A shipping legal expert said at last week’s European Maritime Cyber Risk Management Summit in London that port officers can’t be expected to accurately gauge the cyber compliance of ships, so a system may develop in which mariners carry compliance certificates similar to oil-pollution prevention certification.
The summit focused on “frontline responsibility for maritime cyber security, from boardroom through to the back office, from superintendent to seafarer, from insurer to IT responsible” and how those in the chain should “update themselves on regulation, best practice and the latest products and processes in cyber security risk management.”
Items on the agenda included cyber security risks at sea, fraud and cybercrime, contingency planning, crisis management and response from the points of view of operators, port officials, cybersecurity experts, government, academia and more.
“It’s hard to see a port state control officer – a guy who’s been at sea, who understands engines and fuels and lifeboats – suddenly becoming armed with the ability to check a ship’s cybersecurity,” said Norton Rose Fulbright partner Philip Roche. “It seems to me a lot of reliance is going to be – as it is now – put on classification societies certifying whether a ship is safe to go to sea. Under SOLAS … under MARPOL, and those kind of things.”
The International Convention for the Safety of Life at Sea (SOLAS) entered into force in 1980 and specifies “minimum standards for the construction, equipment and operation of ships, compatible with their safety,” as documented by a certification process. MARPOL is the International Convention for the Prevention of Pollution from Ships, which entered into force in 1983 and covers “prevention of pollution of the marine environment by ships from operational or accidental causes.”
The European Union’s Network and Information Security directive gave member states until May 9 to meet “certain national cybersecurity capabilities” while promoting information-sharing and mandating “national supervision of critical sectors” including transportation and water.
Roche said he could see port state control “doing basic checks” on cybersecurity, though “I cannot see them doing penetration testing, I cannot see them going into great depth, but I can see them doing a check that there is a policy in place.”
He said an enforcement regime is expected to take longer in the EU than the likely U.S. response.
“U.S. Coast Guard, of course, will apply an American approach to this and over-regulate and over-fine anybody who is found to be in breach,” Roche predicted.
Gert-Jan Panken, vice president of sales and applications at Inmarsat Maritime, presented some grim statistics at the conference: how global cyberattacks cost $3 trillion to the world economy, how 90 percent of crew at sea have never received cybersecurity training or guidelines, and how 95 percent of breaches came as a result of human error. Forty-three percent of crew have sailed on a ship that’s been compromised in a cyber incident of some kind, he also said.
“Education is only one layer,” Panken explained. “When you’re facing a cyber threat, obviously it’s a continuous threat; it’s not a one-off activity.” Thus, it’s also about technology and making sure that set cyber policies are adhered to, he said.
“Nobody seems to really know quite how a cyber [incident] will be manifest, nobody knows where the cyberattacks are going to come from, and we’re really not sure just how many people are being attacked,” said Capt. Robert Hone, a lecturer in nautical studies at the University of Plymouth, former chief officer on the Queen Mary 2 and former staff captain on the Queen Elizabeth 2.
“So I think it’s important that the industry opens up and starts to let people know if they’ve had some sort of cyber compromise and how it’s been manifest,” he said.
Patrick Rossi, maritime cybersecurity service manager at Norway registrar DNV GL, broke risk assessment down to container ships, tankers and passenger ships.
“When we’re looking at offshore oil and gas assets, sometimes we’re looking at assets that have been retrofitted and not necessarily using the proper configuration for proper security,” he said.
Martin Wright, chief executive of insurer CKRe, stressed that assessment of cyberthreats in the maritime industry must focus not just on vessels but on land bases as well, each with unique risks. “It’s a tough one for the industry to try to tackle,” he said.