Cyber crime is the curse of the electronic era
When communications were only about voice transmissions and Morse code sound signals, the only danger to a ship’s operation and safety was from a misinterpretation of instructions or a wrong decoding by the radio operator. The improvement of communications due to modern electronic systems has been hailed as a revolution in shipping but while that may be true to some extent, it has also brought new hazards that can have even more drastic consequences than was previously the case.
Cyberattacks can come in a variety of forms from targeted ransomeware to less dangerous malware and viruses. Shipping is no more at risk from cyber attack than any other industry or service but the biggest fear is that if a ship’s navigation or other essential systems are affected there could be a high safety or pollution risk.
The issue of cyberattacks is not something that has just happened as most operators have experience dating back to the 1990s of virus attacks on PC supplied for stowage and loading purposes and as word processors for preparing various documents. Mostly these were caused by crew members loading pirated computer games on the machines and the consequences were either a need to reload all official software or in the worst cases arrange for a replacement machine. Since the PCs were stand-alone devices, the problem was limited if in some cases quite costly to put right. Today a cyberattack is likely to be more problematical and have a more malicious intent.
Shipping has been quite silent in publicising attacks at least until the summer of 2017 when AP Møller Maersk was the victim of a cyberattack. After recovering from the computer issues triggered by the NotPetya cyberattack, Maersk revealed that the problems would cost the company as much as $300m in lost revenue but has since revised the figure upward and has admitted that every PC in the organisation was changed.
More recently another leading liner operator revealed that taking into account all malicious activity including random phishing e-mails and more targeted hacking events, the number of attacks it undergoes on a daily basis exceeds 1,200 individual events.
There is no shortage of advice in the shipping industry on tackling cyber security: the IMO, BIMCO, Class societies, P&I clubs and others have all produced documents dealing with the issue. The IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management which provide high-level recommendations on cyber risk management and include functional elements that support effective cyber risk management. The MSC at its 98th session in June 2017, also adopted Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems.
The BIMCO Guidelines are the results of input from no less than 16 organisations from shipping companies to communications providers. In the classification society sphere, most leading societies have published their own guidance and some have also devised class notations for vessels where best practices are employed. For those interested in reading the advice, copies of the various documents can usually be accessed from the issuing party’s website. Free of charge in the case of BIMCO, ABS and LR.
One of the downsides of class notations is that if they rely on management practices, the notation may not necessarily be continuous in cases where ships change hands. Some notations do look into the connectivity between systems on board and as long as these are not changed then the notation may have more value.