Cyber risks in general have recently become a hot topic and many companies are working on implementing measures for their cyber defense. Cyber attacks in the maritime domain have for some time been thought of as science-fiction, but are very real today. Although many stakeholders still struggle to grasp the full impact of the issue, the cry for awareness of these risks is becoming louder.
Cyber-attacks come in many shapes and guises, ranging from the theft of sensitive business information to full-scale ransomware attacks, and they hit targets ranging from single-ship owners to large port terminals. A prime example is the 2017 ransomware attack on the Maersk group of companies, which paralyzed business for weeks. Reportedly, damages amounted to over USD 300 million, which does not even include consequential damage for dependent businesses.
Another well-known ransomware attack was launched against Norsk Hydro, one of the world’s largest aluminum producers, in the fall of 2018. IT systems were blocked, causing the production chain to come to a halt and costing approx. USD 71 million. All of this was caused by a regular-looking email from a longtime trusted client, which happened to be infected with some kind of malware.
TACKLING THE PROBLEM
It appears that many companies believe that they are either too small or too low-key to be attacked. Not many cyber-attacks reach the news, except for the big ones. That strengthens the idea that cyber-attacks only happen to others, giving a false sense of security.
Part of that issue is that these attacks are usually surrounded by secrecy and rumors. Not much comes out into the open, so the subject gets snowed under when maritime companies set up a general security program. Security experts have applauded Norsk Hydro for their full transparency during the crisis, as it created a lot of awareness in the industry.
Awareness is a key factor for dealing with cyber risks. To facilitate that, the UK-based CSO Alliance, a maritime member organization, has created an anonymous reporting system to help maritime companies report cyber incidents, ensuring anonymity and confidentiality.
Several other international maritime organizations, such as the IMO, BIMCO and IUMI, are also catching up quickly and are introducing helpful guidelines and best practices.
The IMO already adopted a regulation in 2017. This resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after 1 January 2021. To that end, the IMO issued guidelines that provide high-level recommendations on maritime cyber risk management, intended to protect vessels against current and emerging cyber threats and vulnerabilities.
Shipowners' association BIMCO, in collaboration with, among others, marine insurers' organization IUMI, has also published guidelines for cyber risks.
In summary, the cyber security guidelines and advice say the following:
- Assess your company’s cyber security program
- Focus on vulnerabilities within your organization
- Take necessary (technical) protection measures
- Establish a crisis team and a contingency plan
The IMO’s target date leaves a little under a year for companies to assess their cyber risks and their security programs. For all stakeholders in the maritime domain, it seems wise to do so. For further information see the IMO’s website.
To help commodity traders in particular prepare their companies and security programs for cyber attacks, Aon has broadcast a webinar with helpful insights and tips. Watch the webinar and learn how to:
- Navigate the cyber threat landscape
- Gain instant visibility into your cyber risk posture
- Obtain clear, actionable strategies for remediation
- Understand how you compare to industry peers
Sources: IMO, BIMCO, IUMI, Lloyd’s List Maritime Intelligence, Aon