Half of all shipping company chief information officers claimed to have information technology (IT) security policies onboard their vessels in a recent survey, but 100% of them admitted they do not provide cyber security training on those ships.
When human behaviour, notably ignorance of cyber vulnerabilities, is responsible for most breaches of computer networks, the lack of training fatally undermines those IT policies and leaves much of the industry open to the threat of hacking.
In the same research, Jordan Wylie reports that two-thirds of company security officers (CSOs) did not think cyber security is a serious threat. By contrast, 91% of ship security officers, often the master, believe they do not have the training to deal with the threat.
Wylie, who previously worked in combating Somali pirates after a career in the British Army, set up the Be Cyber Aware at Sea campaign after researching maritime security for a master's degree.
The main weaknesses
The free campaign aims to raise awareness globally among seafarers with simple messages about the main areas of weakness: the use of social media and USB sticks, malware and phishing emails. Sharply messaged posters to download and pin up are available from its website.
Among members are owners, insurers and an as-yet-unnamed flag state, and the organisation is developing the first cyber security training course for seafarers to be approved by the UK communications intelligence service GCHQ.
Cyber attacks on shipping have mainly affected IT system functionality (67%, according to research by IHS) but 21% have caused financial loss, mainly from bogus invoices made to look like real ones copied from the company’s own computer systems.
So far, only 4% of attacks have affected the functionality of shipborne systems.
But Colin Gillespie, deputy director of loss prevention at the North of England Protecting and Indemnity Association, says electronic chart display and information systems and vessel positioning systems are seen to be the most vulnerable parts of the ship, followed by engine and cargo control systems.
Risks will probably increase by trade, and may be much greater for cruiseships or gas tankers than bulk carriers. But criminals like boxships because they are a good way of carrying illicit cargoes — a big incentive to hack into liner company systems.
Few owners will be covered by insurance for cyber damages, Gillespie says. Most hull and machinery policies include Clause 380, which excludes payment for damage from hacking attacks. Cyber risk policies are typically limited to $1m of rebuilding systems but exclude property and injuries, while war risk policies generally exclude electromagnetic weapons and computer viruses. Gap insurance is available, but it is expensive.
Reporting and sharing information is key to understanding the issues and then tackling them with prudent behaviour, says Gillespie.
The aviation industry has developed comprehensive compartmentalised systems to manage security, achieved by accepting open reporting of incidents in real time.
Shipping is a long way behind because vessels have until now been largely autonomous, but guidance is proliferating.
The cyber at sea awareness campaign is working with the CSO Alliance, an online community that allows security officers in the shipping industry to share their experience.
CSO Alliance director Mark Sutcliffe says the organisation has been talking to insurance underwriters at Lloyd’s about what information they need from the industry. “They are saying to us if we give them actuarial information — where are the incidents, how expensive are they, what happened and what have we learned — they will reward us with cheaper insurance, but most importantly consider the removal of Clause 380.”
Gillespie says Clause 380 may well be becoming unrealistic in tomorrow’s world, which is moving towards ever more automation controlled by computer systems. “I would say the [insurance] market has to respond. There is a debate going on.”
Sutcliffe says anonymity of cyber crime reporting is essential. Gillespie says anybody can be hacked; the key thing is to work together to build the best defences that make it difficult.
The CSO Alliance is building a cyber platform that will include a helpline to share issues and be a starting point for reporting incidents. A toolbox to help deal with malware is also possible, as are short e-learning courses for crews to complete before they get access to email and other systems after coming onboard.
Be Cyber Aware at Sea has put currently available guidance documents by the International Maritime Organization (IMO), Bimco, North of England, DNV GL, Hewlett-Packard (HP), Marsh, Lloyd’s Register and others on its site.
The proliferation of guidance can, though, lead to confusion.
DNV GL senior cyber security product manager Patrick Rossi says the IMO does not want to dictate what is done about the issue, and so is relying on the International Association of Classification Societies (IACS).
Rossi says the IACS’ aim is “first to tackle the newbuild life cycle. There is a push to come up with standards that help the industry design cyber security into vessels at manufacture. With the operating fleet, they are relying on flag states to handle it”. He expects something more tangible on existing vessel procedures in 2017.
For further information, visit CsoAlliance.com and BeCyberAwareAtSea.com