Shipping failing to deal with threat of cyber crime (source: Lloyd’s List)

The fragmented nature of shipping leaves it open to cyber attack and fraud, and it may take IMO intervention to establish better security, says Mishcon de Reya

Law firm claims regulation needed to avoid digital breaches

LAW firm Mishcon de Reya is calling for shipping organisations to lend support to efforts to increase cyber-security across the industry as it seeks to bring wider awareness of shipping’s vulnerability to cyber attacks and associated fraud.

“Because of the fragmented nature of the industry, there haven’t been many incentives for people to have good cyber security; they haven’t needed it,” the firm’s cyber security lead Joe Hancock told Lloyd’s List.

“If you own 10 vessels, you have some administration around them, but you’re mainly in a transactional environment in your business,” he said. “You might not be shipping anything that is interesting like defence equipment so your risk level has traditionally been quite low.”

But that risk is increasing.

“For a vessel owner, the vessel itself has become incredibly digital, with things like crew wi-fi and electronic charting systems,” Mr Hancock said. “Even old vessels have new technology retrofitted to them.”

But while the risks of tomorrow are more around the vessels, the risk today is around fraud.

“The business itself is also now being targeted,” he said. “If you are paying berthing fees or any sort of financial transaction, you’re now doing it by email, you’ve probably got some sort of electronic operations process and that now makes it vulnerable.

“All of a sudden, you have cash moving around and these can be huge sums. We see transactional business where criminals are happy to take $50,000-$100,000 — it doesn’t always have to be multi-million dollar transactions.”

Shipping can also be at risk because of the large amount of publicly available information. That, combined with a compromised email account or email domain fraud, can lead to exposure.

“It is easy enough to go on a free AIS tracker to see where a vessel is and use that information to know when to send an email authorising a payment for bunkers, for example. They are not just attacking the technology, they are attacking the process.”

In this respect the shipping industry is at the cutting edge.

“You have a small, fragmented industry that is not very good at security and a highly visible international logistics process,” Mr Hancock said. “While there have not been a lot of attacks on shipping, a lot of it we can see coming because we have seen it in other industries. Shipping is ahead in having one kind of problem, but behind in knowing how to deal with it.”

Basic checks

The key to better security is having the basics in place.

“That’s easy to say but is hard at scale. But the industry needs to ask itself what problems exist and what they can do about it.”

As a whole, the industry should consider whether the Safety of Life at Sea convention is fit for purpose, for example.

“Solas is very much focused on traditional safety features but doesn’t really include the impact of cyber security on those,” he said.

While there were lots of groups working on security that have come out with all sorts of standards, there was no one visible standard in shipping.

“There is a need for some regulatory standardisation,” Mr Hancock said.

“We’re in that place where everyone is trying to have a bit of the action. Different countries are establishing different standards. At a very basic level, I think we need regulation because there is little to help people quantify the benefits of security. Like insurance, you only really need it when you don’t have it.”

Mr Hancock proposes a set of minimum standards: assess cyber-security risk, put something in place that is proportionate to that risk, and make sure there is a mechanism for that to be assured and audited in the same way as environmental standards are audited.

“If you do those three things that will get you to a good place,” he said. “It also leaves flexibility so that we don’t end up with 2018 security in 2038 as technologies change.”

There are parallels between the physical risks of overweight containers and the invisible risks of cyber security. In the case of the former, guidelines were in place but it was not until the International Maritime Organization stepped in with the Solas amendment on the verification of gross mass that significant steps were taken.

“I think the process of getting regulation will be identical,” Mr Hancock said. “We will go through a code of practice that eventually will lead to regulation.”