Cyber Management Course (Ma) – Module 7

Management to-do: Risk assessment and external assessments – Insurance

Ken Munro, an external cyber expert stated:

“A small number of shipping insurers are starting to cover cyber related incidents. This is a very brave move in my experience. I gave numerous lectures in and around the Lloyds building in the early days of conventional cyber liability insurance. Cover was being offered with no understanding of the risks involved. Premiums were not appropriate and many underwriters were burned with sizeable losses around data breaches, particularly where punitive mandatory notification, credit monitoring and class actions occurred.”

It is strongly advised that operators investigate a specific cyber liability insurance policy for their business operations. Typically, these policies address loss cases such as CEO/invoice fraud, online banking fraud, data loss and business interruption in the case of a hacking incident.

A ‘cyber’ policy is usually constructed to specifically deal with these scenarios, though you may be required to demonstrate a certain level of cyber security maturity and process in order to obtain cover at an acceptable premium.

Management to-do: Risk assessment and external assessments – Vessel cyber audit

Some of the worst vessel vulnerabilities are the easiest to find and fix. Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet; the same issue can affect them all.

Hackers are efficient. If a hacking technique won’t work on vessel operator 1, they’ll try it against operator 2. A good start is to make your organisational cyber security better than your competitors’.

Image above from www.areteadvisorsinc.com

Pen Test Partners have been a good friend of the eMaritimeGroup and we would recommend their services. In particular, their blog at:

https://www.pentestpartners.com/security-blog

Management to-do: Risk assessment and external assessments – Introduction

The level of cyber risk will reflect the circumstances of the company, ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics, which affect its vulnerability to cyber incidents:

  • the cyber controls already implemented by the company onboard its ships
  • multiple stakeholders are often involved in the operation and chartering of a ship, potentially resulting in a lack of accountability for the IT infrastructure
  • the ship being online and how it interfaces with other parts of the global supply chain
  • ship equipment being remotely monitored, e.g. by the equipment producers
  • business-critical, data sensitive and commercially sensitive information shared with shore-based service providers, including marine terminals and stevedores and also, where applicable, public authorities
  • the availability and use of computer-controlled critical systems for the ship’s safety and for environmental protection.

Cyber Management Course (Ma) – Module 6

Checklists of vulnerable equipment – Summary Checklist for Management

Passenger Management systems

  • Property Management System (PMS)
  • electronic health records
  • financial related systems
  • ship passenger/visitor/seafarer boarding access systems
  • infrastructure support systems like the Domain Name System (DNS) and user authentication/authorisation systems

Public networks

  • passenger Wi-Fi or Local Area Network (LAN) internet access, for example where onboard personnel can connect their own devices
  • guest entertainment systems

Infrastructure systems

  • security gateways
  • routers
  • switches
  • firewalls
  • Virtual Private Network(s) (VPN)
  • Virtual LAN(s) (VLAN)
  • intrusion prevention systems
  • security event logging systems.

Administrative and crew welfare systems

  • administrative systems
  • crew Wi-Fi or LAN internet access, for example where onboard personnel can connect their own devices.

Communication systems

  • integrated communication systems
  • satellite communication equipment
  • Voice over Internet Protocol (VoIP) equipment
  • wireless networks (WLANs)
  • public address and general alarm systems
  • systems used for reporting mandatory information to public authorities

Bridge systems 

  • integrated navigation system
  • positioning systems (GPS, etc.)
  • Electronic Chart Display Information System (ECDIS)
  • Dynamic Positioning (DP) systems
  • systems that interface with electronic navigation systems and propulsion/manoeuvring systems
  • Automatic Identification System (AIS)
  • Global Maritime Distress and Safety System (GMDSS)
  • radar equipment
  • Voyage Data Recorders (VDRs)
  • other monitoring and data collection systems.

Engine management and power control systems 

  • engine governor
  • power management
  • integrated control system
  • alarm system
  • emergency response system

Control systems 

  • surveillance systems such as CCTV network
  • Bridge Navigational Watch Alarm System (BNWAS)
  • Shipboard Security Alarm Systems (SSAS)
  • electronic “personnel-on-board” systems

Cargo management systems 

  • Cargo Control Room (CCR) and its equipment
  • onboard loading computers and computers used for exchange of loading information and load plan updates with the marine terminal and stevedoring company
  • remote cargo and container sensing systems
  • level indication system
  • valve remote control system
  • ballast water systems
  • water ingress alarm system

Checklists of vulnerable equipment – Communication systems

Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements set by these authorities should be strictly complied with.

Checklists of vulnerable equipment – Administrative and crew welfare systems

Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data.

These systems should be considered uncontrolled and should not be connected to any safety critical system on board. Software provided by ship management companies or owners is also included in this category.

Checklists of vulnerable equipment – Public networks

Fixed or wireless networks connected to the internet, installed on board for the benefit of passengers, for example guest entertainment systems, should be considered uncontrolled and should not be connected to any safety critical system on board.
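The rule stated for administrative, crew welfare and public networks (treat them as uncontrolled and never connect them to a safety-critical system) can be turned into a repeatable check rather than a one-off audit finding. The script below is an added example, not part of the course material or any vendor product: it parses a simple, constructed rule list in a hypothetical `allow <zone>:<system> -> <zone>:<system> tcp/<port>` format (the zone names, system names and rule syntax are all assumptions for illustration), flags any allowed flow between an uncontrolled zone and a safety-critical zone as a FAIL in either direction, and marks flows between safety-critical systems and the internet (remote monitoring, chart updates) as REVIEW items, since the course notes that remote monitoring links increase exposure without forbidding them.

```python
"""Zone-segregation audit for a shipboard network rule list (added example)."""
import re
from dataclasses import dataclass

# Zone classes follow the course checklist: public, crew welfare and
# administrative networks are "uncontrolled"; bridge, engine, control and
# cargo systems are safety critical. "internet" is the satellite/WAN side.
UNCONTROLLED = {"public", "crew_welfare", "administrative"}
SAFETY_CRITICAL = {"bridge", "engine", "control", "cargo"}
EXTERNAL = {"internet"}

# Hypothetical rule syntax (an assumption, not any real firewall's format):
#   allow|deny <src_zone>:<src_system> -> <dst_zone>:<dst_system> tcp|udp/<port|any>
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+"
    r"(?P<src_zone>\w+):(?P<src>[\w.-]+)\s*->\s*"
    r"(?P<dst_zone>\w+):(?P<dst>[\w.-]+)\s+"
    r"(?P<proto>tcp|udp)/(?P<port>\d+|any)$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    proto: str
    port: str


def parse_rules(text):
    """Parse the rule list, ignoring blank lines and '#' comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable rule {raw!r}")
        rules.append(Rule(**m.groupdict()))
    return rules


def classify(rule):
    """Return 'FAIL', 'REVIEW' or None for one rule.

    Only 'allow' rules create connectivity; 'deny' rules are never findings.
    """
    if rule.action != "allow":
        return None
    zones = {rule.src_zone, rule.dst_zone}
    # Any permitted path between an uncontrolled network and a safety-critical
    # system, in either direction, breaks the segregation rule.
    if zones & UNCONTROLLED and zones & SAFETY_CRITICAL:
        return "FAIL"
    # Remote-monitoring or update paths between safety-critical systems and the
    # internet are allowed but must be justified and reviewed.
    if zones & EXTERNAL and zones & SAFETY_CRITICAL:
        return "REVIEW"
    return None


def audit(text):
    """Return a list of (severity, rule) findings in rule-list order."""
    findings = []
    for rule in parse_rules(text):
        severity = classify(rule)
        if severity:
            findings.append((severity, rule))
    return findings


# Constructed sample rule list; not taken from any real vessel.
SAMPLE_RULES = """\
# constructed sample, not a real vessel's ruleset
allow crew_welfare:crew-wifi -> internet:sat-gateway tcp/443
allow administrative:office-pc -> engine:alarm-server tcp/502
allow bridge:ecdis -> bridge:radar tcp/8080
allow public:guest-entertainment -> control:cctv-nvr tcp/554
deny  public:guest-wifi -> bridge:ecdis tcp/any
allow internet:vendor-monitoring -> engine:engine-governor tcp/443
allow bridge:ecdis -> internet:sat-gateway tcp/443   # chart updates
"""

if __name__ == "__main__":
    for severity, rule in audit(SAMPLE_RULES):
        print(f"{severity:6} {rule.src_zone}:{rule.src} -> "
              f"{rule.dst_zone}:{rule.dst} {rule.proto}/{rule.port}")
```

Run against the constructed sample, the two FAIL lines are the office PC reaching the engine alarm server and the guest entertainment network reaching the CCTV recorder; the vendor monitoring and chart-update paths come back as REVIEW. The same pattern applies to VLAN access lists or router ACLs once they are exported into the zone-tagged form the parser expects.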

Checklists of vulnerable equipment – Passenger Management Systems

Digital systems used for property management, boarding and access control may hold valuable passenger related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.

Checklists of vulnerable equipment – Control systems

The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber-attacks. The vulnerability of these systems can increase when they are used in conjunction with remote condition-based monitoring and/or integrated with navigation and communications equipment on ships using integrated bridge systems.