabilities, and to comply with international standards and Flag Administration requirements. Once again, however, the drive for greater efficiency and safety has opened up an entirely new category of risk.
New though the concern may be, the reality is that most legal issues that will arise as a consequence of cyber-attacks will fall to be considered against a legal framework that is now centuries old. In this piece, we focus on one (albeit, a significant) element of that traditional legal framework: the seaworthiness of the vessel.
Various hypothetical scenarios involving the compromise of a ship’s cyber security may be envisaged: the ECDIS or AIS systems on board may be attacked to facilitate piracy or other criminal or terrorist objectives; shippers of dangerous cargoes could electronically make changes to cargo manifests so as to give the appearance of carrying non-dangerous cargo; or criminals intent on stealing high value cargo could facilitate such a theft by electronically manipulating cargo handling systems (as recently took place in a major European port).
In each scenario, there is high likelihood of legal claims and cross-claims involving shipowners, charterers, cargo interests, and insurers: in the piracy scenario shipowners (or their subrogated underwriters) may seek general average contributions in respect of any ransom and other payments; in the dangerous cargo scenario an explosion or a fire causing damage to other cargo will give rise to significant claims; and in the theft scenario, a claim by the owners of the stolen property can be expected. The adequacy of the ship’s preparedness to deal with the nature of the relevant cyber-attack will almost certainly fall to be considered in each case.
In this respect, it is worth remembering three central tenets of the traditional concept of the seaworthiness of a vessel:
First, a ship is seaworthy if she has that degree of fitness which the ordinary careful owner would require his vessel to have at the commencement of her voyage having regard to all the probable circumstances of it. In short, the question is: would a prudent owner have required it should be made good before sending his ship to sea, had he known of it?
Second, a vessel’s seaworthiness extends beyond its physical fitness for the relevant voyage. It extends to ensuring that the vessel has (i) sufficient, efficient and competent crew, and (ii) adequate and sufficient systems on board to address matters that might be encountered during the relevant contractual voyage.
Third, whether a vessel is seaworthy is to be considered by reference to the state of knowledge in the industry at the time.
Viewed against these tenets, the first observation in the context of the threat of cybercrime in shipping is that its precise parameters are currently unknown. It will, however, become increasingly difficult for shipowners to argue successfully that the state of knowledge in the industry is such as to permit them to do nothing to address the potential of cyberattacks. P&I Clubs, international organisations, and critically, the IMO, have done a great deal over the past few years to raise awareness of the threat which cyber security poses to the shipping industry. Take for example, the “Be Cyber Aware At Sea” campaign supported by many significant players in the industry, the “Guidelines on Cyber Security On Board Ships” produced by BIMCO, CLIA, ICS, INTERCARGO, and INTERTANKO in February 2016, and the IMO’s recent “Interim Guidelines on Maritime Cyber Risk Management” issued on 1 June 2016. If it is not there already, the industry is certainly moving closer to a world where shipowners will be expected to take positive steps to address potential cyber-crime risks that may arise in the course of a voyage, in order for the vessel to be considered seaworthy.
Precise positive steps that would be required to ensure the seaworthiness of a ship in this respect are beyond the scope of this piece. However, it is noteworthy that two of the central themes of most of the publicly-available guidance on how to address the risk are described in terms that closely mirror two of the central tenets of seaworthiness – the implementation of cyber risk management systems and protocols (both on shore and at sea) designed to avoid, transfer, and mitigate the risk of cyber-attacks; and the training and education of relevant crew and personnel on the identification and mitigation of cyber-risks. In the absence of being able to show positive steps taken in line with either of these themes, a shipowner caught in a hypothetical claim of the type discussed above may well find itself in an uphill battle to establish the fitness of its vessel.
The following are just two examples of recent cases that involve these issues. In case one, unidentified cyber terrorists managed to hack remotely into the stability programs of an offshore platform. They were able to make changes that destabilised the rig, which in turn led to its shutdown and the loss of production for 48 hours. No direct demand or responsibility statement was received and it is believed that this could well have been the action of a protest group or simply an individual “trying their hand” at infiltrating the systems.
Case two involved hacking into the accounting systems of both operators and their brokers, changing two digits in a standard bank account number. This led to the mis-payment of funds to a re-directed bank account. Initially, when a query was raised, the hacker (who had planted a virus in the system) was able to intercept email correspondence in order to pose as the client and explain the reason for the change in details. It was only due to the perseverance of the accounts personnel that the fraud was discovered and steps taken to intercept the accounts to prevent funds being removed from the duplicate account.
From a charterers’ perspective, as highlighted during a series of presentations recently given by the Club to charterers and operators in China, there are a number of areas where in the future charterers’ liability could well be extended into the arena of cyberattack. Take for example the charterers’ obligations in relation to providing a safe port. In circumstances where a vessel suffers damage as a result of a port’s cyber security being compromised and it can be shown that the port had inadequate cyber security systems in place, could it be argued that the port is rendered unsafe for the vessel in question? Likewise, in relation to the obligations for safe stowage, which often may rest with charterers as a matter of contract, in circumstances where the loading operation is affected due to a cyber-attack, could resulting damage, both physical and financial, ultimately be found to be the responsibility of the charterer?
Currently there is no direct case law which considers such issues in a maritime context. Further the extent to which existing clauses in commercial contracts and insurance policies effectively address the concerns is unclear, not least as every day new developments in cyber technology modify the way in which such crimes are carried out. While previously existing clauses were often aimed at “computer viruses” it is now regularly the case that the infiltration is not by means of something which can properly be termed a virus. Also the intentions of the person responsible may not fall within existing definitions of “intentional harm” - see case one above.
This article was also co-written by Julian Clark (Global Head of Shipping at international law firm Hill Dickinson LLP).