Friday, May 4, 2018

Supply Chain Logistics Under Cyber Attack Threat as Maritime Insurers Offer Free Advice

All Shipping and Forwarding Staff Need to Learn the Risks
Shipping News Feature
UK – WORLDWIDE – Cyber security is possibly the hottest topic of this year in the world of shipping and forwarding, despite all the news coming out on autonomous vehicles, Brexit and the like. Logistics companies are under attack from cyber criminals every single day and, historically, with some success. Now stakeholders in the community who possibly stand to lose the most in a successful attack, the maritime insurers, have released some frightening facts and offered advice to protect the interests of those occupying the central links of the supply chain.

The TT Club, jointly with UK P&I Club (also managed by Thomas Miller) and cyber security consultants NYA, has published a paper entitled ‘Risk Focus: Cyber – Considering Threats in the Maritime Supply Chain’ which is free to read. Development director Andrew Huxley introduced the paper in his Livorno presentation at the 6th MED Ports 2018 Exhibition and Conference last month, saying:

“As an insurance mutual, TT Club has always been dedicated to minimising risk through its loss prevention efforts. By publishing ‘Risk Focus: Cyber’ we hope to generate more awareness of the risks to help combat the situation. Ultimately, the main threat continues to derive from human error, downloading malicious content, opening an unsecured web browser or falling victim to social engineering attacks and phishing scams.

“Many in the marine supply chain business have operations characterised by widespread office networks and a reliance on multiple third party suppliers. Often IT systems are of an in-house, legacy nature, which may be poorly protected by security software. [Furthermore] a BIMCO survey in 2016 suggested that more than 20% of respondents admitted to cyber attacks and last year a SeaIntel Maritime Analysis report estimated that 44% of the top 50 container carriers had weak or inadequate cyber security policies and processes.”

The events of last year were so serious that we can be said to be engaged in a cyber war, with speculation rife that in some instances only state sponsored interests could have created the attacks. From a maritime supply chain perspective, an example of serious IT incursion in 2017 was the spoofing attack on over twenty ships in Novorossiysk (Russia). Previously such attacks were the stuff of spy novels and science fiction films. Now the reality is that this type of attack is designed to give false information as to the location of vessels, even perhaps interfering with the ship’s own IT systems, potentially sending them off course, a risk perhaps even more likely with autonomous vessels.

The International Maritime Organization (IMO) under its International Safety Management (ISM) Code, enforced on all ships, put in place Resolution MSC.428 (98), introduced on 7 June 2017, which requires administrations to ‘take the necessary steps to include cyber threat considerations appropriately through safety management systems and address this by the first annual verification after 1 January 2021’.

Last year we also saw the attack on AP Moller-Maersk, costing an estimated third of a billion dollars, followed by an assault on Clarksons in which data was stolen from the files of the integrated shipping services group. On a global level, reports by AV-TEST indicate that on average an astonishing 4.2 new files of malware code were generated every second last year. That’s thirty one plus million attempts to find different ways to steal or damage data every year, and the count is ever rising.

The US Coast Guard has issued a draft Navigation and Vessel Inspection Circular (NAVIC) titled ‘Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities’. The circular currently under review requires incorporation of personnel training, drills and exercises to test capabilities, security measures for access control, handling cargo, delivery of stores, procedures for interfacing with ships and security systems and equipment maintenance.

Additional national and regional initiatives, exemplified in the European Union by the Directive on Security of Network and Information Systems (NIS Directive), and of course the further strengthening of the General Data Protection Regulation (GDPR), are indicative of the development of regulatory expectations. While the latter does not directly address it, cyber protection is intrinsically at the core of data protection. Such initiatives, together with known vulnerabilities, highlight that cyber security is ever more pertinent for ports and terminals, as well as the broader supply chain community.

So, what is a brief answer to this new, growing, ever present risk? One thing is clear from all the experts we have interviewed on the subject. Yes, equip yourselves with the strongest IT systems you can afford, but these alone will never stop an experienced hacker who can find a way in. The most effective protection for any company is a well-trained staff operating those systems and constantly alert to the risk of opening the door to criminals.