Global Shipping Industry Faces Wave of Cyber Threats

By Capt. Rahul Khanna, Global Head of Marine Risk Consulting at Allianz Global Corporate & Specialty (AGCS)

Commercial insurer Allianz Global Corporate & Specialty just released its latest Safety & Shipping Review, an annual analysis of shipping losses and accidents worldwide.  The international shipping industry is responsible for the carriage of around 90% of world trade, so vessel safety is critical to the global economy.

The 2022 report reveals that the maritime sector continued its long-term positive safety trend over the past year with 54 total losses of vessels reported globally, compared with 65 a year earlier. This represents a 57% decline over 10 years (127 in 2012); while during the early 1990s the global fleet was losing 200+ vessels a year. The 2021 loss total is made more impressive by the fact that there are an estimated 130,000 ships in the global fleet today, compared with some 80,000 30 years ago. Such progress reflects the increased focus on safety measures over time through training and safety programs, improved ship design, technology and regulation.

However, the industry is not without its challenges. Russia’s invasion of Ukraine, costly issues involving larger vessels, crew and port congestion and managing decarbonization targets, means there is no room for complacency.

Another growing challenge facing the shipping industry is cyber security. The digital era may be opening up new possibilities for the maritime industry but its growing reliance on computer and software and increasing interconnectivity within the sector, is also making it highly vulnerable to cyber-attacks. All four of the largest shipping companies, Maersk, Cosco, MSC (and CMA CGM), have been victims of cyber-attacks in recent years. Port operators have also been affected. Even the United Nations’ global shipping regulator, the International Maritime Organization was recently targeted by a cyber-attack, forcing some of its services offline. In particular, ransomware has become a global problem.

According to a recent industry survey just under half (44%) of maritime professionals reported that their organization has been the subject of a cyber-attack in the last three years. Of these, 3% agreed to pay a ransom, which averaged at around $3mn. It also found 32% of organizations do not conduct regular cyber security training while 38% do not have a cyber response plan.

To date, most cyber incidents in the shipping industry have been shore-based, such as ransomware and malware attacks against shipping companies’ and ports’ database systems. But with the growing connectivity of shipping, the fact that geopolitical conflict is increasingly being played out in cyber space – recent years have seen a growing number of GPS spoofing incidents, particularly in the Middle East and China, which can cause vessels to believe they are in a different position than they actually are – and with the concept of autonomous shipping, there is little doubt that cyber risk will become a more important exposure that will require much more detailed risk assessment going forward.

At the same time, the crippling ransomware attack against the 9,000km long Colonial oil pipeline in the US in May 2021 has raised concerns that critical maritime infrastructure, could be increasingly targeted in future. The attack resulted in the pipeline’s systems, which connect some 30 oil refineries and nearly 300 fuel distribution terminals, being forced offline, resulting in petrol shortages across the eastern US.

As geopolitical risks rise, so does the prospect of malicious digital disruption. Security agencies have warned of a heightened cyber risk due to the conflict in Ukraine. NATO warned vessels in the Black Sea faced the threat of GPS jamming, Automatic Identification System (AIS) spoofing (prior to the Ukraine invasion there had already been a number of these incidents, reported in the Middle East and China), communications jamming and electronic interference. The US Cybersecurity and Infrastructure Security Agency also warned the maritime transportation sector could be a target for foreign adversaries.

There is concern that shipping assets and ports could become collateral damage if the conflict in Ukraine results in an increase in cyber activity.

Marine insurers have been warning for years about the cyber risk to shipping. From a hull perspective, the worst-case scenario is a terrorist attack or a nation state group targeting shipping in a bid to inflict damage or major disruption to trade, such as blocking a major shipping route or port. While this would seem a remote possibility, it is a scenario we need to understand and monitor. Although an accident, the recent blockage of the Suez Canal by the ultra-large vessel Ever Given is an eye-opener on many fronts as it shows the disruption a momentary loss of propulsion or steering failure on a vessel navigating a narrow waterway can cause.

The good news is that the shipping community has grown more alert to cyber risk over the past couple of years, in particular in the wake of the 2017 NotPetya malware attack that crippled ports, terminals and cargo handling operations. However, reporting of incidents is still uncommon as owners fear reputational risk and delays from investigations. Meanwhile, cyber security regulation for ships and ports has been increasing. In January 2021, the International Maritime Organization’s (IMO) Resolution MSC.428(98) came into effect, requiring cyber risks to be addressed in safety management systems. The EU’s Network and Information Systems Directive also extends to ports and shipping. This is a step in the right direction but the problem at the moment is quite extensive. Despite these measures we have seen a sharp rise in attacks.

Increased awareness of – and regulation around – cyber risk is translating into an uptake of cyber insurance by shipping companies, although mostly for shore-based operations to date. Typically, marine hull insurance policies exclude coverage against cyber-attack or any loss arising from a malicious act involving the use of a computer system, given the potential loss accumulation issues from such scenarios. Instead, shippers have to purchase standalone cyber insurance coverage, but to date the readiness of many in the sector to buy a marine hull specific cyber cover has been limited.

However, the threat to vessels is growing as more and more ships are linked to onshore systems for navigation and performance management. Smart ships are coming, and we would expect demand for insurance to develop accordingly. What we may see in the future is a potential increase in demand for a combination of onshore/offshore coverage and this is something we will need to discuss and observe with our clients and brokers to see how far this can be taken by marine hull insurance and how far it can be taken by a broader scope of cover in a combined policy.

Fortunately, there are also a growing number of resources available to help mariners learn about common vulnerabilities. Just one example is the internationally-recognized United States Maritime Resource Center, which assists the industry in cyber awareness, safety and security through evidence-based research. Then there are an increasing number of cyber security guidelines which can be followed, such as those from the IMO, but also from other important organizations such as BIMCO, CLIA, Intercargo and Intertanko.

There are also standard practices that can be implemented to reduce cyber risk, such as defining personnel roles and responsibilities for cyber risk management and identifying the systems, assets and data that, when disrupted, pose risks to ship operations. Ship-owners also need to implement risk control processes and contingency planning, developing and implementing activities necessary to quickly detect a cyber event. Identifying measures to back up and restore cyber systems impacted by a cyber event is obviously crucial.

Of course, these are challenging times for the shipping industry. However, IT security should not be put on the backburner. It is vital that investment in cyber risk education and security is not neglected at this time, despite economic pressures, as this risk has the potential to have catastrophic consequences, given the right confluence of events.

To read the full Allianz Safety & Shipping Review 2022, please visit https://www.agcs.allianz.com/news-and-insights/reports/shipping-safety.html

About the Author

Rahul is the Global Head of Marine Risk Consulting at Allianz Global Corporate & Specialty (AGCS), one of the largest insurance companies in the world. Based in London, he leads a global team of marine risk consultants who support the marine underwriting function in Marine risk selection and loss prevention at Allianz.

Rahul is a qualified master mariner who has spent 14 years at sea sailing on oil tankers and bulk carriers and moved ashore after sailing as a captain for 2 years.

Rahul joined Allianz in 2011 as a senior risk consultant and took over as Global Head of Marine risk consulting in 2014. In his current role he focuses on risk consulting strategy for the global marine business of AGCS.

Rahul can be reached online at @CaptRahulKhanna and at our company website https://www.agcs.allianz.com/.