Cyber attacks targeting the marine sector, and critical infrastructure more broadly, are growing rapidly across the world and in Asia. As the maritime industry undergoes rapid digitalization, ransomware attacks continue to escalate. In fact, hackers are narrowing their focus on organizations in the sector, which are seen as tempting targets due to a perceived lack of cyber security investment and potential for significant operational disruption.
The marine industry being an attractive target for hackers is not new. Since Maersk suffered a devastating US$300 million ransomware attack in 2017, the maritime industry has earned the unfortunate distinction of being the only sector to have all four of the world’s largest shipping companies being hit by cyber attacks in the last four years, namely – Maersk, Mediterranean Shipping Company, CMA CGM and COSCO.
As an international shipping centre with global influence, it is crucial that Hong Kong’s maritime industry is well-prepared against cyber attacks which are rising in frequency and sophistication.
Rising threat levels
Compliance requirements around cyber risk for shipowners and operators have increased since the start of 2021, amid growing anxiety over the financial impact and operational ramifications of cyber attacks. Shipowners and operators globally, including here in Asia, are now obliged to comply with the International Maritime Organization’s resolutions pertaining to cyber risk management and guidelines. Every Safety Management System must be documented as having factored in cyber risk management and processes for cyber risk assessment, in line with the International Safety Management Code.
Since the start of the pandemic, cyber security specialist Naval Dome found that there has been a 400% increase in attempted hacks on the marine industry globally. There are threats in the field of information technology, like IT networks, e-mail, electronic manuals and certificates, planned maintenance, permits to work, spares management and requisitioning, administration, accounts, crew lists and so on, where mainly finance and reputation are at risk.
Much worse are threats to operation technology such as Global Positioning System (GPS), engine and cargo where there is danger to life, property and the environment, plus all the risks that are associated with IT. And as highlighted by marine cyber security experts, Ocean Shield, the limitations in cyber response capabilities are exacerbated by the lack of visibility around onboard digital asset inventories and network infrastructure which are not as well mapped out as IT assets.
Marine cyber risk in Asia
The Asia-Pacific region appears to be the most targeted area in the world for ransomware and state-sponsored advanced persistent threat groups, with the region experiencing a 168% increase in cyber attacks between May 2020 and May 2021. The recent cyber breaches of Singapore-based marine services provider Swire Pacific Offshore in November and South Korean shopping company HMM in June this year highlighted this threat.
Imagine the disruption to the global economy should a major port such as Hong Kong be crippled by cyber attacks. And what would be the scale of devastation if several ports across Asia were forced to shut because of a cyber attack? According to a scenario analysis done by the Singapore-based Cyber Risk Management project in 2019, damage to the world’s economy from a concerted global cyber attack on 15 Asian ports could cost up to US$110 billion in an extreme scenario.
If such an event were to happen, claims paid by the insurance industry would be in the region of US$8.3 billion, which reflects the current high level of underinsurance for such cyber attacks. Insurance payout would include coverage for business interruption, contingent business interruption, incident response cost, and data and software loss.
Despite the data on insured losses and the real possibility of claims, there are still major misconceptions around cyber risk and insurance.
Myth 1: We have invested significantly in network security controls and have therefore eradicated cyber risk
Putting the right controls in place is a crucial element of cyber risk mitigation. Such controls, however, can only ever minimize the vulnerabilities in the network and/or decrease the likelihood of the threat.
It is impossible to eradicate the risk altogether as no security can be 100% effective. Moreover, insider threats remain an issue. Employees make mistakes and, on occasions, seek to deliberately cause their employers harm.
Myth 2: Losses arising from cyber risk are covered under traditional marine insurance policies
This, of course, could be correct depending on the terms of the insurance contract. Hull and machinery policies, however, typically exclude loss or damage caused by a cyber attack. In some cases, policies may be silent on whether loss arising from cyber risk is covered or excluded, which potentially gives rise to uncertainty and litigation.
Myth 3: Hull and machinery insurance policies include a cyber attack exclusion, but a cyber attack can’t lead to property damage
This is incorrect. For example, in 2008 a pipeline in Turkey exploded after cyber criminals hacked into the pipeline’s control systems. Similarly, in 2014, hackers accessed the control systems of a steel mill in Germany causing significant physical damage.
While there have been no reported cases of physical damage to vessels caused by a cyber attack (which is not to say there haven’t been any cases), the increased reliance upon operational technologies, such as the GPS, AIS (automatic identification system) and ECDIS (electronic chart display and information system), on board vessels, undoubtedly increases the threat of physical damage.
Potential for physical damage
As ship operations become more interconnected with shore side computer systems, partly driven by the digitalization wave in the wake of Covid-19, the potential for a cyber event leading to physical damage is high. The reputational implications, if an attack took place on such a critical industry, would be severe.
Maritime operators can also easily become collateral damage of attacks not targeted at them – just look at Maersk and many others who were collateral damage for a cyber attack that targeted Ukraine a few years ago.
Our work with companies shows that cyber insurance with a physical damage extension would provide protection for financial losses, although insurance buyers would first need to demonstrate robust controls and cyber response capabilities.
Bridging the security gap
While digitalisation of the industry brings exciting possibilities, due care must be taken to ensure cyber threats are managed.
Cyber security remains of critical importance for maritime operators, yet it is perhaps not receiving the funding, focus and risk management approach it deserves and needs. With cyber-attacks on ship owners and operators being reported with ever-increasing frequency across Asia, the time for open collaboration, risk discussions and knowledge sharing is now.
Sabba Manyara is Hong Kong cyber leader at Willis Towers Watson, a global advisory, insurance broking and solutions company.