Cyber Security in Shipping

The application of technologies, processes and controls to protect systems, networks, devices and data from cyber-attacks. Cyber security is put in place to reduce the risk of cyber-attacks and protect critical information against unauthorised exploitation. The UK government has recently issued a warning of an increased likelihood of cyber attacks from Russia, with the National Cyber Security Centre urging businesses to ensure their cybersecurity measures are up to date. There are also concerns that shipping companies providing vital food, medical supplies and goods will be targeted. You can find out more on this fast moving situation in our dedicated expertise area Ukraine Conflict. 

While many insurance policies specifically exclude losses or liabilities’ arising from cyber risks, International Group P&I cover does not. This means that Members benefit from the same level of P&I cover should a claim arise due to a cyber risk, as they would from such a claim arising from a traditional risk. As always, cover is subject to the Club rules. Any P&I cover can be prejudiced by the failure to take reasonable steps to prevent foreseeable loss or liability, and as more and more potential cyber risks are being identified all clubs will expect to see operation of sensible and properly managed cyber risk policies and systems both ashore and on vessels if a cyber risk leads to a claim.

Each company must take steps to reduce the risk of cyberattacks to minimise the potential impact on their business operations. There are two types of responses; the technical response and the procedural response. To find out more take a look at North’s guidelines to ensure your contingency plans are in place to deal with the raft of today’s potential threats. Organisations must have a robust cybersecurity policy in place, where staff are trained and the rules and procedures are followed. It is unlikely that all systems can ever be 100% technically secure, so developing cyber resilience is the key to managing cyber risk. An approach which welds resistance, response and learning from previous cyber attacks across the shipping industry will lead to better resilience.

In a shipping context a cyber risk may be the failure of an onboard GPS receiver due to a fault with the equipment, extending right through to catastrophic scenarios of vessel systems being attacked and the vessel being disabled, deliberately run aground or taken over by malicious third parties. This could be caused through  outdated or missing antivirus software and protection from malware, shipboard computer networks which lack boundary protection measures and segmentation of networks, inadequate access controls for third parties including contractors and service providers, and safety-critical equipment or systems always connected with the shoreside. At North, our team of cybersecurity specialists will guide you on the process of creating a safer environment. 

The IMO’s guidelines on Maritime Cyber Risk Management identify four groups who may give rise to a threat. They are activists (including disgruntled employees), criminals, opportunists (they like the challenge of breaking in) and states or terrorists. Each has different motivations and objectives. Once a threat and their motives have been identified, it’s important to assess the risk, look at how that risk can be reduced, contingency plan and implement a formal response, recovery and investigation. Read our ‘Cyber Risks in Shipping’ Briefing for more detail. 

Cybersecurity is crucial to ensure the safety of the crew, vessel, cargo and even ports. There’s already been a number of examples which demonstrate that criminals and others have already successfully targeted shipping companies via electronic systems. Technology and connectedness will play an increasing role in shipping and this creates opportunities for criminals and others. Shipping companies wishing to reduce risks to protect operational efficiency and profitably should therefore take steps to make their organisations less vulnerable to cyber risks.