Is the Shipping Industry on Cybersecurity Autopilot?

The summer months of 2017 have been a watershed for the maritime industry, and more is yet to come.

On the one hand, reports indicate that ships in Norway are closing in on becoming the very first in the world to operate completely without a crew. On the other hand, the recent Petya ransomware attacks struck the shipping industry hard.

The promise of economic and safety advances with increased digitalization and automation within the maritime industry is nothing short of revolutionary; but so too are the attendant risks, particularly from a cybersecurity perspective. Only recently, however, has attention been paid to cybersecurity concerns, particularly on the water.

In fact, even before fully autonomous ships plie the oceans, the cybersecurity vulnerabilities lurk beneath the surface, steadily growing as ships, ports, global navigation and supply chains get “smarter.” The implications of any cyberattack against global shipping are also increasingly extending far beyond the ship itself. Consider a cyber attack on an oil tanker, for example, which causes it to run aground and spill its contents. That alone would be a disaster.  Now consider what would happen if that same attack occurred in the narrowest point of the Straits of Malacca, the approximately 1.7 mile-wide stretch through which over 15 million barrels of oil are otherwise transited per day, not to mention an estimated 25 percent of all global shipping. That would be a global catastrophe.

And yet, the shipping industry has remained relatively unprepared.

Recognizing this fact, the U.S. House Intelligence Committee included a provision in the Fiscal Year 2017 Intelligence Authorization Act that required the Under Secretary of Homeland Security for Intelligence and Analysis to look carefully at cybersecurity vulnerabilities and threats to ports and maritime shipping, as well as to the status of US Coast Guard efforts to address these concerns, and to report back within six months. This provision became law in May of this year.

In late July, the U.S. House also passed the Homeland Security Authorization Act of 2017, which also included provisions designed to better ensure port operators have a thorough plan for cybersecurity, and that would create a mechanism for port operators to share current cyber threat information and best practices.

In mid-July, the Coast Guard took its own action.  Following its December 2016 addition of cybersecurity to the list of “security” items that are covered by the 2002 Maritime Transportation Security Act (MTSA), the Coast Guard, on July 15, announced a request for public comment its Navigation and Vessel Inspection Circular (NVIC) 05-17: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities. If promulgated, this NVIC would “begin to lay out a series of policies and procedures” to mitigate the growing cybersecurity risks while ensuring the continued operational capability of the Maritime Transportation System. Essentially, the NVIC would clarify the existing requirements under the 2002 MTSA to incorporate the analysis of computer and cyber risks, and it would set forth guidance for addressing those risks. Additionally, this NVIC would provide guidance on incorporating cybersecurity risks into an effective Facility Security Assessment (FSA), as well as provide additional best practices for policies and procedures that could reduce cyber risk to operators of maritime facilities. 

This Coast Guard initiative would bring maritime facility security more in line with cyber best practices across other industries. For example, the draft guidance relies heavily on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). First published in 2014, the NIST CSF assists organizations in assessing their unique cyber risks and vulnerabilities so that they can systematically mitigate them. The Framework, like the Coast Guard’s proposed NVIC, favors a holistic, proactive, and tailored process, not a standardized, one-and-done approach. Both also propose certain recommendations, such as reviewing the security of third parties and “air gapping” certain networks to keep them free from internet-borne viruses. 

The NVIC also reflects the larger regulatory convergence around this approach to cybersecurity. Whether the SEC, FDA, New York State DFS or European GDPR, regulators are coalescing their approaches around requiring a holistic, proactive, risk-based and well-practiced cyber strategy. 

Additionally—and importantly—regulators are increasingly signaling that they will be enforcing cybersecurity. In the maritime context, the inclusion of cyber within the MTSA could mean penalties of up to $25,000 per cyber preparedness violation. The prospect of greater regulatory enforcement could also translate into the need among the industry to plan ahead to prepare for the costs of responding to government investigations. 

Despite all this attention and increasing potential for regulation, more needs to be done, particularly when it comes to the ships themselves. The summer’s ransomware attacks that have hit a major shipping company make that point abundantly clear. It is also hard to avoid the particularly apt cliché that this ransomware attack is only the “tip of the iceberg” when it comes to the cyber threat to the shipping industry. Even cruise ships carrying thousands of passengers miles from land are vulnerable to debilitating cyber attacks, particularly as their bridges and engineering systems become increasingly high-tech and connected to satellites and the internet.

But, it is also not just about things, but about people. People are often the weakest link when it comes to cyber attacks, and yet, according to a 2015 FutureNautics survey, fewer than one in eight crew members on maritime vessels have received any cybersecurity training and fewer than half of crew members were even aware of cyber policies. Even a crew member who works in the kitchens can pose a cybersecurity threat if they connect their laptop to the ship’s network.

Not surprisingly then, over 40 percent of crew members report sailing on a vessel that had become infected with a virus or malware. 

To be certain, there are those besides DHS and the Coast Guard who have been sounding the cyber alarm bells. The International Maritime Organization (IMO), for example, a specialized United Nations agency, has recently started incorporating cyber risk management into their regulations. By 2021, some of these regulations will require full compliance. In the interim, in July of this year, BIMCO, a Denmark-based international shipping organization, produced its version 2.0 of “The Guidelines on Cyber Security Onboard Ships,” which are “aligned with the IMO guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety.” 

While the IMO regulations are not yet compulsory, and the BIMCO guidelines are “not intended to provide a basis for and should not be interpreted as calling for auditing or vetting the individual approach to cyber security taken by companies and ships,” the pace of digitalization, and the explosion of cyber malicious activity, indicates that any company not in compliance will be decidedly more vulnerable than its competitors, and may lose lucrative business contracts for those companies not willing to risk shipping their product on cyber insecure vessels.

The industries that rely on shipping or provide services to the maritime industry must also take note, as successful attacks to shipping can have a vast ripple effect. Lloyds of London recently estimated that the true cost of a serious cyber attack could exceed $120 billion dollars. Underwriters therefore need to ensure that premium calculations keep apace with the changing cyber threat. At the same time, as part of its cyber strategy, the shipping industry needs to systematically review existing insurance to determine what is covered when it comes to cyber—and what is not.

Ultimately, for the maritime industry and for those industries reliant on the maritime industry, the time is now to generate and implement a sound cyber strategy, especially with the move to greater connectivity and greater automation. Cybersecurity is not just about IT, and it cannot be left to IT departments alone. Rather, cybersecurity requires a holistic, proactive, risk-based and well-practiced approach that starts at the very top of the companies and organizations.  

In other words, cybersecurity is one feature of the shipping industry that cannot be left to auto-pilot.

Michael Bahar is the former Minority Staff Director and General Counsel of the U.S. House of Representatives Permanent Select Committee on Intelligence. Bahar currently serves as a partner at Eversheds Sutherland (US) where he leads the Cybersecurity and Privacy team.